In April 2018, we received a complaint from a data subject who had ceased to be a customer of the data controller. However, she had discovered that her data was still being processed as she continued to receive bills from the data controller. The complainant had received verbal and written assurances that she did not owe the amount being billed.

However, he complainant subsequently received a text message from a debt-collection company, asking that she contact them. When the complainant phoned the debt-collection company, it refused to provide her with any information regarding the alleged debt until she provided them with personal data verifying her identity, which she refused to do. Later the same day, the complainant received a letter from the debt-collection company confirming that it was seeking to recover monies owed by her to the data controller.

This complaint was identified as potentially capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the matter. Company A confirmed with the DPC that an error had caused the complainant’s account balance to appear outstanding but that when the error was identified by the data controller, the outstanding balance was removed from the account. The data controller also confirmed that it had instructed the debt-collection company to cease any collection activities, and also to delete any data associated with the complainant.

While the complainant was satisfied with the ultimate outcome, the DPC emphasised to the data controller that the complainant had previously been informed on at least two occasions that the matter had been resolved. Despite this, her data had been unfairly processed by being passed to a debt-collection company without there being any justification for such disclosure.

In recognition of its failings, the data controller apologised to the complainant, provided certain assurances to her that the matter would have no effect on her credit rating, and made donations to charities of her choice.

For a controller to lawfully engage a processor to process personal data, there must be a justification for the processing of the personal data in the first place. In this case, the controller had disregarded previous concerns raised by the complainant that bills were being issued to her despite her no longer receiving services from the controller and had failed to look into the continued use of her personal data for billing purposes in circumstances where she was no longer a customer.

The DPC encourages individuals to raise data protection concerns directly with the controller in the first instance so that they can address them. However, data controllers frequently ignore or disregard direct attempts made by a data subject to raise complaints until the DPC becomes involved. This is unacceptable and, as part of each organisation’s accountability obligations, it should have meaningful and efficient measures in place to deal with and address data protection complaints when raised directly by a data subject, without the need for the data subject to resort to DPC intervention.