Continuing on the theme of DSARs, I wanted to let you see a reply that my friend had from M&S and my analysis of it, so that she could do a follow-up. She has in fact made several DSAR requests to major retailers and so far M&S has been the worst (in my opinion) with their response. I wanted to share this because you will find this a lot: responses try to deflect to others and/or request further information, such as identity documentation, to progress matters. Hopefully reading the below will help you and give you some ideas as to how to respond if you receive a similar response to your own DSAR.
Firstly, if you want to read my first article on DSARs (and I suggest you do for context), you can find it here:
Why Mass DSAR Campaigns Could Disrupt Digital ID and Facial Recognition in the UK
Under the UK GDPR, any individual can submit a Data Subject Access Request (DSAR) to an organisation that holds their personal data, including biometric data captured through digital ID and facial recognition scans. Companies must respond within one month, free of charge, unless the request is “manifestly unfounded or excessive.”
Response to DSAR from M&S
Dear [Redacted],
Thank you for contacting the Data Protection Office to make a subject access request.
We can only provide you with data held by Marks & Spencer PLC. For requests relating to trusted Third Party Partners you can raise your request with them directly, via the links below:
· For M&S Bank (A wholly owned subsidiary of HSBC) click here.
· For M&S Energy (under partnering arrangements with Octopus Energy Ltd) click here.
· For M&S Opticians (Operated by Owl Optical Ltd) click here.
· For Ocado click here.
· For Interest Free Loans click here.
The store based at Charing Cross Station is actually operated by our franchise partners, SSP. As a result, you would need to contact SSP directly to request any CCTV footage they may hold. The email address for SSP is: customer.care@ssp.uk.com
The privacy notice for SSP, which contains additional contact details, can be accessed here: https://www.foodtravelexperts.com/international/gdpr/
Facial Recognition
M&S, like many other retailers, operates surveillance cameras in all stores to prevent and detect unlawful and inappropriate activity and to protect our customers and colleagues. We are confident that we do so in compliance with applicable laws, including data protection laws, guidance and best practice. Our specialist data protection compliance team provides expert advice and liaises closely with the Information Commissioner’s Office, which regulates data protection in the UK. Some of your questions relate to confidential matters of operational security, and you will appreciate that we are restricted in the level of detail we can provide.
All of our stores have signage at the entrances to notify customers that surveillance cameras are in operation, and in some cases in-store monitors show real time footage. We are transparent about our cameras and want customers and colleagues to be aware, to provide them with reassurance, to deter criminals and to comply with our legal obligations.
We can confirm that M&S does not rely on consent for the processing of personal data in connection with CCTV. Consent is not necessary and would be unworkable. Instead, we rely principally on the lawful basis set out in Article 6(1)(f) of the UK GDPR because this processing is in our legitimate interests and does not infringe upon the rights and interests of our customers or colleagues. The ICO’s guidance on surveillance cameras confirms this: ‘it is likely the appropriate lawful basis will be legitimate interests.’
Footage is monitored by our security teams and access is strictly controlled and restricted. It is stored in secure locations subject to appropriate operational and technical protections. Footage is retained in line with our data retention and destruction controls, and in general it will be automatically deleted within a month. For obvious reasons, footage of specific incidents in stores will be retained for longer than this where required for legal compliance, investigations or the prosecution of offenders. M&S works with specialist security partners who process personal data contained in CCTV on our behalf in the capacity of ‘data processors’. M&S undertakes due diligence on such processors to ensure they are fit and proper partners that operate to high standards, particularly with regard to data security. They are subject to strict contractual restrictions which require them to protect personal data in the footage and only allow them to handle the data on our behalf and in line with our documented instructions.
Where appropriate and lawful, M&S will also share footage with police and other law enforcement agencies, for example where necessary to investigate criminal offences and bring perpetrators to justice.
Biometric Data
M&S does not use live facial recognition technology in its stores. There is no automated process for checking images of customers captured on CCTV to match them with records of known offenders. However, when an image of someone suspected of a criminal offence in M&S premises is added to our crime prevention database, biometric data is used for retrospective facial recognition processing to identify whether the image matches any other image of a suspect or offender previously uploaded to the database. A match will not be made until a member of our specialist security team has reviewed and approved it. We are confident that this processing of biometric data is necessary for the purposes of crime prevention & detection and/or the apprehension and prosecution of offenders, and is compliant with data protection laws. We do not rely on consent for processing this data.
We will complete your subject access request by 20th November.
We will keep you updated on progress and if you have any questions in the meantime please contact us.
Thank you for your understanding.
My analysis of the response from M&S
Franchise Store Clarification: The response notes that the Charing Cross Station store is operated by a franchise partner, SSP, and therefore, M&S cannot provide CCTV footage from that location. This could be problematic if you were not clearly informed that the store was a franchise, as it might create confusion about where your data is held or processed.
Concern: M&S redirects you to contact SSP directly but does not confirm whether they have ensured SSP complies with similar data protection standards. Under UK GDPR, M&S, as the data controller, may still have responsibilities to ensure their franchise partners handle personal data appropriately.
Legitimate Interests as Lawful Basis: M&S states they rely on “legitimate interests” (Article 6(1)(f) UK GDPR) rather than consent for processing CCTV data. While this is permissible and aligns with ICO guidance, they must still conduct a Legitimate Interests Assessment (LIA) to balance their interests against your rights. The response does not confirm whether an LIA was conducted or provide details about how they ensure your rights are not overridden.
Concern: Without transparency about the LIA, it’s unclear whether M&S adequately considered the impact on data subjects’ privacy rights, especially given the intrusive nature of CCTV surveillance. Ask them if they have completed a Legitimate Interests Assessment and if you can see it.
Facial Recognition and Biometric Data: M&S confirms they do not use live facial recognition but do use retrospective facial recognition for crime prevention, processing biometric data to match images of suspected offenders against a crime prevention database. Biometric data is considered “special category data” under UK GDPR (Article 9), which requires a higher level of protection and an additional lawful basis for processing.
Concern: The response claims this processing is necessary for crime prevention and detection, which could fall under Article 9(2)(g) (substantial public interest) and the Data Protection Act 2018 (Schedule 1, Part 2, para 10 - preventing or detecting unlawful acts). However, they do not explicitly confirm compliance with these specific provisions or mention whether a Data Protection Impact Assessment (DPIA) was conducted, which is mandatory for processing biometric data under Article 35 of UK GDPR. The lack of any mention of a DPIA raises questions about whether they fully assessed the risks to your rights and freedoms. Organisations relying on Schedule 1, Part 2, paragraph 10 of the Data Protection Act 2018 must have an “appropriate policy document” in place to outline their reasons for processing and the safeguards they have implemented. Ask if they have one and request a copy of it.
Transparency and Signage: M&S claims to be transparent about their use of surveillance cameras through signage and in-store monitors. However, they do not specify whether the signage explicitly mentions facial recognition (retrospective or otherwise) or just general CCTV use.
Concern: If the signage only refers to CCTV without mentioning facial recognition or biometric data processing, this could breach the transparency requirements of UK GDPR, as data subjects may not be adequately informed about how their data is processed.
Retention Period: M&S states that CCTV footage is generally deleted within a month but retained longer for “specific incidents” related to legal compliance, investigations, or prosecutions. While this is reasonable, the response lacks specificity about the maximum retention period or the criteria for retaining footage longer.
Concern: Vague retention policies could lead to excessive data retention, potentially breaching the data minimisation and storage limitation principles under UK GDPR. Ask them to be explicit about the criteria for retaining footage for longer.
Data Sharing with Third Parties: M&S mentions sharing footage with law enforcement and using specialist security partners as data processors. While they claim due diligence is conducted, they provide no details about the safeguards in place (e.g., data-sharing agreements, security measures).
Concern: Without clear information about how data is protected when shared or processed by third parties, there’s a risk of non-compliance with UK GDPR’s requirements for secure data processing and third-party oversight. You need to question them more on this.
Response to DSAR: The response promises to complete your DSAR by November 20, 2025, which aligns with the one-month deadline (assuming your request was made around October 20, 2025). However, it does not confirm what specific data will be provided or whether it includes any biometric data processed via retrospective facial recognition.
Concern: If M&S holds biometric data about you in their crime prevention database, they must provide this as part of the DSAR (unless an exemption applies, e.g., for law enforcement purposes under the Data Protection Act 2018). The response is vague about whether such data exists or will be included. Press them on this.
Confidentiality and Limited Detail: M&S cites “confidential matters of operational security” to limit the detail provided about their facial recognition processes.
Concern: While some operational details may be sensitive, UK GDPR requires transparency about data processing activities. Withholding too much information could undermine your ability to understand how your data is used, potentially breaching transparency obligations. Mention this to them and press them on it.
Potential Exemption for Crime Prevention: The response implies that their biometric data processing is justified for crime prevention and detection. The Data Protection Act 2018 allows exemptions from certain GDPR obligations (e.g., providing access to data) if complying would prejudice crime prevention or detection.
Concern: If M&S intends to apply such an exemption to withhold data from your DSAR, they must explicitly state this and justify it. The response does not mention any exemptions, which could lead to non-compliance if they fail to provide relevant data without proper reasoning.
Recommendations
Follow Up with M&S and request clarification on whether a DPIA was conducted for their retrospective facial recognition processing and whether an LIA supports their use of legitimate interests. Ask for specific details about what data (including biometric data) will be provided in your DSAR.
Contact SSP. If your request pertains to the Charing Cross Station store, follow up with SSP as advised, but also ask M&S to confirm their oversight of SSP’s data protection practices, as M&S may still have responsibilities as a data controller.
Check Signage. If possible, verify whether the signage in M&S stores explicitly mentions facial recognition or biometric data processing. If it doesn’t, this could be raised as a transparency issue and a possible complaint to the ICO.
Request Retention Details. Ask M&S for their specific retention policies and criteria for retaining footage beyond one month to ensure compliance with UK GDPR.
Raise with ICO. If you’re concerned about the lack of clarity on biometric data processing, DPIA, or transparency, consider contacting the Information Commissioner’s Office (ICO) for guidance or to file a complaint.
Other comments made by me to my friend
M&S may be a joint controller with their franchisee SSP if their agreement requires data sharing for shared purposes, such as M&S’s central Sparks loyalty programme or aggregated customer insights across the network: when two or more controllers jointly determine the purposes and means of processing, they are considered joint controllers. In joint control scenarios (GDPR Article 26), both parties must transparently allocate responsibilities (e.g., who handles data subject requests or breach notifications) via a written arrangement. M&S often sets brand standards that influence data processing, making joint control common in such partnerships. Ask them about their written arrangement and who is allocated which responsibilities.
If M&S mandates specific systems (e.g., M&S-provided POS or CRM tools) and SSP processes data solely per those instructions, SSP could act as a data processor for M&S (requiring a data processing agreement under GDPR Article 28). However, evidence from similar franchise models suggests SSP retains significant autonomy, tilting toward controller status. Without access to the exact M&S-SSP franchise agreement, this is an informed assessment. In practice, both parties would conduct a data mapping exercise to confirm roles. Having said this, M&S retains significant responsibilities under GDPR, even if SSP is the primary controller. Franchisors like M&S cannot fully delegate GDPR compliance, as the regulation holds controllers (and joint controllers) accountable for ensuring lawful, secure processing.
In summary, whilst SSP bears primary operational duties as the store operator, M&S’s role as franchisor ensures it shares or oversees compliance to safeguard the brand. Both entities must maintain records of processing activities (GDPR Article 30) and appoint a Data Protection Officer if processing is large-scale.
The above analysis is legally robust, well-reasoned, and actionable. It would be highly effective as the basis for a follow-up letter to M&S or a complaint to the ICO, and I have suggested my friend follow up citing the above. I hope this helps you all with your own DSARs, and in the next article I will cover a response requesting ID documents and a suitable reply to refuse the same under the principle of data minimisation.

I have been researching glasses that defeat facial recognition. Combine this with a face nappy and anonymity can be regained.
I am sick and tired of being treated as a guilty person when entering a store. Innocent until proven guilty is the precedent.
And this surveillance is a joke, when shoplifters are not stopped by staff or security due to health & safety.
I have limited my use of major stores, but am mindful of facial recognition cameras and general surveillance.
I will be starting a DSAR campaign shortly for every store I go to when I am filmed. Even the small independents will be sent one.
One other thing... these stores operated by third parties under franchise should be specifically targeted, they do not make it clear they are franchise operations and give a (false) impression of being the store advertised.
Tesco, M&S, Morrisons, Costcutter and some of the neighbourhood convenience stores operate like this. Hit them almost with DSARs it will hurt the smaller companies harder and hopefully lead to the demise of this surveillance culture.
Exhilarating! A feeling all is not lost!