What Happens Next? Following a Live GDPR Access Request at Worldline UK

The Curious Case of Access Without Copies

In its previous reporting, Loopline Media noted that Worldline UK had apologised for “unintended anxiety” arising from a request for personal data. Subsequent correspondence brings that underlying issue into sharper focus.

Worldline emails Dsar_Redacted (1)_RedactedDownload

The original request, dated 24 November 2025, was expressly framed as a request under Articles 12–15 UK GDPR and was acknowledged by Worldline UK the following day. In December, Worldline UK issued what it described as its response, enclosing an annexed table summarising categories of personal data, purposes of processing, and recipients.

In that response, Worldline UK stated that it had “confined [its] response to that specific personal data in accordance with Article 15(1) UK GDPR” and that, other than the annexed table, it “does not intend to provide you with information to which you are not entitled under Article 15 UK GDPR,” expressly listing “copies” among the materials it would not provide Worldline.

The distinction drawn here is precise and consequential.

Worldline UK’s position, set out clearly in later correspondence dated 29 January 2026, is that the original request did not include a request for copies at all. As the Data Protection Officer put it:

The scope of your 24 November 2025 DSAR did not include a request for copies.” Worldline Data Protection Team

On that basis, Worldline UK asserted that it had “complied with your 24 November 2025 DSAR within the statutory deadline” and that the request for copies would instead be “dealt with as a separate DSAR made on 21 January 2026”.

This is the point at which the disagreement ceases to be procedural and becomes interpretive.

From a consumer or data subject perspective, the difference between being told that data exists and being able to see it is fundamental. One explains; the other allows verification. How organisations draw that line affects not just transparency, but how long individuals are left waiting for answers about their own information.

The data subject’s response, sent on 21 January 2026, explicitly rejected the sufficiency of a schedule-only response, stating:

“The provision of a narrative description or table does not discharge the obligation for copies without explanation under Article 15(3) UK GDPR.” Worldline Data Protection Team

That correspondence further emphasised that no extension had been notified and that the one-month deadline had expired on 24 December 2025.

Worldline UK’s reply did not engage with that point directly. Instead, it relied on the specific wording of the original request and treated the request for copies as “new”, thereby restarting GDPR timelines.

Seen in isolation, this could be framed as a legitimate difference of legal interpretation. Seen in context, it aligns with the pattern previously described: a process in which access is acknowledged in principle, but delivery is segmented, deferred, and re-timed through administrative categorisation.

This matters because the apology for “unintended anxiety” did not arise from a single communication. It arose from the accumulation of steps: additional unnecessary verification requested (as admitted by Worldline UK) and withdrawn, unanswered questions and portal-generated messages implying work had not yet begun, and now the assertion that the statutory obligation to provide copies never arose in the first place.

For the ordinary requester, this creates an odd position: the data is acknowledged, described, and categorised — but apparently never quite arrives.

This correspondence also sits against a wider regulatory backdrop within the Worldline group. In January 2025, Germany’s Federal Financial Supervisory Authority (BaFin) published binding measures against Worldline subsidiary Payone GmbH, citing violations of requirements for proper business organisation, deficiencies in anti-money laundering controls, and weaknesses in IT systems and processes. Those findings led to increased capital requirements and the appointment of a BaFin special representative to oversee remediation. While the subject matter differs, the regulatory language is notable: the issues identified were not transactional errors, but structural and organisational shortcomings. Against that context, questions about how statutory rights are operationalised, segmented, and managed through process acquire a broader relevance.

change, new beginning, risk-3256330.jpg

Taken together, the exchanges raise a legitimate question about whether, and how far, compliance culture within the wider Worldline group has evolved in recent years. That question is not about intent or wrongdoing, but about emphasis: whether regulatory obligations are now approached primarily as procedural exercises to be managed, or as substantive rights to be delivered in full and without friction.

That question is not unique to data protection. Worldline has, in other regulatory contexts, publicly emphasised the strengthening of its compliance frameworks, enhanced oversight, and zero-tolerance standards. The handling of a routine but legally precise access request offers a ground-level view of how those commitments translate into practice.

For now, the dispute remains live. Worldline UK has now acknowledged a “DSAR 2” and indicated it will respond “accordingly”. Whether that response will include copies of personal data, or further debate about scope and entitlement, remains to be seen.

What is clear is that the apology marked not an end point, but a pause. The correspondence that followed shows how easily the mechanics of compliance can reshape the practical experience of a right that, on paper, is meant to be straightforward.

The question raised by this latest exchange is a narrow but important one: when an Article 15 request is made, does access begin with a table — or with the data itself?

That question will not be answered in theory. It will be answered, as this case continues, in practice.

Disclaimer

This article is published for informational and public-interest purposes only. It does not constitute legal advice or a determination of compliance with the UK GDPR or any other regulation. It does not allege wrongdoing by Worldline UK, any Worldline entity, Payone GmbH, or any individual. It reports on contemporaneous correspondence relating to a live data subject access request and references publicly available regulatory material for context. Any observations about process, timing, or organisational approach are matters of consumer experience and regulatory interpretation, not findings of fault. Documents cited are reproduced accurately, with personal data redacted where appropriate. Readers should seek professional independent advice or contact the Information Commissioner’s Office regarding their own data protection rights.

london, willis building, reflection-3529954.jpg

This Article is brought to you by

Loopline Media

Catch up with the Author

Facebook-f Twitter Linkedin

Subscribe Now to Get Regular Updates

Search

Post-Brexit: data protection
Card processor sends sensitive data to wrong address
24 August 2022

Worldline SA subsidiary Payone GmbH has been accused of breaching data protection rules after it sent sensitive employee payroll information to the wrong address by accident. The Worldline Group holdS a 60% stake in the Frankfurt based company who have a small UK market presence.

In June 2021, one of Payone GmbH’s ex UK employees (the data subject) received a “potential data breach notification” from the firm advising him that his salary, National Insurance data, nationality (Special Category Data) was amongst various bits of information sent to an incorrect home address.

This included personal information such as the former employees name, age and address.  It also included details such as the date of birth and the amount of annual work bonus he received in his bank account amongst other identifiable data.

Payone GmbH confirmed that this document was sent out in error following an employee making a mistake when re-entering data processed by their third-party payroll provider.  The error arose when the employee was fulfilling an Article 15 GDPR request. The error was spotted by the data subject when he noticed in an email version of the document that the postal address was incorrect. An attempt to notify Payone GmbH of the error went in vain as the document was already irretrievably despatched.

The data subject was alarmed with the incident which exposed him to the possibility of fraudulent activity, amidst reasonable fears his data could end up on the dark web and used by criminals.  Habitually resident in the UK he complained to the Information Commissioner’s Office (ICO) in June 2021. He similarly raised the concern in Germany via The Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

The ICO reprimanded Payone GmbH for the error in their final decision letter.
Similarly, the HBDI cited a violation of Article 5(f) of the General Data Protection Regulation (GDPR) relating to integrity and confidentiality.

The ICO stated in their July 2021 findings that Payone GmbH, “should take steps to ensure that all personal data records are accurate and up to date. Holding inaccurate information, such as addresses, does increase the risk of personal data breaches and poses risks to the security of information”.

The HBDI confirmed in their October 2021 findings that Payone GmbH had taken remedial action. They concluded that a monetary fine would not be imposed on Payone GmbH as they had taken technical and organisational steps in response to the data breach. Data subjects could now request their data in an autonomous portal.

The GDPR, which came into effect in 2018, gave the Information Commissioner’s Office greater powers to tackle data breaches. The new ‘UK GDPR’ charts its own course after Brexit whilst seeking to maintain EU GDPR adequacy.  In extreme scenarios, organisations face penalties of up to £20m or 4 per cent of their global worldwide turnover, whichever is more.

In the years prior to GDPR, the ICO fines were capped at £500,000.

The data subject said: “I am just glad I spotted it; they were going to resend the document again to another wrong address. Prior to Brexit the process would have been commenced via the ICO who in turn would liaise with the HBDI on the data subjects’ behalf; but I found myself communicating with both authorities separately which was an additional step but in the end was surprisingly
effective. Unfortunately, Payone GmbH again sent my incorrect address to the
Workers Pension Trust in January 2022, and documents yet again went to the wrong address. In my opinion they have not learned from the first time and my complaint is sitting with the ICO yet again”.

The former employee is pursuing a remedy under Article 82 UK GDPR via
the Court’s of England & Wales.

Extraordinary Experiences

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Our Core Values

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
  • Locavit liberioris possedit
  • Diremit mundi mare undae
  • Spectent tonitrua mutastis

We use cookies to improve user experience and analyse website traffic. By clicking ‘Accept’, you agree to our website’s cookie use as described in our Privacy Policy.

Accept
Decline
Accept
Decline