Have you complained to the ICO? You have the right to do so and/or your initial claim should be for disclosure of those documents but any court claim will likely be at least six months unless you can persuade the court that the application is time sensitive and requires a decision to be made urgently i.e. those documents you need which have not been disclosed are crucial to your employment claim.

No I haven't replied to the ICO, as I they are unable to comepenste me (which is what I am looking for) as the disclosure pack has already been agreed.

Does anyone have an idea of how to file such a claim? Small claim? But I do not know whether I am entitled to more than £10k. Its all a bit of a mystery at the moment.

I am in a fairly similar situation to psychojuice and R0b has kindly given me some advice on another thread.

I would certainly complain to the ICO in any case because:

1) It puts pressure on your employer

2) If the ICO investigates and their assessment is in your favour, this gives you a very strong piece of evidence in court.

3) It costs you nothing, takes a matter of minutes and you don't lose anything from doing it

The ICO used to have a document that provided some guidance for people claiming under the previous DPA. Unfortunately, they've removed this now and there is nothing at the moment about the 'judicial remedies' available under GDPR.

I guess in your case, you wouldn't want to bring a damages claim for an infringement of your rights under GDPR until the outcome of your employment tribunal. But the question is, can anything be done in the interim to force your employer to provide you with all information containing your personal data?

I will be talking to a public access barrister on Monday about what can be done in cases of non-compliance with disclosure under GDPR.

Thanks for the input AnotherLevel I would be very interested in finding out what the barrister says. Perhaps if s/he is any good you could PM me his details.

Sure, I will post as soon as I know more.

Out of interest, why don't you make a specific disclosure application to the ET judge in your claim? I would think this is much more appropriate and time efficient in your claim. If you make a claim under the new DPA, you're still going to need to provide evidence and convince the judge that your employer has withheld documents containing your personal data.

Thanks for the advice. I have written to a judge. Lets see what happens!

How did you get on with your barrister?

Welcome to VIP Would you like your thread moving to the more private area ?

thank you very much. I think it can remain where it is at the moment.

another point about the ICO, surely one only needs to send a complaint to the ICO if it is a complicated matter. If a company breaches the GDPR by say not not responding or taking over 30 days- wouldn't an open and shut case be simple enough to take straight to court?

If someone does not respond to a SAR and you raise a complaint to the ICO, then the ICO will contact that company and remind them of their legal obligations. If they still fail to respond, then the ICO can issue an Enforcement Notice, which becomes a criminal offence for failure to comply with the notice.

If a company responds to a SAR, but outside of the one month deadline, then the ICO will always uphold your complaint in relation to the delayed response. However, they will not take action unless there is a repeated history of that company failing to respond within deadlines.

If a company does not provide all the information you requested or are entitled to, then this is a really tricky area. Unless it is blatantly clear that the company has not provided all the information it processes/stores, then the onus is on you to prove that the company has not complied with the DPA/GDPR. It doesn't matter if it's the court or the ICO, you need to have some evidence that the company is withholding information containing your personal data.

I made a SAR to a company before and in their response, they provided a copy of an email. This email contained my full name as the subject (obviously my personal data), but the email chain wasn't complete. The email they provided was just a reply and it was clear the first email in the chain was missing as well as any response to the reply (it wasn't 100% clear this existed, but it was highly likely as the reply had quite a few questions within it). It took a lot of time for me to get that email chain, after many excuses, and eventually it became quite obvious why they did not want to provide it to me in the first place. This is a basic example of what you ultimately would need to be able to do to prove to the ICO/a judge that a company has not complied with the DPA/GDPR.

I am awaiting another update from the barrister I contacted, however he said two things:

1. He recommended using the High Court to file the claim and seek an order. I am hesitant about this due to the costs involved.

2. Even though I can prove that my former employer has failed to comply with my SAR fully, I am really after the nitty gritty communication about me and I don't have evidence that this exists. I know it exists myself, but that's not enough when trying to convince a judge. There are a couple of ways potentially around this in my case, especially when the data is handled by third parties, but I don't want to openly discuss them on here.

But what if people just want to go after a company for breach of the GDPR. Surely not responding to a request or going over the 30 day time limit, are still breaches? How would the ordinary man on the street claim compensation for the breaches? Surely it can't be a matter for the high court?! However saying that, I'm not sure if it would be small claim court either as it is not possible to put a price of such breaches at present.

Anyone else got any ideas?

Unless a data controller is willing to accept a settlement for a GDPR breach, your only option is to pursue them in court for compensation. The ICO does not seek compensation on behalf of data subjects.

There isn't any guidance at the moment on which court track a GDPR claim will take. In my case the High Court is the preferred option because the claim is somewhat technical, the jurisdiction issue and it create more pressure on my former employer.

People have to be realistic in their expectations for compensation. Say a data controller responds to a SAR on day 40, rather than within the one month period for a response. Does this mean the data subject can claim £1,000s in compensation? Of course not and if they wanted to claim a large sum of compensation, they would need to demonstrate to a judge that they suffered this loss as a result of the breach of their rights under GDPR.

There is already quite a bit of case law under the previous DPA about claims for compensation such as distress. However, most of these have come in the past 4 years or so. As GDPR does not explicit define the judicial remedies, it's ultimately at the court's discretion what to award someone.

With your ET claim, if you want to claim compensation for an infringement of your rights, you will need to prove:

1) You need to demonstrate that that the information containing your personal data exists, that your employer should have disclosed it and by not disclosing it, your rights under GDPR/DPA have been infringed.

2) If you're claiming you lost your ET as a result of the infringement, you will need to prove that if they provided this information containing your personal data, it would have resulted in a different outcome in your claim.

This is going to be so difficult for you to achieve, especially number 2. Ultimately if something exists that would have a material affect on your ET claim, it should be disclosed as part of the disclosure stage. If you can prove it exists, then deal with it as a matter of specific disclosure rather than waiting to lose your ET claim and bring a claim for compensation under GDPR/DPA. If a judge does not believe a document exists as part of disclosure under your ET, you stand little to no chance that another judge will believe the document exists for purposes of GDPR/DPA.

like most things in this weird country Regulation sounds good BUT try and enforce it,? as an ordinary person in the street do not have funds

Thanks for that. So are you saying that I can make a claim for a breach of the gdpr during my ET? Would I have notify the court and the respondent beforehand?