[QUOTE]Under GDPR, data subjects can seek a judicial remedy for any infringement of their rights in the country in which they are habitually resident./QUOTE]
I'm not sure if there is a reference to the above under the GDPR, I'd have to look at that but my only other thought is that you are referring to the Recast Brussels Regulations implemented circa 2014) where you can issue a claim in the country where you are domiciled against another who is domiciled in another EU member state. However, that would relate to the court having jurisdiction to hear the claim but the governing law I presume would be the country that you were employed in under the terms of the employment contract - just for everyone's benefit your private message explained that your employment was the Czech Republic.

I can't really comment on the law over in Czech Republic but they will be caught out by GDPR. Indeed a quick Google suggests that they are yet to implement their revised data protection law so the GDPR will apply in full until the national law is enacted.

Have you considered writing to the Czech data protection authority, the Office for Personal Data Protection (www.uoou.cz) and seeing what they have to say?

Assuming you can issue a claim in this country against your employer in the Czech, you would need to consider whether you have to obtain permission from the court to serve the claim form out of the jurisdiction. Civil Procedure Rule 6.33 is applicable here and I believe the basic rule is that where the European Regulations apply i.e. The Recast Brussels Regulations where the defendant is domiciled in another EU member state, then permission from the court is not usually required.

I believe the Recast Brussels Regulations also deals with enforcement of judgments in EU member states, so if you obtained judgment for disclosure by a court in this jurisdiction, then it should be recognised and enforceable by another member state.

Cross-border disputes are not the easiest to get your head around and you should ideally get some proper legal advice on how to go about it, or perhaps get access to a legal database such as Practical Law or Lexis PSL (either local library or maybe your local university might offer you access for a small fee) and have a read of it in full because its a lot to take in. Alternatively, international law firms such as Allen & Overy, Eversheds, DLA Piper, Clifford Chance etc. will probably have articles on Recast Brussels Regulations (the predecessor was the 2001 Regulations) and how they apply.

Thanks for the response R0B.

Under Article 79, I should be able to seek proceedings against the company in England based on the below:

I have spoken to the Office for Personal Data Protection you listed above and I don't hold much faith in them. There seems to be no procedures for dealing with complaints, no forms to fill out and you are just asked to send them an email to a basic inbox. Under Article 77, I am able to bring the complaint to the ICO, which I will be doing.

I've been reading through the Recast Brussels Regulations and although somewhat complex, it does appear to be the case that a ruling by a court in England & Wales would be enforceable in another member state. The only catch is that the enforcement procedure itself is governed by the national law of the Member State in which enforcement is sought.

In terms of filing a court claim in England, is it a simple case of an N1 form with the particulars asking for specific performance? Do you know if this would be assigned to the small claims court? Do you know why the non-money claim applications fees are £308, but monetary claim fees are generally a lot lower (I was wondering whether it is possible to claim a small monetary amount and ask for the order)?

Yes it would appear that the N1 form is the correct form to use. I think you would need to set out some background to your case than simply asking for specific performance. Difficult to say if it would go on the small claims track as they are usually reserved for simply money type claims as well as other relatively easy actions. As we are talking about a cross border dispute, it is possible the court might allocate it to something other than the small claims track.

I can't give you the specific reason as to why fees are higher than a money claim but they are only lower if your money claim is below a certain threshold, otherwise you could very well end up paying a similar amount to the flat rate fee for non-money claims. Either way you should be awarded your costs of the application if you are successful and assuming you claim that too as part of your claim.

I'm not sure how you would seek a money claim where you want some disclosure from your former employer. You would have to persuade the judge that the lack of disclosure and failure to comply with your request has caused material or non-material damage. It doesn't require financial loss but you would still have to prove it has caused some distress or inconvenience to warrant a small amount of compensation.

Here's what I learned when i did an SAR: all the employer has to do is tell the ICO they have supplied all the information to you, and the ICO will take their word and that will be the end of it. It doesnt matter what information you think they are not disclosing, there is nothing else you can do about it.

My employer is in a specific industry that requires the retention of communication for 6 years for compliance purposes with domestic and EU law (e.g. on money laundering).

There is also documentation from third parties containing my personal data, with no explanation as to how these third parties ended up with my personal data. At the very least there must be a paper trail, explaining how these third parties documentation came into possession of my personal data in the first place.

I am quite confident I can stand before a judge and present my case. I do have evidence that documentation containing my personal data has been deliberately withheld.

I've had fairly decent dealings with the ICO in the past. I'll give you one example where I presented a case to the ICO that an insurance company had failed to fully comply with a SAR:

- I had a non-fault car accident and the day after notifying my insurance company of the accident, I suddenly got a large number of phone calls to my mobile about whiplash and accident injury claims.
- My insurance company denied passing my personal data to third parties.
- I submitted a SAR and they responded without giving any details of my mobile phone number or passing my data to third parties.
- I complained to the ICO, and the insurance company claimed they provided all personal data in accordance with the DPA.
- I submitted a thorough report to the case worker, including evidence that even my insurance company was using my mobile phone number but failed to include it in their SAR response.
- The ICO agreed that the insurance company had not provided all personal data and as a result, had breached their DPA requirements.
- About 2 weeks later, the insurance company issued me a whole load of new personal data including the fact that they had provided my personal data to a subsidiary who then sold the data to third parties.

You need to present evidence to the ICO that an organisation has not provided all personal data. Without this, the ICO can normally only go on the word of the other party as to whether they have complied. There are also going to be situations that the ICO knows organisations in certain industries retain a lot of data for compliance purposes and if it's clearly not been included in a SAR response, then they can make a reasonable assessment about this.