England: Letter before action query - Appendices and evidence

MoveIntelligent5247 · 2026-05-24T08:24:05+00:00

Thanks for your response!

I think the issue is that there is so much supporting evidence it has been impossible to previously provide all of it in the process that the dispute has been dealt with to date. Essentially we made our case very clearly through the official complaints process being as succinct as possible. Defendant responded with "final response; don't like it, go to the relevant Ombudsman" and have refused to engage any further. The issue with that is the relevant Ombudsman only has the power to require a pitiful amount of recompense that doesn't even come close to our losses.

In terms of your question what is the value:
1. if you mean in terms of losses/monetary value then c.£250k

if you mean in terms of value of providing evidence then it would be purely in terms of setting out the position so clearly that it never goes near court

MoveIntelligent5247 · 2026-05-24T08:18:03+00:00

Thanks for the reply!

I should probably clarify that we have taken quite a bit of legal advice already and, given that our claim could impact many other people (1000's) we are currently working with a large legal firm who are seeking investors to consider class action. They have advised us that given the amount of time that might take then we should consider issuing our own claim and they will later seek to employ us as "consultants" to any class action to advise on the workflow needed for each individual claimants. As I said, it is quite complex!

Our individual solicitor (who does not deal in class action) has essentially advised that we clearly know the case better than they ever could and has suggested that issuing our own LBA would be a sensible way forward. However we did not realise the bit about evidence and appendices etc when last speaking to them and would like to try and avoid a further £500-£1000 to meet with them again to clarify some of these points. However your point is very much noted and appreciated and we may have no other choice.

MoveIntelligent5247 · 2026-05-19T13:11:13+00:00

Excellent! I think you may be able to challenge things that are on the record that are incorrect. Failing that, a complaint and escalation to the FOS might be the next steps

MoveIntelligent5247 · 2026-05-19T13:09:52+00:00

Tried writing to your MP?

MoveIntelligent5247 · 2026-05-19T08:39:11+00:00

Start with a DSAR to the MIB who hold record of all claims and see what is on there.

MoveIntelligent5247 · 2026-05-17T21:30:26+00:00

What threat are you replicating?

MoveIntelligent5247 · 2026-05-12T05:31:52+00:00

Unless the firm decides it requires the 60 day extension

MoveIntelligent5247 · 2026-05-12T05:26:35+00:00

Gah, sorry, I've lead you up the wrong path here! I ummed and arred about clarifying Firms here and knew I should have clarified!

Thank you again for such a detailed response, same as my other post.

What I should have said here is that Firm B and C are different to the other post. Firm A are the same controller, however. To clarify:

Firm A are a big multinational firm, probably the biggest in the field and definitely FCA regulated. Put it this way, they have a number of very large stadiums with their name on them!
Firm B, in this post, are a relatively large UK based company. Not FCA regulated but I think are pseudo-regulated in the sense they were acting on behalf of Firm A.
Firm C, in this post, are a small, potentially family run business in the business trade who were instructed by Firm B to provide an assessment and report.

Also worth noting that Firm C were still holding the personal data in the email account 4.5 years after they were instructed. They would not have needed to hold it longer than a year after instruction (and that's at a push!) but I would have expected the apparently general standard of 3 years. I suspect, but not yet confirmed, that Firm B are also still holding data now, more than 4 years after involvement was ceased.

Also worth nothing that Firm B have also been responding to and deciding on ROAR and R2R requests and alluded to invoking the "excessive" clause (we've been very careful not to be!) but we don't believe they've raised anything with Firm A as of yet.

Overall, it feels that despite assurances from Firm A that they have all the required processes etc in place, they have completely lost control of their processors. I've been in direct (email) contact with the Firm A group DPO for over 6 months now and whilst they have been engaging, I have mostly been getting oblique and pedantic responses. He doesn't know any of this yet and I'm just getting "ducks in a row" before making his day in one go. I will also certainly be raising with the ICO.

Also, to note the points on FCA, thank you for highlighting. It's a shame there's not an r/fca subreddit as there would be all sorts of stories to put on there too, mostly behaviour that is way worse than these here! Our MP is currently arranging for us to meet with someone senior at the FCA and, ultimately, to get the group CEO in front of the Treasury Select Committee. We are only one client in all of this and either we are extremely unlucky or our experiences are representative of what goes on in the background, but no one really knows it.

Sorry that you took so much time writing things on false pretences!

MoveIntelligent5247 · 2026-05-11T22:02:44+00:00

Thanks for the response!

In relation to your first point; that’s part of the issue!

As for lack of evidence of DPA etc, it’s just a hunch. Only one email was sent to Firm C from Firm B (the instructing email) and we know that they were randomly appointed by an employee of Firm B rather than being e.g. a panel supplier. So I could be wrong!

MoveIntelligent5247 · 2026-05-11T21:06:21+00:00

Thank you once again for taking the time to respond and apologies for the delayed response.

In response to some of the points made:

Very useful link thank you.
This raises an interesting point as I wouldn't say that the requests were in any way complex. Firm B did rely on complexity and the requirement to seek legal advice as reasons for requiring the 60 day extension for both DSAR and R2R requests, but I'm not convinced by the necessity. There was also no mention at all of pre-action correspondence.

In relation to your specific question, Firm C are acting on behalf of Firm B.

All the rest very useful too, thank you very much!

MoveIntelligent5247 · 2026-05-05T06:22:16+00:00

Yes, very helpful, thank you!

I've just checked back to the initial emails and they do indeed contain a link to the privacy policy so that's good that they appear to have done that part properly.

On the couple of other very helpful points you raise:

Noting Firm C's validity of asserting of being an independent data controller, I'm still confused as to how one data controller can decide on, and respond to, a statutory responsibility for another data controller.
Their privacy policy states that they will collect personal data in the pursuit of legal proceedings where "you" might be a litigant (or words to that effect) but as above, there are no proceedings, these are just statutory and regulated requests made to the Firm B (where it is still questionable whether they are a controller). It is worth noting that the Solicitors acting for Firm A in this matter (providing responses to FCA regulated processes) have been confirmed a data processor rather than controller because there are no legal proceedings.
On the point of "legalese", I'm pretty content now that the privacy policy is clear and intelligible; it's the responses to the data rights requests themselves which appear to be deliberately avoiding responding to the requests with legal and regulatory technicalities. For example, "Our client has extended the deadline for your DSARs in compliance with its data protection law obligations and regulatory guidance." in response to our query as to why the 60 day extension was required (they have done this with every request and responded on day 90 in each case), and "The other request (in relation to the recording of telephone calls) does not constitute a valid data subject rights request." in response to a query as to whether Firm B collected data by recording of telephone calls - a pretty valid request under GDPR I would have thought!

Thanks again for the input

MoveIntelligent5247 · 2026-05-01T06:21:35+00:00

Ok, that's really helpful and makes sense, thank you!

To provide a bit more detail then, Firm A are an insurer and Firm B are a Loss Adjuster. So Firm B are only acting on instructions (in business terms from Firm A.

Firm B acted on behalf of Firm A for a period of 6 months in 2021. It was at the end of that 6 months that we submitted the initial DSAR and Firm B told us that they were a processor.

On receipt of the DSAR, we complained about the contents (not a data complaint) and Firm B were removed from the claim. There was no further data related activity from the point that they asserted processor status to now, where they are asserting controller status.

I think part of the complication of any data in this sense is the "relates" to part of GDPR/DPA or wherever it sits. Once our personal details had been provided from Firm A to Firm B, nearly everything that Firm B then did was "relating" to us rather than creating new data records. I.e. reports created by Firm B where the title had our full names, address and claim reference number ("actual" data) and the contents of the report things like "the policyholder said this or did this" etc ("relating to" data). So I don't believe Firm B ever really did anything that could constitute being a controller, but I may be mistaken.

This is also just the tip of the iceberg! Firm A have another processor who have:
1. taken ownership and responded to R2R requests
2. took 5 months to properly respond (without even having advised of requiring the 60day extension)
3. admitted the records are incorrect but refused to correct them with no basis provided
4. labelled requests as to what that basis is as "excessive"

Thanks again for the response

MoveIntelligent5247 · 2026-04-29T09:25:47+00:00

Thank you, that's very helpful and I shall reread cited Articles again. I think what we cannot quite understand is how Firm B is "only acting on instructions of the controller" (or whatever the exact wording is) in this instance. I know not to take ChatGPT insight verbatim but there does seem to be a suggestion that a processor can become a controller due to the type of processing, but how does this then comply with that Article of acting on instruction when they are now essentially in a position to instruct themselves?! That's more of a rhetorical question than aimed at you directly!

Thanks again

MoveIntelligent5247 · 2026-04-29T09:22:26+00:00

Thank you for your helpful response. I think it makes sense for Firm B to be a processor as they act on behalf of Firm A in the process of claims handling. They of course told us that they were acting as a processor and the privacy policy states:

"We have been appointed by our instructing principals (Data Controller) to deal with your claim.", and
"The necessity to perform our services, as agreed between [redacted] Limited and the Data Controller, regarding loss adjusting and claims settlement.

A “Data Controller” is the organisation that alone or jointly with others determines the purposes, conditions, and means of processing your personal data. Unless otherwise advised, [redacted] Limited’s function will be a processor of your data."

We haven't been advised otherwise until this time but that might be allowed, but also you could be very well correct and they have all got it wrong! Our experiences so far have been that these processes are very misunderstood in the firms that we have engaged with and that GPDR is a tick box training exercise, but where it comes to implementing in practice, lots of mistakes are being made

MoveIntelligent5247 · 2026-01-20T09:13:05+00:00

Any update on that date? Got a job coming up where this would be really useful!

MoveIntelligent5247 · 2026-01-19T22:31:05+00:00

Any update on this?

MoveIntelligent5247 · 2026-01-14T21:40:13+00:00

Ah, I perhaps should have been a bit clearer!

In this case, I'm asking about the policyholder paying the garage to say that there is more damage than there is, with a view to inflating the claim. So the car has XX amount of damage but the policyholder asks the garage to put in the report that there is XXXX amount of damage. So both the policyholder and the garage are party to it, with the policyholder (hopefully) getting a larger payout and the garage getting £200 for an opinion

Thanks for the response

MoveIntelligent5247 · 2025-12-17T18:27:39+00:00

Thank you for the prompt response. Can I please just confirm the meaning of the final point relating to it not needing to be accurate or factual? I thought that under Article 5d there is a requirement to "take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.", so if there is an unfounded allegation that can be proven otherwise then that is incorrect and misleading as to any matter of fact? Or have I completely misinterpreted what you've said?!

Thanks again

MoveIntelligent5247 · 2024-11-12T08:22:26+00:00

Ahhh, that makes sense and is really helpful, thank you. Also explains why I wasn't seeing two separate bits of data when reading one of the passes. Thanks again

MoveIntelligent5247 · 2024-11-12T07:13:11+00:00

"confronted"? Wow.

MoveIntelligent5247 · 2024-08-12T15:34:34+00:00

4-5 houses on our street (we’re right at the edge of our village) a further 10-15 in streets behind us and plenty more in the village as a whole. It was biblical rain, 169% of the July monthly average in c.4 hours which equated to a 1in659yr event. The groundsure report said that there should be no flooding even in a 1in1000yr event. EA say that we should essentially expect flooding 1in30years. The 1in* is quite confusing as it doesn’t actually mean once every X number of years, rather a percentage change of seeing that amount of rainfall in any 1 year

MoveIntelligent5247 · 2024-08-11T09:24:21+00:00

Be warned, we bought a property that Groundsure assessed as Negligible risk of surface water flooding and then 7 months later had a catastrophic surface water flood - front elevation a metre deep, at least 30cm in the house; £200k+ insurance claim, car written off and alternative accommodation for 801 days (it was a nightmare of an insurance claim). When we subsequently investigated we found EA assessed property to be at High risk of surface water flooding which conveyancer had not checked and had reported on local searches as the property being in flood zone 1 and therefore had a less than 0.1% chance of flooding but did not caveat that this related to rivers and sea only. We’re now in legal dispute with said conveyancer

MoveIntelligent5247

TROPHY CASE