Scotland — UK GDPR / Data Protection Act 2018 — DVLA KADOE access misuse
Both private parking operators and councils obtain registered keeper details from the DVLA's KADOE (Keeper at Date of Event) service — a strictly regulated process under the Data Protection Act 2018 and the Roads (Scotland) Act 1984 / Road Vehicle (Registration and Licensing) Regulations 2002 reg 27. KADOE access is permitted only where 'reasonable cause' exists. Private operators must additionally be members of an Accredited Trade Association (BPA, IPC) and comply with the relevant Code of Practice. Council use is controlled by the Police, Public Order and Criminal Justice (Scotland) Act 2006 and DVLA Memorandum of Understanding. Common breaches: KADOE accessed without an active enforceable contractual or statutory basis (e.g., for an unenforceable Scottish keeper claim — see UK-SCOT-017); KADOE accessed multiple times for the same vehicle in a manner not necessary; data retained longer than ATA Code requires (BPA: 2 years post resolution; IPC: similar). A complaint to the ICO (which has a Scottish office at Edinburgh and applies UK GDPR to Scotland) can result in fines and an order to delete data, plus your right to compensation under Article 82 / s.168 DPA 2018. UNIQUE point in Scotland: because keeper liability does not exist (UK-SCOT-017), the operator's KADOE access for the purpose of pursuing a Scottish keeper has no lawful basis under Article 6(1)(f) GDPR (legitimate interests) — the interest is in pursuing a non-existent claim, which fails the necessity test.
Legal basis
UK GDPR Article 5(1)(a)–(d), Article 6(1)(f), Article 82; Data Protection Act 2018 s.168; Roads (Scotland) Act 1984; RV(R&L) Regs 2002 reg 27; relevant ATA Code of Practice
How to identify this in your case
Private operator obtained your keeper details from DVLA for a Scottish-keeper parking claim that has no statutory basis. Or your details were retained or shared beyond what was necessary.
Sample appeal wording
Dear [OPERATOR], Re: PCN [PCN_NUMBER] — UK GDPR / DPA 2018 complaint and subject access request I have received your demand for £[AMOUNT] addressed to me as registered keeper of vehicle [VRN]. As I have explained separately, there is no legal basis in Scotland for keeper liability for private parking charges (POFA 2012 does not extend to Scotland; Part 8 of the Transport (Scotland) Act 2019 is not in force). It follows that your access to my registered keeper details from DVLA via KADOE was not necessary for any legitimate interest within UK GDPR Article 6(1)(f), because there is no enforceable interest in pursuing me as keeper. Your processing of my personal data is therefore unlawful within UK GDPR Article 5(1)(a) and the Data Protection Act 2018. Pursuant to Article 17 (right to erasure) I require you to: 1. Erase all my personal data from your systems within 30 days; 2. Notify any third parties (debt collectors, ATA Trade Association, KADOE) of the erasure; 3. Confirm in writing that no further processing will occur. I also make a subject access request under Article 15 for all personal data you hold concerning me, including the legal basis recorded for KADOE access; I expect a response within 30 days. Failure to comply will result in a complaint to the Information Commissioner's Office (Edinburgh office, ico.org.uk) and a claim for compensation under Article 82 / s.168 DPA 2018. Yours faithfully, [NAME]
Replace [PARKING DATE], [NtK DATE] etc. with your own dates before sending.
Beat It writes this argument automatically
Scan your PCN — our AI checks if this ground applies to your specific ticket, drafts a properly-cited appeal letter, and submits it to the council on your behalf. Only pay if you win.
Scan my ticketSources
- UK GDPR
- Data Protection Act 2018
- DVLA KADOE Code of Practice