High Court rules on GDPR case

On 1st April 2025, the High Court delivered its judgment in the case of Yesim Kul & Ors v DWF Law LLP. This ruling centres on specific disclosures sought by the claimants and the defendant's motions regarding data handling practices in accordance with the United Kingdom's General Data Protection Regulation (GDPR). The judgment emerges from a complex interplay of previously established claims and legal arguments rooted in GDPR principles.

The case began following a series of road traffic accidents involving three claimants who were initially part of a larger group of 137 individuals. These accidents occurred on 19 January 2019 and 2 October 2016. The claimants, represented by Ersan & Co Solicitors, alleged the unlawful processing of their personal data by DWF Law LLP, a law firm representing various insurers connected to the defendants. The essence of their grievance relates to the handling of sensitive personal data without acquiring the necessary consent, thereby constituting a breach of GDPR.

The legal proceedings initiated as part of separate county court litigation, in which DWF defended claims against multiple individuals represented by Ersan. During these proceedings, a crucial witness statement, JS1, was submitted that included personal data pertaining to the claimants without prior consent. This information was seen as vital in numerous contested cases where accusations of fundamental dishonesty were made.

The judgment addressed several motions, including the claimants' request for specific document disclosures, which they argued would clarify the lawful basis for the processing of their data. However, the defence opposed these requests, citing legal professional privilege and asserting that the requested materials were irrelevant to the key issues at hand.

Judge Jennifer Eady DBE concluded the claimants could not establish a legitimate need for the specific disclosure sought. She noted that the narrow scope of the claims made the requests more akin to fishing expeditions rather than legitimate inquiries pertinent to the trial. She further reasoned that any disclosure would not significantly aid the issues at trial and could disrupt the overarching process.

In another aspect of the proceedings, the defendant sought to amend its defence and remove certain parts of the claimant's witness statement submitted by Mr Gadd. Upon review, the court determined that the re-amendment helped clarify the defendant's position without materially impacting the trial's focus. Consequently, the court ruled to excise several paragraphs from Mr Gadd's statement, since they pertained more to legal argument than to factual evidence.

This judgment highlights the necessity for clarity and precision when applying GDPR principles in contested litigation involving data processing scrutiny. The ruling seeks to balance individual rights against procedural safeguards that protect confidentiality and legal privilege. With a substantive hearing set for 6 May 2025, this decision establishes a relevant precedent demonstrating how allegations related to GDPR can interact with broader legal contexts, emphasising the intricacies of accountability in data processing within litigation.

Legal professionals and those engaged in data protection will find important insights in this ruling, as it outlines the borders between necessary disclosures and the constraints imposed by existing legal frameworks