GDPR Failures and Incomplete Removal<br /><br />
The Case File > ESCC: documents and omissions
GDPR Failures and Incomplete Removal
How ESCC’s Data Handling Breached Accuracy, Necessity, and Fairness
Public authorities are bound by strict data protection obligations. When they publish information about individuals, they must ensure that the data is accurate, proportionate, necessary, and retained only for as long as required.
In the case of East Sussex County Council (ESCC), the publication and prolonged retention of the December 2022 press statement raise serious concerns under UK GDPR principles — concerns that become even more evident when examining the incomplete removal carried out in December 2025.
In the case of East Sussex County Council (ESCC), the publication and prolonged retention of the December 2022 press statement raise serious concerns under UK GDPR principles — concerns that become even more evident when examining the incomplete removal carried out in December 2025.
This page analyses how ESCC’s actions conflicted with core data protection duties and why the removal, far from resolving the issue, exposed further procedural weaknesses.
📌 Accuracy: A Public Statement Built on an Incomplete Record
Under Article 5(1)(d) UK GDPR, personal data must be accurate and, where necessary, kept up to date.
Yet ESCC’s press statement:
- omitted the April 2022 appeal,
- omitted the carer’s warnings,
- omitted the vulnerability information,
- omitted the linguistic barriers,
- omitted concerns about the interview under caution,
- omitted the fact that the sentence was never notified.
The omissions were not minor.
They fundamentally altered the meaning of the data presented to the public.
They fundamentally altered the meaning of the data presented to the public.
A narrative that excludes key facts cannot be considered accurate.
📌 Necessity: Was Publication Required at All?
Authorities may publish information only when it is necessary for a legitimate purpose.
In this case:
- the alleged offence was minor,
- the sentence was low‑level,
- the individual was vulnerable,
- the guilty plea was potentially invalid,
- the appeal had been submitted,
- the sentence was never notified.
None of these factors support the necessity of a public statement.
Moreover, ESCC never demonstrated:
- why publication was required,
- why publication was proportionate,
- why publication was in the public interest,
- why publication outweighed the individual’s rights.
The absence of justification is itself a breach of the necessity principle.
📌 Proportionality: A Three‑Year Online Presence for a Spent Sentence
Even if publication had been justified, retention must still be proportionate.
Yet ESCC kept the statement online:
- throughout 2023,
- throughout 2024,
- throughout 2025.
This occurred despite:
- the sentence being spent,
- repeated removal requests,
- the cross‑border reputational impact,
- the absence of any legal requirement to retain the content,
- the CCRC closing the case in January 2025.
Three years of online visibility for a minor, contested, and procedurally flawed case is not proportionate.
📌 Fairness: Ignoring Vulnerability and Linguistic Barriers
Fairness is a cornerstone of UK GDPR.
It requires authorities to consider:
It requires authorities to consider:
- vulnerability,
- comprehension,
- context,
- potential harm.
ESCC had been informed — explicitly — that the individual:
- did not understand English,
- did not understand the interview,
- did not understand the guilty plea,
- was medically vulnerable.
Publishing an accusatory narrative while ignoring these factors is incompatible with fairness.
📌 Transparency: The Removal Without Explanation
On 23 December 2025, ESCC removed the press statement.
However:
- no explanation was provided,
- no correction was issued,
- no notification was sent to the media,
- no de‑indexing was carried out,
- no acknowledgement of the harm was made.
The removal was silent, incomplete, and strategically timed — occurring just 11 days after a criminal complaint was filed in Italy.
Transparency requires openness.
This removal was the opposite.
This removal was the opposite.
📌 Storage Limitation: Why Was the Statement Still Online in 2025?
Under Article 5(1)(e) UK GDPR, personal data must not be kept longer than necessary.
Yet ESCC:
- retained the statement for three years,
- provided shifting justifications (CCRC in 2024, “open court” in 2026),
- removed it only after legal escalation.
The timeline suggests that retention was not based on necessity, but on institutional inertia — and later, on reputational risk.
📌 Incomplete Removal: The Digital Footprint That Remained
Even after removal:
- cached versions remained accessible,
- media copies remained online,
- search engine results still referenced the statement,
- no de‑indexing request was made.
A removal that leaves the digital footprint intact is not a removal.
It is a gesture.
It is a gesture.
📌 Why These GDPR Failures Matter
The consequences of ESCC’s actions were not abstract:
- reputational harm extended across borders,
- the individual was denied the chance to challenge the narrative,
- the public was misled by an incomplete account,
- the authority failed to meet its legal obligations.
Data protection is not optional.
It is a legal duty — one that was not met.
It is a legal duty — one that was not met.
Conclusion — A Case Study in How Not to Handle Personal Data
ESCC’s publication and retention of the 2022 statement breached:
- accuracy,
- necessity,
- proportionality,
- fairness,
- transparency,
- storage limitation.
The incomplete removal in 2025 did not resolve these issues.
It highlighted them.
It highlighted them.
This page forms a crucial part of the wider dossier, demonstrating how procedural omissions were compounded by data protection failures — and how these failures contributed to three years of avoidable harm.
Integrated Overview of ESCC’s Procedural and Narrative Handling
The documentation presented across these pages reconstructs, in a coherent and verifiable manner, how ESCC handled, communicated, and later withdrew material relating to the case ESCC v. Riccardo Gresta concerning the Eastbourne Blue Badge matter. Each page examines a specific dimension of this trajectory: from the ESCC Timeline 2022–2026 to the analysis set out in How ESCC Shaped an Incomplete Narrative, through the examination of Why “Open Court” Does Not Justify Everything and the issues highlighted in GDPR Failures and Incomplete Removal.
Further sections explore the cross‑border implications discussed in Cross‑Border Issues and Public Prosecution, the institutional inconsistencies outlined in ESCC Responses: Gaps and Contradictions, and the evidence emerging from The Carer’s Emails: What ESCC and the Court Knew. The pages on Procedural Duties Ignored by ESCC and Procedural Failures by the Magistrates’ Court show how key obligations were overlooked, while The CCRC Justification: A Discarded Pretext and Late Removal as Implicit Admission illustrate the shifting explanations and delayed corrective actions.
The documentation also addresses why Why the 2022 Publication Was Unlawful from Day One, provides a structured synthesis in Executive Overview and Key Issues, examines broader patterns in Targeting, Deterrence, and the “Sacrificial Case” Pattern, and clarifies technical aspects in Duration of Publication and Technical Analysis of ESCC’s Removal Errors. Taken together, these elements form a unified and evidence‑based account of how the original narrative was created, disseminated, and ultimately challenged.
Procedural Closure – Status Recorded
This notification was formally issued to all relevant entities, who were offered the opportunity to provide clarifications or counter‑documentation. As of the present date 21 February 2026, no objections, corrections, or alternative factual reconstructions have been submitted. The notification phase is therefore considered procedurally closed. A right of reply remains available, but any late submissions will not alter the factual framework established during the notification period.
The Record Speaks
