The General Data Protection Regulation (GDPR) was designed to safeguard individuals’ rights to access their personal data, ensuring transparency and accountability. However, my ongoing struggle with Balliol Property Services (BPS) and Burnetts Solicitors LLP reveals how procedural tools can be misused to frustrate these rights. What follows is an account of their deliberate obstruction, contradictory tactics, and bad-faith efforts to undermine my Subject Access Request (SAR).
A Case Study in Vexatious Conduct
1. SAR Submission and Initial Non-Compliance In April 2024, I exercised my GDPR right under Article 15 by submitting a SAR to BPS. Despite their obligation under Article 12(3) to respond within one month, they failed to comply. Instead, they redirected my SAR to Burnetts Solicitors without my consent. It should be noted at this stage that BPS had corresponded with me extensively over the years, leaving no doubt about my identity.
2. Burnetts Assumes Control (Mid-2024) Amid BPS’s failure to comply with the statutory one-month timeframe under GDPR Article 12(3), Burnetts Solicitors LLP assumed responsibility for processing my SAR. They instructed me to direct all SAR-related correspondence to them, barring any direct contact with BPS. This action positioned Burnetts as a data processor under GDPR Article 4(8), thereby obligating them to ensure compliance with all relevant data protection laws. It is critical to note that when Burnetts assumed control, BPS—and consequentially Burnetts, as the data processor—were already outside the statutory timeframe, placing both parties in breach of GDPR obligations.
However, Burnetts’ involvement did not lead to resolution. As mentioned before, the statutory timeframe for responding to my SAR had already expired. Burnetts then compounded this breach by failing to clarify their role, ensuring compliance, or progressing my request in a timely and transparent manner.
3. Procedural Reversal by Burnetts (November 2024) As months passed and ICO scrutiny increased, Burnetts adopted contradictory positions that further delayed the SAR process. In a striking procedural reversal, they directed me to provide my ID directly to BPS, contradicting their earlier directive to route all correspondence through their firm. This inconsistency added confusion and revealed a lack of professionalism.
Burnetts’ shifting stance appeared designed to obscure their own role in the process. Their failure to identify themselves as a data processor—a position they had effectively assumed—amounted to a breach of GDPR Article 5(1)(a), which demands transparency and accountability. By creating unnecessary procedural hurdles, they acted in bad faith and obstructed my access rights.
4. Invoice Undermines ID Verification (29 November 2024) The culmination of this obstruction came on 29 November 2024, when the director of BPS sent an email to two of my verified addresses. The email demanded settlement of an alleged debt tied to fabricated legal fees and threatened legal action. This correspondence demolished BPS’s claim that they needed further ID verification, as they clearly had no difficulty identifying me when pursuing their own interests.
This development exposed the ID verification demands as redundant and vexatious, highlighting BPS and Burnetts’ deliberate misuse of GDPR to frustrate my SAR. It also implicated both parties in potential breaches of other legal frameworks, including the Companies Act 2006 and the Economic Crime and Corporate Transparency Act 2023.
Burnetts’ Role: From Data Processor to Vexatious Actor Burnetts’ involvement in this matter is particularly troubling. By acting as a data processor without my consent, they assumed direct GDPR obligations under Articles 28 and 29. Their failure to clarify their role, coupled with their contradictory instructions and unnecessary ID demands, not only breached GDPR but demonstrated vexatious behaviour.
Their use of temporary email addresses to handle SAR correspondence further undermined the transparency required under GDPR Article 5(1)(a). This deliberate obfuscation, combined with their shifting roles and attempts to distance themselves from the SAR process and BPS, demonstrates a calculated effort to avoid accountability. Of particular concern is their inconsistent positioning. Initially acting as a data processor, Burnetts later claimed to be a mere liaison—a shift that coincidentally occurred after the ICO determined that BPS had failed to comply with the statutory timeframe for my SAR, and Burnetts had neglected to clarify their role. However, when BPS directed me to send my ID directly to Burnetts yesterday, BPS inadvertently re-established Burnetts’ role as a data processor, firmly placing them back within the obligations of GDPR.
Key GDPR Breaches by BPS and Burnetts
- Article 12(3): Failure to respond to my SAR within the statutory one-month timeframe.
- Article 12(6): Unjustified ID verification demands, despite no reasonable grounds to doubt my identity.
- Article 5(1)(a): Lack of transparency and accountability in defining roles and responsibilities.
- Article 5(1)(c): Violation of data minimisation principles through redundant ID requests.
- Article 32: Failure to ensure secure processing of personal data, raising concerns about how my data was managed.
The Bigger Picture: Abuse of Power and Procedural Tools
The deliberate obstruction of my SAR by BPS and Burnetts represents a gross misuse of GDPR. Their tactics, including redundant ID verification, contradictory instructions, and attempts to deflect responsibility, reveal a pattern of bad-faith behaviour that undermines the integrity of data protection laws.
Moreover, the fabricated invoice issued by BPS raises serious questions about their compliance with broader legal obligations, including corporate governance and transparency requirements under the Companies Act 2006. The Economic Crime and Corporate Transparency Act 2023 further amplifies these concerns, as their actions demonstrate a blatant disregard for accountability and lawful conduct.
A Call for Accountability
This case highlights the urgent need for stronger enforcement of GDPR and related laws. Regulators, including the Information Commissioner’s Office (ICO), must take decisive action to address such vexatious behaviour. Allowing organisations like BPS and Burnetts to weaponise procedural requirements undermines the very purpose of GDPR and erodes public trust.
For my part, I intend to pursue all available avenues to hold these parties accountable, including:
- Filing additional complaints with the ICO to expose the vexatious and obstructive tactics employed by BPS and Burnetts.
- Reporting Burnetts to the Solicitors Regulation Authority (SRA) for professional misconduct and GDPR breaches.
- Exploring legal action under GDPR Article 82 to seek compensation for the damages caused by their non-compliance.
Conclusion: A Fight for Justice
The deliberate obstruction I have faced is not an isolated incident—it is symptomatic of a wider issue where organisations misuse GDPR to frustrate accountability. My case serves as a cautionary tale for others navigating the SAR process, but it also underscores the need for systemic reform.
This battle is far from over, but I remain resolute. Organisations like BPS and Burnetts must not be allowed to abuse the rights of individuals with impunity. By holding them accountable, I hope to set a precedent that ensures GDPR’s principles of fairness, transparency, and accountability are upheld.
This account is based on my personal experience and is intended to shed light on the misuse of GDPR by organisations attempting to evade accountability. It is provided for informational purposes only and should not be construed as legal advice. For guidance on specific legal issues or concerns, you should consult a qualified legal professional.