Tweet
Hi all,
I wanted to share something that might be relevant to anyone dealing with Next, ACI, or Perch Capital (or other debt purchasers).
I raised a complaint with the ICO after discovering that Next shared my personal data with ACI/Perch AFTER selling the debt. Their justification for doing this kept changing — first “performance of a contract,” then FCA DISP rules, then finally FCA CONC guidance.
The ICO has now issued a decision that Next had not complied with their data protection obligations, and that their shifting reliance on different lawful bases was unlikely to comply with GDPR.
What’s more, when I submitted a Subject Access Request (SAR) to Next, they refused to disclose key information such as internal notes and communications with ACI. The ICO, however, when I did a SAR to them, did disclose equivalent categories — showing that this kind of information can and should be provided.
This raises big questions:
How many people’s data is still being shared post-sale, months or years after debts were assigned?
If DCAs are relying on documents obtained this way, are they using unlawfully obtained data to enforce debts?
If SARs are incomplete, how can anyone fairly defend themselves in court?
For me, this has been stressful, time-consuming, and has raised serious concerns about industry-wide practices. I’ll be pursuing this further, but I think it’s important that others are aware — because if your data was shared unlawfully, it could directly impact the enforceability of the debt.
Has anyone else had similar experiences with incomplete SARs, or found DCAs going back to the original creditor to fish for documents long after a sale?
Happy to share more detail if useful, and I’d be interested to hear if anyone else is challenging this.
I wanted to share something that might be relevant to anyone dealing with Next, ACI, or Perch Capital (or other debt purchasers).
I raised a complaint with the ICO after discovering that Next shared my personal data with ACI/Perch AFTER selling the debt. Their justification for doing this kept changing — first “performance of a contract,” then FCA DISP rules, then finally FCA CONC guidance.
The ICO has now issued a decision that Next had not complied with their data protection obligations, and that their shifting reliance on different lawful bases was unlikely to comply with GDPR.
What’s more, when I submitted a Subject Access Request (SAR) to Next, they refused to disclose key information such as internal notes and communications with ACI. The ICO, however, when I did a SAR to them, did disclose equivalent categories — showing that this kind of information can and should be provided.
This raises big questions:
How many people’s data is still being shared post-sale, months or years after debts were assigned?
If DCAs are relying on documents obtained this way, are they using unlawfully obtained data to enforce debts?
If SARs are incomplete, how can anyone fairly defend themselves in court?
For me, this has been stressful, time-consuming, and has raised serious concerns about industry-wide practices. I’ll be pursuing this further, but I think it’s important that others are aware — because if your data was shared unlawfully, it could directly impact the enforceability of the debt.
Has anyone else had similar experiences with incomplete SARs, or found DCAs going back to the original creditor to fish for documents long after a sale?
Happy to share more detail if useful, and I’d be interested to hear if anyone else is challenging this.
Comment