KB 2023 004108 - [2025] EWHC 1824 (KB)
King's / Queen's Bench Division of the High Court

Date: 22-Jul-2025

The claims before me and the parties’ submissions

The case for the claimants

37. In these proceedings, the claimants’ claims are limited to declaratory relief and compliance orders; no compensation is sought. As pleaded, the claimants’ positive case identified the following breaches of the UK GDPR: (1) under article 5: none of the processing involved in JS1 was lawful, fair or transparent (article 5(1)(a)), it constituted further processing in a manner incompatible with the specified, explicit and legitimate purpose relied on (defending the claimants’ claims) (article 5(1)(b)), it violated the data minimisation principle (article 5(1)(c)), and, in relation to the claims of C2 and C3 (those claims having been concluded “years before” JS1), the defendant had no legitimate purpose in processing their personal data (article 5(1)(e)); under article 6: the defendant had not sought the consent of any of the claimants for the data processing involved in JS1; under article 9(1): the defendant had processed the claimants’ “sensitive personal data” (that is, data concerning the claimants’ health); under article 14: no personal data having been obtained directly from any of the claimants, the defendant had failed to provide the claimants with information as required under that provision; under article 17: the defendant had unlawfully retained and used the claimants’ personal data beyond the purpose for which it was collected (that is, the claimants’ own claims).

38. At the hearing, Mr Hanstock (who had not settled the pleadings) put the claimants’ case as centred on three propositions: (1) lack of necessity, specifically in the use of the claimants’ personal, and special category, data in County Court proceedings without pseudonymisation; (2) the limited value of the data in purported pursuit of the identified objective; and, on the basis of (1) and (2), (3) the unfairness of, and lack of transparency in, the processing. The claimants’ case related to the entirety of the processing involved in JS1 (as explained in JS2), and engaged article 5(1)(a), (c) and (e), article 6 (relevant to lawfulness), article 9 (offending the prohibition on the processing of special category data), and articles 14, 17, and 25. In submissions, Mr Hanstock’s focus was on the defendant’s failure to pseudonymise the claimants in JS1, stating that the objection in this regard was to the provision of JS1 to Ersan, to the court and to the other claimants in the County Court proceedings. The claimants thus sought a declaration of unlawfulness/breach of the UK GDPR in relation to the use of their names in JS1, and a compliance order such that JS1 could only be used with their names redacted.

39. Addressing the question of necessity, even if desirable to use the claimants’ names, that was not enough: the test was objective, requiring a proportionality assessment, having regard to the parties’ resources, the availability of less intrusive alternatives (here, pseudonymisation, as had subsequently occurred), and remoteness. It was the claimants’ case that JS1 was of so little probative value (see Freedman J’s observations in Kerseviciene) that the processing was not in fact necessary.

40. These were, moreover, points that also went to the question of fairness: even if reasonably necessary, the use of the claimants’ names (at least by the time JS1 was disseminated to Ersan, the County Court, and the other claimants) was unfair. The data involved in JS1 was important to the claimants, and included special category data, including that of a child (C2). The defendant’s object was to use the data to pursue allegations of fraud; as such, it was obviously reputationally damaging. Moreover, the claimants had raised their objections, in their letters of 2021 and in the letters before action in 2023, expressly identifying pseudonymisation as a less intrusive means of processing the data. Those letters amounted to requests for erasure of personal data (including by means of pseudonymisation) for the purposes of article 17.

41. Allied to this point, although similarly requiring separate consideration, was the question of transparency. This was also expressly (and separately) engaged by article 14, and the obligations to which that gave rise (given no personal data had been obtained directly from the claimants). In this regard, it was no answer for the defendant to rely on the privacy notice on its website: (i) the evidence did not establish that the notice was in place prior to 2020; (ii) the claimants could not reasonably have been expected to have known to look at the defendant’s website (in particular given that C2 was then a child and his case had been settled directly with the insurer); (iii) even if the claimants’ involvement in (proposed) County Court proceedings ought to have put them on notice as to some processing of their personal data, the extent of JS1 went beyond what might reasonably have been expected.

42. On the question of abuse (raised by the defendant), this was not a case that properly fell within Henderson v Henderson (1843) 3 Hare 100: (i) none of the prior claims in which UK GDPR rights were raised as a bar to the admissibility of JS1 concerned C1, C2 or C3; (ii) the Ersan undertaking arose in proceedings that did not involve C1, C2 or C3, and did not apply to them; (iii) neither the earlier determination (on admissibility) nor the Ersan undertaking took effect in rem; (iv) the earlier determination did not render the GDPR issues in this claim res judicata. Abuse of process was not properly before the court at this stage (at most, it could only have relevance to costs). In any event, the claimants had given evidence as to why they were pursuing these claims, rejecting the suggestion this was at the bidding of Ersan; Ersan’s motive thus had no relevance to these claims.