DVLA Data Protection Breach


The DVLA was passing the names and addresses of registered vehicle owners to private parking companies to enable them to issue parking fines. But we believed that it breached individual data protection rights by processing data without proper care and attention. 

The DVLA Data Protection Failure

When an organisation processes (collects, uses, holds, shares) your information, it has to do so in a way that is compliant with data protection law. While the DVLA’s privacy policy states that it may share personal data with registered private parking companies, by processing data without the proper care and attention, and not checking that PCNs are valid and correct, we believed that the DVLA was breaching the data rights of registered vehicle owners. 

We helped our clients make DVLA claims for a range of incorrect and invalid PCNs. Here are just some of their stories.

Real-life DVLA case studies

Ron was given a PCN while parked on a public road opposite a private car park. He paid in full after being threatened with court action. We helped him make a claim as the fine was invalid, and he had suffered emotional distress and financial loss as a result.

Sarah drove in and out of the same carpark twice in one day. There were no parking spaces, so she did not stop. A private parking company charged her from the time she first drove in, to the time she drove out on her second visit. After an unsuccessful appeal, she turned to Keller Postman UK to help her claim compensation for the error.

Aisha was given a PCN because she didn’t pay within the time limit set by a private parking company. She was unable to do this as the payment machine was not working properly. We helped her claim compensation for this invalid fine.

Sam visited a local hotel bar and used a private car park which provides free parking to customers. However, her vehicle registration was not entered correctly on the hotel’s system, so she was fined for non-payment. Despite being able to prove that she was a customer at the time in question, the parking company refused her appeal and have taken her to court for non-payment. We helped her get justice.

George visited a retail store and parked in its carpark. He inserted the correct fee into the parking machine, but it failed to deliver a ticket. He has since been issued with a PCN. We helped him claim compensation for this invalid fine.

Jadyn checked his credit score after being refused credit for a purchase. He was shocked to discover details of a CCJ for non-payment of a PCN for a vehicle he has never owned. The car is registered to an address he used to live at. Jadyn currently needs to pay over £1,000 to clear the debt. We helped him make a claim for the invalid PCN, the impact on his credit rating, and the emotional distress experienced.

David was given a parking fine despite having a blue badge which entitles him to free parking. He paid the fine as he was uncomfortable receiving threatening and aggressive letters for payment. We helped him claim compensation for the distress experienced.

Julie could not download the parking app due to poor 4G signal in the car park. She usually pays online so had no change for the meter. Despite eventually paying the parking fee, and leaving within the time paid for, she was given a ticket. We helped Julie to make a compensation claim.

Ashar was issued a ticket for being parked on permit-controlled land. He had a permit, and the right to park there, but the smart parking ANPR system wasn’t working correctly. As well as not acknowledging his permit, the fine didn’t arrive until a month after he visited the car parks (legally, it should have been issued within 14 days). We helped him claim compensation.

*Names have been changed to protect client confidentiality.


Has the DVLA breached your data protection rights?

We believe that the DVLA’s poor data processes are routinely letting people down. For example, the DVLA does not ask for anything other than basic information (vehicle, make, model, reg plate) prior to providing personal information for a PCN.

The DVLA does not check if:  

This is a data protection failure. 

Even with a valid ticket, the DVLA often provides private parking companies with incorrect data and breaches data protection rules in other ways. For example, by not keeping its systems up to date, and by using your data in ways you did not agree to.

To claim compensation with Keller Postman UK, you will need:


Talk to our expert data breach lawyers today on 0151 459 5850

When it comes to data protection botches and abuses, it is not just about data breaches.

Organisations are failing to uphold our data rights in other ways.

Improper processing

Under the GDPR, your data can only be processed for “specified, explicit and legitimate” purposes. It also must be kept accurate, up-to-date, and safe. You must also provide your consent for how it can be used. Companies collecting your data must also undertake a DPIA (Data Protection Impact Assessment) to make sure personal data is being lawfully used and processed.  

Our investigations show that this is not happening.

In response, Keller Postman UK is:

DVLA Data Breach Timeline

  • Up to present day
    The DVLA passed the names and addresses of registered vehicle owners to private parking companies to enable them to issue parking fines.
  • May 2018
    The GDPR is introduced. This law provides people with greater data protections.
  • October 2020
    A Freedom of Information Request uncovered that the DVLA had reported almost 200 data breaches to the Information Commissioner’s Office (ICO) across 2019/2020.
  • January 2022
    Keller Postman UK launches a group action to help registered vehicle keepers in England & Wales claim compensation for the misuse of their personal data.

Latest News

The DVLA reported almost 200 breach notifications to the UK’s data protection regulator

According to a recent Freedom of Information request made by secure storage vendor Apricorn, the DVLA reported almost 200 breach notifications to the ICO between 2019 and 2020. 

It is likely that the introduction of the General Data Protection Regulation (GDPR) resulted in an increase in breaches being reported to the ICO, as it is now mandatory to do so. However, the sheer number of reports being made by the DVLA is cause for concern.

Commenting on this case our Head of Privacy & Data Breach Litigation, Kingsley Hayes said:

“The public sector handles some of our most sensitive personal data, so a data breach could be disastrous. Nevertheless a reliance on unsecured legacy software and a lack of preparation for dealing with cyber-attacks has made the sector vulnerable. In particular, the findings by Apricorn highlight that the DVLA needs to do more to keep data safe and mitigate risk.

“Of course, there may be some general issues that will be similar across these breaches, and if this is the case, those affected may be able to come together to pursue rectification and damages.”

Your questions answered

See our answers to the FAQs we get asked about the DVLA Data Protection Breach.

What was the Keller Postman UK DVLA data breach case about?

The DVLA was passing the names and addresses of registered vehicle owners to private parking companies to enable them to issue parking fines. But all too often, it was breaching individual data protection rights by processing data without the proper care and attention. Keller Postman UK launched a DVLA data breach group action to help protect the data rights of those affected.

Who was eligible to make a claim?

Your data could have been processed incorrectly by the DVLA, and you may have been eligible to make a claim if you were issued with a PCN:  

  • Despite having purchased a valid ticket  
  • Where a faulty ticket machine meant you could not buy a parking ticket 
  • By an unregulated car parking company 
  • Despite you no longer owning the vehicle (on the day the ticket was issued)  
  • Against an incorrect vehicle (e.g. where an ANPR system picked up an incorrect reg plate) 
  • That was sent to the wrong address. 

To start a claim, you needed to provide us with evidence that you were issued with a PCN (e.g. payment of the fine, the original PCN etc.). We also needed the name of the parking company and the location of the private car park where the fine was issued. We also required evidence to show that your data was processed incorrectly.


What personal data does the DVLA hold about me?

The DVLA manages a vast amount of data. This includes drivers’ names, addresses, dates of birth, photographs, entitlements, endorsements, convictions, and relevant medical information.

The DVLA also holds information about vehicle registration numbers, identification numbers, makes and models, emissions and tax status. 

The DVLA claims that it only passes data to third parties where there are “practical motoring benefits” – this includes private parking companies. 

My data has been breached by the DVLA in another way. Can I still join this action?

No, this action is closed. 

At Keller Postman UK, we help groups of people make compensation claims when an organisation has not looked after their personal information correctly. This is called making a group action claim. If you are a victim of another DVLA data protection breach, check out our current group actions to see if we are running a claim related to that specific breach.

If the action you want to join is not listed, please tell us about it! Where enough people come forward, we may launch a new claim.

We run our cases on a no-win, no-fee basis.