General Data Protection Regulation 2018 breaches are frequently making headline news. One case that came to my attention via a complaints forum shines a spotlight on clear breaches and a lack of regard for the General Data Protection laws.

Car dealerships and poor customer service tend to go hand in glove, albeit with the odd exception.

Most complaints seem to revolve around car warranties. You never need to buy a warranty as the Consumer Rights Act 2015 gives you better cover for free.



The data firms are using belongs to you under the General Data Protection Regulation Act 2018. You will have probably heard of the GDPR Act, although most people don’t fully understand the implications and impact it has on everyone’s lives.


The Data Protection Act 1998 (2002 in the Isle of Man) was updated and replaced with a harmonised version in May 2018, although the principles remain the same with a new accountability requirement.

This was because of technological and digital advances that were not relevant to or covered by the old legislation, and to harmonise the rules and give EU citizens more power over the use of their personal data.

This legislation remains in place now that the UK has left the EU, so it’s here to stay.

The most significant addition is the accountability principle. GDPR requires organisations to evidence how they have complied with the principles – for example by documenting the decisions taken about a processing activity.


Penalties for non-compliance can range up to €20m or 4% of annual global turnover, whichever is higher.

The Information Commissioner’s Office (ICO) takes a variety of factors into account, including the gravity of the offence, damage to the individual, whether the infringement has been disclosed to the ICO and other aspects.

It is mandatory for any organisation to report any infringements of the GDPR Act 2018 to the ICO. Non-compliance combined with a failure to report the infringement will be taken more seriously, with the penalties incurred reflecting that.


The data held by the car dealership contained claims such as:

  • “The seat is now loose due to driver size and weight, it’s partially collapsed and has come loose at the base where the bolts attach. This isn’t covered by the mechanical warranty” and “I believe the customer is a serial complainer / scammer.”

The first lesson anyone ought to take on board when they are dealing with customer data (which belongs to the customer) under Article 5 is that it should be factual and relevant, knowing that the customer can access it at any time by submitting a Data Subject Access Request.

In this case, the customer has only received a couple of screenshots which will just be the tip of the iceberg.


My advice was to reiterate that you want literally everything you are entitled to see, in a clear and easy-to-read printed format, from the date of receipt of the Data Subject Access Request. Always send requests by recorded delivery.

My next step would be to scrutinise what I have received. If I suspected that any data was being withheld, I would insist that an independent audit is made with all PCs drilled for any deleted e-mails so I can fully ascertain the position before proceeding with further action.

Further action in this instance includes defamatory and false statements being made. These can be supported by independent reports stating that the car seat clearly had inherent faults that were not disclosed at the point of sale. This would be a misrepresentation that falls under the Misrepresentation Act 1967.

I would also be liaising with the Information Commissioner’s Office (ICO) and the Citizens Advice Bureau to hold them to account.

What are your thoughts on this? Have you successfully dealt with a General Data Protection breach?
