Case Study Of The VARS Technology Drive Off Scam
"When you have eliminated all which is impossible, then whatever remains, however improbable, must be the truth." (Arthur Conan Doyle)
•VARS Technology: The Company•
VARS Technology Ltd are a company registered in England and Wales with a listed address of Unit 1 & 2 Calder Court, Amy Johnson Way, Blackpool FY4 2RH. In addition to car park management, they claim to offer the world's most advanced service station forecourt protection. Briefly, their system works via their automatic number plate recognition (ANPR) technology which activates when a vehicle enters a service station forecourt. If a driver pumps fuel and then drives off without paying (a 'drive off event', also known as 'bilking') their ANPR system sends data automatically to VARS Technology. VARS Technology then apply to the UK Driver, Vehicle and Licensing Authority (DVLA) for the name and address of the registered keeper of the vehicle and pursue for the cost of the stolen fuel, to which they add their 'administration charges'.
•Media Reports Of VARS Technology Drive Off Scams•
When VARS Technology identify a bona fide drive off event it is legally appropriate for them to approach, on behalf of the forecourt, the correctly identified individual who is directly responsible for the fuel theft and request payment from them. They can apply to the civil court system for a judgment if they do not pay. This article is not concerned with such legitimate cases. Rather, it discusses the numerous and increasing reports in which VARS Technology appears to contrive fictitious drive off scenarios in order to chase payments from innocent parties. These scenarios have become a disturbingly common feature in internet search results, especially so on legal advice forums, anti-scam websites, motoring websites, company review websites, and several social media. Youtube channels which 'audit' the behaviour of companies have also come to the conclusion that VARS Technology have an unethical side to their business. There are especially numerous and growing reports on Trustpilot. Mainstream media are now starting to take notice. For example, on 20 December 2025 the 'Guardian' newspaper published an article authored by journalist Taro Kaneko, in which he outlines two cases of the VARS Technology drive off scam (though he diplomatically refrains from using that term). From all of these sources, the systematic use of three principal kinds of fictional scenario can be identified (bold added):
First, where the victim's vehicle was present at the location and time of the alleged drive off event, and the driver paid for fuel (the most common variant of the scam):
"They accused me of a drive off. However, I didn't drive off. I had paid on the day via a fuel card which meant I gave the cashier my Car Registration and had proof via the Fuel Card Statement. VARS took so long in responding, that the charge levied had increased."
".......received a letter from VARS Technology claiming I drove out of the .......petrol station without paying.......Checking my statements I see I did get petrol there that day and I have proof I paid for it. The photo they offered as evidence didn't show date/time or even my car at the pump."
"I have been issued a Drive Off Notice by VARS for fuel I bought and have a till receipt for, complete with time, date, reg no. which I sent a copy of.......they just ignore my letters and till receipt and send me an increased bill as I haven't paid in the 'specified time' they are now threatening bailiffs and court action."
"This has happened to my husband also. He was accused of leaving a forecourt not paying £15.28 in fuel. We have a receipt etc that proves he actually bought fuel to the price of £20 and paid it off."
Second, where the victim's vehicle was present at the location and time of the alleged drive off event but the driver did not actually dispense any fuel:
"Here is one example of how the "scam" works. Your vehicle drives into a petrol station with a food outlet attached, you buy some food, but do not use the fuel pump and drive off. Having captured your registration on APNR.......a claim is lodged.......for an amount owing by you, as you failed to pay for fuel."
"I was shocked to be told that I had supposedly driven off without paying £7 for petrol. That never happened. In fact, I had been in the shop the night before buying nappies for my baby. After reviewing their records, the staff admitted it was an error on their part. I thought that was the end of it. Months later, I received a letter from Vars Technology demanding £127 for this "unpaid" £7 - something the petrol station had already admitted was their mistake."
"Vars Technology have accused me of driving off without paying for my petrol! This is utterly ridiculous and a SCAM!.......I have now had 2 Debt collectors letters asking for £160 and several calls from them......yes I did drive into the.......PETROL FORECOURT but as it was busy I drove out again, I did not get any petrol at this garage as I was short on time."
Third, where neither the victim, nor the victim's car, was present at the location and time of the alleged theft (possibly the most egregious variant of the scam and the same scenario described in the upcoming case study):
"If there was a picture of me actually in the petrol station or car at said petrol station maybe I'd understand a little but from the picture the car was pulled up on the side of the road somewhere so how that equates to me "stealing" £8.04 is ridiculous."
"They sent us a notice for non payment for a vehicle we don't own and never have.......We were nowhere near the motorway on the day in question and do not know anyone by the name that was given."
"They have falsefully accused my husband of buying fuel from a Fuel station at Nuneaton and not pay, sent him a bill of £77.19 and threatened to increase to £137.19 in 14 days. They have pictured a car different from our car…….also showed a photo of a different person."
Unsurprisingly, approximately 98% of VARS Technology's Trustpilot ratings are 1 star and The Fraud Codex organisation gave VARS Technology the following risk score:
•VARS Technology's Scam Modus Operandi •
Financial scammers typically employ well-developed scripts and it has become possible to ascertain to a high degree of accuracy whether someone is scamming simply by identifying specific behavioural characteristics. Some notable scammer red flags include:
- An initial unsolicited letter, email or text from an unfamiliar source alleging the recipient has done something embarrassing or illicit and/or have a debt that they previously knew nothing about.
- No believable evidence of the alleged debt is ever provided by the scammer.
- A clear data mismatch exists between information provided by the scammer and information held by the victim and this mismatch is readily apparent to any objective third party.
- The scammer presents themselves as having legal authority when they do not, often using an exaggerated, quasi-legal style of language.
- The scammer deliberately exaggerates and is otherwise misleading as to the nature and certainty of potential legal consequences.
- The scammer sets arbitrary time limits which are noticeably shorter than usual in legitimate business practice, imminent deadlines to which their victim must comply in order for the scam to cease.
- Threats of escalation are made if the victim attempts to question the validity of the scammer's claims or does not comply immediately.
- No independent, viable and objective appeals mechanism is offered to the victim.
- The ability for the victim to communicate with the scammer is made difficult by design. Often they provide no customer facing phone number. Contact is usually expected to ensue via emails or texts most of which are either ignored or replied to several days later.
- The scammer routinely fails to respond directly and appropriately to valid points raised in correspondence, offering little in the way of any proper dialogue, relying heavily and persistently on simplistic, formulaic, repetitive set scripts.
- There is an insistence that the victim provide the scammer with personal information, despite having no legal authority to make such demands.
- The scammer ignores data protection legislation, even claiming that it doesn't apply to them.
- Written communication from the scammer includes grammatical errors, including poorly constructed sentences. They are often ambiguous in meaning, and sometimes even gibberish.
- When media reports of their unethical behaviour emerge and they are offered an opportunity to reply, the scammer either ignores this or, if they do reply, do not directly address specific issues, offering only vague, boilerplate replies.
The presence of a few of these red flags are not in themselves evidence of a scam; some businesses are simply poorly managed or have minimal regard for customer relations. However, when all, or a majority of these red flags are present, it is reasonable and prudent to infer that the perpetrator is deliberately sailing legally close to the wind and/or is operating a scam, even alongside any legitimate business activity. Victims and other interested parties of VARS Technology's drive off scam regularly report the majority of these red flags. Indeed, in the case study discussed here, VARS Technology were observed to exhibit behaviours meeting 13 of the 14 red flags.
In the academic research literature the constellation of tactics described above is labelled 'FUD' (fear, uncertainty, doubt). FUD is a form of manipulation designed to provoke victims toward minimising logical trains of thought, thereby provoking impulsive reactions that pressure people into acting against their best interests and to disregard their rights enshrined in law. Obviously, these tactics are blunt and unsophisticated and definitely don't work in all cases. Some people are too generally astute (or legally aware) to acquiesce and scams work best when victims are inclined to blindly obey the scammer's demands. All scams are a numbers game. The scammer doesn't expect to win them all. However, if enough innocent victims prove fearful enough to accede to their monetary demands, often simply to get rid of the situation they have been put in, it makes it worth the scammers time. As is evidenced by these victims of VARS Technology (bold added):
"Despite having a valid receipt for fuel VARS refused to accept the full amount had been paid…….Have paid it because of the distress this has caused by threatening to double costs if not paid within 14 days."
"I am paying just to get them off my back even though I know what they are accusing me of is not true. They say I drove off without paying for petrol when I actually bought groceries. They have provided no proof or CCTV images."
Bear in mind that scams and fraud are significantly under-reported crimes. The charity Victim Support, in a written submission (125742; October 2023) to the UK Parliamentary Committee, 'Financial Reporting and Audit', estimate that only 1 in 7 victims in the UK let someone else know they have been scammed. Victims do not publicly report being subject to a scam due to the embarrassment and perceived futility they feel after paying the scammer. It is almost certainly the case that quantifying reports from various public media alone yields a serious underestimate.
•VARS Technology's Faux Legal Powers•
The most important (and cost effective) component of VARS Technology's drive off scam is the demand letter. When most successful, victims (such as those quoted above) are fearful enough to pay promptly, and sometimes do so before they even realise they are being scammed. In these demand letters VARS Technology present themselves as an entity with legal powers to which the intended victim of their scam has legal obligations. Although they do not use the term 'fine' (and are legally not allowed to do so) many victims of VARS Technology's drive off scams do perceive, and indeed commonly refer, to their demand letters as notifying them of a 'fine' being levied upon them. VARS Technology do nothing to dispel this myth. Ideally, of course, scam victims would be aware of their legal situation and rights, including that VARS Technology have no legal powers whatsoever, even though they often use mealy-mouthed terms like "legally owed debt". They also employ quasi-legal authoritarian language, as in "you will be liable." This is, of course, legal nonsense. VARS Technology do not get to decide liability. This is decided if, and only if, their legal arguments and accompanying sound evidence has been deemed honest and robust enough according to legal judgment in a civil court.
VARS Technology's legitimate drive off debt enforcement activity is underpinned by contract law. Formation of a contract cannot be forced. For a contract to be legally enforceable it must be possible for both parties to reject the terms of the contract prior to entering into the contract. The contract must also be undertaken with 'knowing consent'; i.e., both parties must have the cognitive capacity to enter into a contractual agreement voluntarily, and both parties must have acted with a 'good faith'. In the case of a bona-fide drive off event the driver must, before commencing the transfer of fuel, have had the opportunity to view suitably sized warning notices regarding their imminent duty of payment and the possible consequences for not doing so. These must be clearly visible, either on or located very near to the fuel pump and not, for example, well above eye height or only found inside the forecourt's shop. So, the moment fuel is pumped, the assumption is that an 'implied contract' between driver and forecourt owner has been agreed and is now in place.
VARS Technology's drive off scams, on the other hand, appears to be underpinned by abusing contract law, i.e., by denying that a contract has been fulfilled (in those cases where full payment has actually been made) or misrepresenting the existence of a contract where one had not been formed or could not possibly exist, i.e., fictional scenarios. It is legally well established that a person who is not party to a contract can neither sue nor be sued (the 'doctrine of privity'). In such cases, therefore, VARS Technology's claims that a scam victim is subject to an 'implied contract' is wholly contrary to both the doctrine of privity as well as the legislated requirement of 'good faith'. It is a legally fictitious claim if VARS Technology know that the person they are alleging to have stolen fuel could never have entered into such a contract by, for example, parking their car alongside a fuel pump, but in fact pumped no fuel (for whatever reason, including not agreeing to the contractual terms displayed after perusing them). Or, most obviously, as with the allegation made in the forthcoming case study, the alleged thief was never present at the forecourt at the location and time of an alleged drive off event. Furthermore, a valid contract always requires an exchange of some kind. So, for VARS Technology to expect their victim to be liable for the cost of fuel (and their 'administration fees'), the victim has every right to be provided with actual evidence that they had, in actuality, personally received fuel to that value.
If a claimed debt cannot be evidenced it cannot be enforced. When VARS Technology send demand letters to victims of their drive off scams they are sending what is often referred to as a 'speculative invoice'. These are no more than a demand for payment for a claimed, but as yet wholly unevidenced breach of contract, accompanied by a threat of court proceedings for noncompliance. It is, in effect, a specific variant of the well-known 'fake invoice scam' in which a scammer sends an invoice to someone demanding payment for goods or services that have neither been ordered nor received. It is technically fraud to knowingly issue a legally invalid and/or unenforcable invoice, and speculative invoices are widely recognised as being employed by individuals and organisations in cases where they have little in the way of an arguable legal case. They are often sent out en masse, their primary purpose being to scare or otherwise manipulate a portion of people into paying for something for which they are not liable. Importantly, the mere issuing of a speculative invoice can never be considered to constitute acceptance of a contract by the person to whom it is addressed and so, in instances of their drive off scam, VARS Technology's speculative invoices remain legally worthless until legitimised by a court.
When VARS Technology threaten noncompliant scam victims by "escalating further" they are referring initially to getting a debt collection company to continue acting on their behalf. These companies send more demand letters threatening legal ramifications, possibly even paying the victim a home visit, all the while adding their own 'administration fees' to the so-called 'debt'. However, as with VARS Technology, debt collection companies are also 'legal nobodies', being neither police, court officers, nor court-appointed bailiffs. They cannot enter any property without permission, they cannot remove items from a property, and they cannot force any payment to be made. The best they can (legally) do is simply request that an alleged 'debtor' settle any alleged 'debt'. Victims of VARS Technology's drive off scams can quite legally ignore them, at least until they attempt to issue court proceedings. Unless a court has made judgment against the scam victim and the 'debt' has not been paid within the allotted time, none of VARS Technology's 'debt' collection representatives is able to act, or legally present themselves as bailiffs acting to collect a legally owed debt, and this is the case even when the word 'bailiff' is in their company's name. And be aware that VARS Technology's debt collection partners do have the word 'bailiff' in their company name. Direct Collection Bailiffs Ltd. (DCBL) have quite a reputation in legal circles for painting themselves as bailiffs when legally acting as mere debt collectors. If they receive no joy, their sister company, DCB Legal, can act under instruction from VARS to commence court proceedings and represent them in the court. This is done often on the flimsiest of evidence, only for them to discontinue at the last minute if a defendant robustly stands their ground. One solicitor, in a written submission (WCC0080; 17th April 2024) to the UK Parliamentary Committee, 'Work of the County Court (Inquiry)' had this to say of them:
"Most of my own cases have involved claims brought by solicitors DCB Legal.......In DCB Legal's case there is overwhelming evidence that the firm has no intention of allowing claims to be decided on their merits by a judge. If they are unable to obtain a default judgment, they will badger the hapless consumer (by telephone and in writing) into paying up. If that fails because the consumer puts up a robust defence, gathers evidence, prepares a detailed witness statement etc, DCB Legal invariably abandons the claim before the hearing, having wasted the time of the Court and the consumer, and having caused the consumer enormous distress........DCB Legal's propensity to discontinue claims rather than expose them to judicial scrutiny is so notorious."
VARS Technology's drive off scam is not based on legitimate legal practice in which the mainstay is acting in good faith and if necessary, presenting sound evidence and logical argument to a court. It is built entirely on a threat model. It relies firstly on scaring the most vulnerable victims into paying up early to avoid being taken to court, and secondarily on 'robo-litigation', flooding the court system with copious dubious 'cases' in order to obtain default judgments against victims that might ignore the notice of court action, and so the 'case' is not defended. As the above submission states, any dubious 'cases' that are consistently and vigorously defended are invariably closed down before the court sits. VARS Technology cannot afford to let any and all cases proceed to court. If they allowed all noncompliant 'cases' to be heard in court it would inevitably open their unethical practices to judicial, political and wider public scrutiny. VARS Technology incur less overheads and so maximise profits by making repetitive demands accompanied by the bluff and bluster of threatened legal action than they could ever hope to do via actual litigation.
•Background To The Case Study •
Consider the photograph below, supplied by VARS Technology as 'evidence'. If a mental health professional such as a clinical psychologist or psychiatrist showed this same image to a patient and asked them to describe what they see the patient might reasonably report "I see a young, tall male in a service station, pumping fuel into a green-blue car whose registration plate is E******." If, on the other hand, the patient had replied "I see a short elderly woman in a service station pumping fuel into a very dark grey car whose registration plate is F******" the clinician would undoubtedly suspect the patient was either playing a joke or suffering from some perceptual and/or cognitive deficit. If, after being repeatedly challenged, the patient persevered with the claim that this image was definitely an elderly woman with a very dark grey car with vehicle registration F****** psychopathology would quite reasonably be inferred.
For example, viewing an image of a tall young adult male and perceiving him to be a much shorter elderly female would easily qualify as a criterion for diagnosis of a delusional misidentification syndrome per Diagnostic and Statistical Manual of Mental Disorders 5, most likely symptomatic of someone suffering from a psychotic state, caused by e.g., schizophrenia or dementia. Similarly, accurate discrimination of simple line patterns, such as are displayed on vehicle registration marks, are routinely used to measure non-verbal intelligence in children as young as five years old, e.g., in Raven's Progressive Matrices. So, if asked why they were insisting the first digit of the registration mark was an F, the patient had countered with "whilst I appreciate that the vehicle is showing the character 'E' I am aware this has been tampered with and has been identified as the vehicle F******", diagnoses of psychosis and/or cognitive deficit would surely be strengthened.
It is highly doubtful that anyone at VARS Technology is demonstrably psychotic or has a pronounced cognitive deficit. Nevertheless, the example above is neither hyperbole nor even loosely analogous to what VARS Technology repeatedly inferred and assumed to be the case in the present case study. No, difficult as it may seem it is exactly how VARS Technology appeared to be assuming their legitimacy in order to non-legally prosecute their 'case'. The parallels between assertions made by a psychologically challenged patient and assertions made by employees of VARS Technology were glaringly obvious throughout this case study. This is not entirely surprising, however. It is common for scammers to make seemingly absurd and illogical claims, and even to persevere with absurdities to the point of obvious irrationality, seemingly befitting of their having mental health issues. In the early days of the internet, for example, scammers didn't really believe they were Nigerian Princes with money transfer issues and neither did they expect the majority of people they emailed for help to believe it either. Neither do the scammers in more recent cases actually believe they are officers of 'His Majesty's Supreme Court of London', in order to have their victims pay imaginary fines by sending them gift cards. Similarly, no one at VARS Technology really believes that elderly women are disguising themselves as young men in order to steal fuel. One particularly absurdist example of the VARS Technology drive off scam is the following report from Facebook:
"I drive an electric vehicle so impossible to take petrol. They claimed it was for £35 and also was now charging an administration fee as well so actually wanted £65. I sent them a copy of the V5 logbook to prove I drive an EV. Clearly they have some issues with this system and its definitely not foolproof."
Not foolproof indeed. Scammers commonly concoct these absurdities in order to quickly filter out the more astute or suspicious victims, leaving them to immediately benefit from the more profitable victims; scared, gullible and/or vulnerable people who are more likely to acquiesce to their demands.
According to VARS Technology (and notably only VARS Technology, this was never verified by anyone else, including anyone at the forecourt or their legal representative), on 11 September 2024 at 16.07 hours the Audi A3 pictured above entered the forecourt at ESSO Braywick service station, located at 11 Windsor Road, Maidenhead, England SL6 1UZ. The service station's parent company is Asda Express Ltd. The driver is alleged by VARS Technology (and only VARS Technology) to have dispensed fuel and then driven off without paying. As became known later, the above image was the only piece of 'evidence' VARS Technology ever possessed for this alleged drive off event. What they created from that single image wasn't delusional, but was a wholly fictional scenario with which they threatened and attempted to extort money from a person they could not possibly fail to know was innocent.
According to DVLA records, the registration mark E****** corresponds to a red Ford Ka, a completely different make, model, and colour of vehicle. The vehicle VARS Technology claimed the alleged thief to be driving was, quite obviously, displaying cloned or altered plates. Thus, the sole evidence of illegality demonstrated by this image was the fraudulent use of a registration mark, per s.44 of the Vehicle Excise and Registration Act 1994. ESSO Braywick are equipped with CCTV cameras. The Data Protection Act 2018 states that CCTV footage should only be kept for as long as is necessary for the purpose it was collected. Obviously, assuming VARS Technology's fuel theft claim was true, the forecourt's complete CCTV footage of the visit of this vehicle and the actions of the driver would have provided crucial evidence for the purpose of criminal prosecution or civil litigation, so the forecourt had a legitimate reason to preserve the footage. However, on 11 October 2024 ESSO Braywick permanently deleted all CCTV footage of this alleged drive event. The clear implication, therefore, is that the forecourt (or their parent company) had no further interest in legally pursuing this drive off event, most likely because the chances of identifying the alleged culprit were slim to none given the poor quality of the image and the cloned/altered registration plate.
What follows is a detailed description and analysis of this specific example of a VARS Technology's drive off 'case'. The 'case' played out over two months, October to December 2024, involving a dialogue across 20+ emails involving three different VARS Technology employees, as well as additional correspondence from the legal representative of the service station. It is an evidence led, accurate depiction of events, accompanied by sound deductive inferences based on VARS Technology's own statements and responses. There is no embellishment of facts. Nothing is based on hearsay or secondhand reports. All quotes are verbatim, in context, sometimes truncated for clarity but never 'mined'. The author was actively involved, in the background, with all communications between the scam victim and VARS Technology and the legal representative of the forecourt. All correspondence has been employed here with the express permission of the scam victim and is safely archived. In most cases the laws quoted pertain UK-wide, particularly the data protection legislation. Some others are directly applicable only to England and Wales.
•VARS Technology Initiate Their Drive Off Scam•
The author's interest (and first knowledge) in VARS Technology originated when a letter dated 30 October 2024 was sent to someone they know well (hereafter referred to as SV, for 'scam victim'). It referenced the alleged drive off event at ESSO Braywick on 11 September 2024. The letter was directly and personally accusatory (bold added):
"You obtained 40.16 litres of fuel worth £58.91 and did not pay for it!"
The letter demanded payment of £88.91, being the alleged cost of the stolen fuel plus VARS Technology's £30 'administration charge' and went on:
"You must pay the above sum within fourteen days of this notice…….In the event of non-payment…….you will be liable [for £118.91]"…….Failure to pay this may lead to court proceedings being raised against you for which you will also be liable for any additional costs."
A number of features in the demand letter immediately stood out to everyone who was shown it as strongly indicative of a scam. First, and most obviously, the image provided by VARS Technology depicts a tall male (approx. 1.8m+), likely aged 20s, maybe early 30s, dispensing fuel. SV is female, much shorter (approx 1.55m), and aged in her late 60s, with a traditional female first name. VARS Technology were under no illusion that this person and SV are not identical. Despite this, VARS Technology's wording was to the effect that SV alone, as the sole recipient of their letter, was the actual thief and so legally liable, viz. "you obtained.......and did not pay for it" and "you must pay."
Second, VARS Technology market themselves as a company developing and utilising high-tech cameras and optics yet this letter included only a low-resolution image containing a high degree of chromatic distortion along with much digital noise. The colour of the vehicle is so unclear it does not seem to feature in any factory available option for Audi cars of that age. There is also noticeable perceptual distortion, especially along the x-axis. When selling their services to potential clients it is highly doubtful that a high-tech company like VARS Technology would present themselves with image quality as poor as this. The image provided looks like it was captured on a toy camera with a plastic lens and a fixed focus and aperture. A budget DSLR camera with a consumer grade lens would undoubtedly have produced a far higher resolution and clearer image. Yet nowhere in the letter was it stated that any more robust visual evidence was available. No matter, an enlargement is provided here; despite the ridiculously low-tech image quality, the first letter of the registration mark is unambiguously an 'E'.
Outputting and/or distributing such poor quality images theoretically acts to give VARS Technology some semi-plausible deniability should they be accused of unlawfully collecting personal data. It would certainly be more difficult to mount a viable defence if their technology was reliably outputting evidence with high image quality.
SV's vehicle registration mark was F****** (she no longer owns the car) and her front plate had a prominent distinguishing feature to the side, built into it's construction (a flag of one of the constituent countries of the UK). Furthermore, SV's car was a noticeably darker colour than the one in the image, appearing close to black, while the car depicted here appears to have a much lighter blue-green hue. Despite these discrepancies, SV's registration mark F****** was the only one quoted in the letter. The actual, visible registration mark, E******, received no mention. SV immediately reported the drive off allegation and the cloned/altered plate in their image to both Thames Valley police (where ESSO Braywick are located) and her local police force and, on two occasions, she provided VARS Technology with both crime reference numbers issued. VARS Technology did not acknowledge these at all.
Third, the general style of language and grammar used was unsophisticated, i.e., it was a mishmash of imperative and declarative phrases e.g., "you must pay", informal language styles, e.g., "and did not pay for it!" (note the silly social media style exclamation mark!) and they even included at least one grammatically incorrect sentence, which is a very strong characteristic of scammers (bold added):
"In the process of recovering the money owed to the forecourt we several costs and the administration fee allows us to recover those costs."
How on earth does the administration fee allow VARS Technology to recover their costs? This is poorly worded. They appear to be using the world 'allow' in order to put across the notion that they are somehow 'permitted' in the legal sense, to charge an administration fee. If that was the case they should be quoting the legislation. There was another highly misleading quasi-legal statement, e.g., (bold added)
"Failure to pay this may lead to court proceedings being raised against you for which you will also be liable for any additional costs."
VARS Technology clearly want the recipient to assume their letter is legally authoritative yet, to anyone with a basic knowledge of law, this sentence misrepresents their legal position in a particularly amateurish way. It suggests that, should their 'case' proceed to court, SV will be liable for additional costs, seemingly regardless of the outcome of the case. This is untrue. The default position in courts dealing with small claims proceedings is that each party is responsible for its own costs and reimbursement of costs is entirely at the discretion of the judge depending on the strength of the claimant's case and the attitude and behaviour of both parties involved.
Fourth, nothing within the image provided is even vaguely suggestive that the person depicted was stealing or even intended to steal fuel. For an allegation of theft to hold any legal weight, either in a 'no reasonable doubt' criminal court or on the 'balance of probability' test used in a civil court, more evidence than this would be expected, ideally in the form of either a series of time-stamped still images, and/or coherent CCTV footage, demonstrating the driver's intention to steal, i.e., including both the event of obtaining the fuel and the subsequent drive off event following no attempt to make payment. This image alone would be laughably inadequate as evidence. Further, on the demand letters issued by VARS Technology for parking infringements they clearly state "these images are photographic evidence of the incident." Regardless of the truth of that statement on any specific occasion, it is interesting to note that no similar statement was included in this demand letter.
Fifth, unlike their parking demand letters, which quote legislation that the registered keeper may be liable for the actions of a driver, at no point in this demand letter did VARS Technology quote a specific piece of legislation or any other legal basis for claiming that the registered keeper of a vehicle can be deemed liable for theft of fuel by an unknown driver.
SV replied immediately to VARS Technology via email:
"I deny your claim that either myself or my car was involved in a theft of fuel. On 11/9/24 my car was several hundred miles away from that location and indeed has never been in that area since being in my ownership."
This was an understatement. On the date of the alleged theft SV's car was not only provably hundreds of miles away from ESSO Braywick, but her car was also not even in England. Indeed, in the nine years SV had owned the car, she cannot recall a single time it had ever been driven anywhere in England. She went on:
".......in the photograph you have provided, the first letter in the registration number is clearly an E and not an F as you claim. See two attached photographs, the first being the one provided by you and where the E is clearly visible, and the second an enlargement of that number plate.......This is sufficient evidence to demonstrate that you have identified the wrong vehicle.......I look forward to confirmation that the matter regarding myself is settled and I formally request that you delete any personally identifiable information about me."
VARS Technology's reply (discussed in more detail later) expressed doubt that the registration marks were in fact different, and outright ignored both the crime reference numbers and the perfectly legitimate request for deletion of her personal data. The situation was both menacing and absurd; Kafkaesque and Pythonesque. Assuming that no company could be this incompetent, it was hypothesised that VARS Technology likely had, in good faith, looked up the make and model of vehicle E****** in order to pursue payment and, finding another vehicle entirely, realised they had little hope of pursuing the driver for payment. However, not to be defeated, they had further searched through the publicly available DVLA records just in case a similar model of vehicle with a similar registration mark showed up. Finding vehicle F****** to be a close enough match, they initiated their scam by sending SV a demand letter in the hope she could be persuaded to pay. This hypothesis received considerable support during subsequent communications with VARS Technology.
Of course, SV could have simply ignored the demand letter. She was aware that VARS Technology were most likely not monumentally incompetent but chancers who had no possibility whatsoever of this farce being entertained by any court expecting litigants to be acting in good faith. No even semi-competent solicitor would present such a frivolous and/or vexatious 'case' to a judge. What possible logical and legal arguments could they possibly use to underpin their case? Nevertheless, SV was incensed that VARS Technology had the temerity to formally make the allegation that she was a thief and so liable to pay for someone else's fuel. So she was curious as to how far they would pursue their scam before inevitably giving in. Thus, the ensuing communication she had with them including a strong element of scambaiting. Surprisingly, VARS Technology seemed to concentrate so much on keeping to their scam script, that they never seemed to comprehend they were being scambaited and actually tried several strategies to extract payment before eventually conceding defeat. Even then, their stated reason for conceding defeat was also patently untruthful.
•VARS Technology's Deceptive Application to DVLA•
Having a data subject's consent gives data controllers and processors an automatic legal right to deal with their personal data. At no time, however, had SV given direct or implied consent for VARS Technology to collect or process her personal data. She had never formed any contract with either ESSO Braywick or VARS Technology and neither her car, nor herself, were visible in the image provided by VARS Technology. This raised the question as to the legal basis VARS Technology were relying on that allowed them to collect and process her personal data. They could only have been relying on the concept of 'legitimate interest'. However, 'legitimate interest' requires that the entity dealing with personal data be able articulate a legal case for their actions. Conducting a profit making enterprise can be considered a legitimate interest to process personal data but this reason alone does not allow violating a subject's privacy when acting without consent. Similarly VARS Technology could not rely on the legitimate interest of complying with a legal obligation, for none existed under contract law. Nor where they acting explicitly in the public interest. Whatever the articulatable reason they might have thought they had, it needed to conform to Article 6(1)(f) of UK GDPR 2018, i.e., that their legitimate interest was not overridden by:
".......the interests or fundamental rights and freedoms of the data subject."
Personal data refers to any information that can be used to identify a natural person. Under UK GDPR 2018 an image of a vehicle registration mark is not considered personal information per se but does become so when used, or is intended to be used, to identify a living person. A Data Subject Access Request (SAR) quickly submitted by SV to the DVLA revealed that VARS Technology had speedily applied for the personal details of the keeper of vehicle registration F****** on the very next day following the alleged theft of fuel. i.e., on 12 September 2024. VARS Technology can legally make these inquiries based on their own contract with the DVLA, which is governed by the legal framework 'Keeper of a Vehicle at the Date of an Event' (the 'KADOE Service'). However, they cannot do so on a whim, nor as a 'fishing' expedition in order to concoct a 'case'; they must provide the DVLA with a legitimate reason for doing so (they now receive the information electronically and automatically). As they stated on their demand letter:
".......we write to the DVLA requesting the name and address of the registered keeper on the event date. The DVLA will then consider our request, and only if it meets their strict eligibility will they return the requested details."
VARS Technology's notion of "strict eligibility" was disingenuous. If aware of the facts, it is highly doubtful the DVLA would have disclosed SV's personal data. By inquiring about the personal information of the keeper of the vehicle with the registration mark F****** VARS Technology were clearly in breach of Schedule B7.2 of KADOE, which states (bold added):
"The Customer [i.e., VARS Technology] shall ensure before relying on any item of Data that the Data provided matches the information in the request…….and shall not seek to recover payment where the Data provided does not match the vehicle information in the request."
It is a simple fact that the vehicle registration mark in the image provided by VARS Technology did not match the vehicle registration mark quoted by VARS Technology in their request for personal information. In addition to contravening the KADOE contract, the unlawful access to SV's data is potentially also a criminal offence under s.170 of the Data Protection Act 2018. Despite this, VARS Technology's 'reasonable cause', submitted to the DVLA was worded as follows:
"We are requesting the address of the registered keeper at the time of the event in order to reclaim lost monies for fuel dispensed and not paid for."
VARS Technology were truthful in disclosing their reason for making the application for personal information but they were certainly not truthful as to the data they provided to the DVLA when doing so. Initially, it appeared plausible that an employee at ESSO Braywick had, in good faith, misread the vehicle registration plate, either directly or on screen, or had read it correctly yet accidentally keyed in an 'F' instead of an 'E' when sending data to VARS Technology. Hanlon's Razor, i.e., 'never attribute to malice that which can be adequately explained by stupidity' being the relevant rule of thumb here. VARS Technology lent support to this possibility when they informed SV (bold added):
"the forecourt.......passed relevant data to us for us to pursue the unpaid fuel."
This statement was also untrue. ESSO Braywick's solicitor directly contradicted VARS Technology's account, when she informed SV that no one at ESSO Braywick played any part in either collection or reporting of the vehicle's registration mark (bold added):
"Each site uses automatic number plate recognition software to identify registration plates that enter our forecourts. This technology is owned by VARS and they manage any offences that occur in relation to a vehicle automatically.......We, therefore do not receive the information.......and there is no communication.......in relation to this incident with VARS."
Deliberately misrepresenting or refusing to disclose the proprietary nature of surveillance equipment runs counter to Art. 6 of UK GDPR (2018). Yet a number of other victims of the drive off scam have also been informed by various forecourt personnel that it was not the forecourt who had given VARS Technology data, as they had claimed, but VARS Technology's own equipment that transmits data from forecourt directly to VARS Technology.
In any case, if it took a mere minute for SV to differentiate the first digit on the vehicle using a low-tech magnifying glass hovering above the demand letter, how come VARS Technology's high-tech ANPR technology (conveniently, it seems) misread the plate? According to the police officer SV spoke with, such misreads are apparently very common and the 'Guardian' article mentioned above quotes an ex-employee of VARS Technology admitting:
"........the ANPR software is "terrible" and has been known to the company as an issue since 2023."
Nevertheless, regardless of the effectiveness or not of VARS Technology's ANPR technology, Art. 22 of UK GDPR 2018 states that decisions made solely by automatic decision making are prohibited if they might produce legal effects and, according to VARS Technology's own data use policy at the time, "demand actions initiated by a misread" should not occur (bold added):
"You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making."
In other words, at least one human being at VARS Technology should have (with, one would reasonably expect, normal or corrected to normal visual acuity) examined the registration plate visible in the image and have surely concluded (as would anyone else), that it was unambiguously E****** and not F******. Further, neither incompetence nor accident exonerate VARS Technology. UK GDPR 2018 also concerns itself with the unintentional collection or misuse of personal data. Even if VARS Technology had been genuinely mistaken and an accidental misreading of the vehicle registration mark had been made (by either machine or human), an unlawful breach of SV's personal data would have still been the case. The Information Commissioner's Office (ICO) guidelines define a personal data breach as follows (bold added):
"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."
Assuming a genuine mistake was made, upon realising the deceptive nature of their KADOE application (at the least when pointed out by SV in her initial response to the demand letter), VARS Technology had an obligation to report this breach to the ICO within 72 hours. They did not do so, a clear act of nonfeasance, i.e., failure to act where action is required by statute law. Because the unauthorised access to personal data could have caused the data subject a financial loss they were also required to notify SV that the breach had occurred. Ironically, the breach was in plain sight on their demand letter; albeit far from the manner prescribed by law.
A further important detail provided by the DVLA strongly suggests that the breach was not due to an honest mistake. One would reasonably expect a company director to exercise due diligence even when an employee may not. However, the DVLA request for the keeper details of F****** was signed, not by some incompetent or rogue employee, but by a VARS Technology company director. Unfortunately, DVLA redacted his name:
Note the wording in the declaration the company director had signed (bold added):
"I declare that the information given is correct to the best of my knowledge.......I am aware that it is an offence to unlawfully obtain personal data contrary to data protection legislation."
In addition to breaching KADOE and data protection legislation, this company director's actions would arguably come under the purview of s.2 of the Fraud Act 2006 which states:
"Fraud by false representation: A person is in breach of this section if he (a) dishonestly makes a false representation, and (b) intends, by making the false representation (i) to make a gain for himself or another, or (ii) to cause loss to another or to expose another to a risk of loss."
The evidence strongly suggests, then, that VARS Technology knowingly and intentionally made a false representation to the DVLA with the aim of making a financial gain.
•VARS Technology Attempt To Shift The Burden Of Proof•
If VARS Technology make an allegation that a person they have identified has stolen fuel from a service station forecourt then the onus is squarely on VARS Technology to be able to present tangible, believable evidence to that effect. Furthermore, they are obligated to do so in their own time and at their own expense. However, in their first response email to SV, VARS Technology pretended as if this was not the case:
"Thank you for contacting VARS Technology. As you have stated the number plate is different, please provide us with a clear image of your vehicle. We need this to be able to close the claim. Once you have provided this we will notify you of the outcome of the claim."
The irony of VARS Technology expecting SV to provide a clear image of her vehicle, after providing such a low quality image themselves, raised the first of many laughs. More seriously, however, VARS Technology had been given opportunity to acknowledge their 'error', report the matter to the ICO, contact (and apologise) to SV, and allow everyone to move on. Instead, VARS Technology chose to concoct and persevere with a wholly fictional drive off scenario. Because the deceptive DVLA request was made by a company director, it seemed reasonable, therefore, to assume that the decision to persevere with their scam had similarly been made by someone in a senior position in the company. Thus, any doubt that VARS Technology were conducting a scam evaporated at this point and the existence of this website is entirely due to VARS Technology's choice to act in a dishonourable manner.
Having unlawfully acquired SV's personal data from DVLA, VARS Technology were now expecting SV to voluntarily provide them with further personal data. This was never going to happen. There is a well-recognised legal freedom from a requirement to provide personal information unless this is done by informed consent or via a specific legal duty via statute law. VARS Technology had never requested informed consent and they certainly could not rely on any legal power. In any case, what possible purpose did VARS Technology have in mind by demanding an image of SV's registration plate, other than the vacuous "we need this to be able to close the claim"? They already knew (for certain) that it was not SV herself who had stolen fuel. They already knew (for certain) that the car in the image had an altered or cloned plate and they had been informed on two occasions by SV that she had reported both facts to two police forces, having provided VARS Technology with the two crime reference numbers. As SV replied:
"You have breached data protection legislation by requesting from DVLA details of the keeper using a car registration number unconnected to your 'case'. I find it incomprehensible that you request further personally identifying information from me in the form of a "clear image of your vehicle".…….let me make it perfectly clear that my refusal to provide you with an image of my registration plate or any images of my car in no way implies guilt. Firstly, I reasonably take offence at your attempt to extort money by menace. Secondly, you have no legal authority to demand images of my car. I am however happy to provide any necessary images to duly authorised officers representing the Police or a Court. You are neither. Thirdly, given VARS' arrogant and cavalier approach to data protection protocols I am reluctant to provide any further personally identifying information due to the risk that you would misuse or tamper with it."
What VARS Technology were attempting was to intimidate by disingenuously shifting the legal burden of proof from themselves. The stance was based entirely on an 'argumentum ad ignorantiam', otherwise known as an 'argument from ignorance'. This is a logical and legal fallacy describing the circumstance when an assertion or allegation is treated by someone as being true, not because there is evidence in support, but rather because of a perceived lack of evidence to the contrary. It is never the job of a defendant to disprove an unproven claim. In cases of alleged debt the evidential burden of proof always falls entirely on the claimant. This is trite law, well-established, widely-recognised, considered to be elementary. Furthermore, in civil law the claimant must prove, on the balance of probability, all of the essential facts they present to the court. This would include the accurate identity of both the driver and the car. VARS Technology would surely be aware of all this. Yet, in a further email, they again tried to shift the burden of proof, this time with an added threat (bold added):
"As you made the suggestion the image in the drive off claim is not your vehicle we need you to evidence this in order for us to process your claim and come to a decision. Failure to provide such evidence may result in the claim escalating further."
Notice how, in addition to their 'argument from ignorance' VARS Technology deflect from the plain and obvious fact that that the registration plates are different, viz., "as you made the suggestion"? And their authoritarian pseudo-legal tone, "we need you to evidence this….." SV was not in the slightest intimidated by any threat of 'escalation'. VARS Technology's failings in evidence were of the 'elephant in the room' type and not simply 'de minimus' errors (i.e., errors that are of little consequence to the general nature of the claim). Her reply:
"I wasn't merely suggesting the image in the drive off claim wasn't my vehicle; I was categorically denying it…….Indeed, it is yourselves that have presented clear evidence that it is NOT my vehicle filling up at the petrol station…….If you doubt this, it is solely YOUR responsibility to produce evidence to the contrary."
At no point did VARS Technology ever attempt to explain why they thought the burden of proof should be reversed. They must have been aware that their expectations were based on fallacy.
•VARS Technology's Pretence Of Keeper Liability•
S.3 of the Theft Act 1978 provides that, for the crime of fuel theft from a forecourt to be realised, a defendant must have possessed mens rea, i.e., that they had the knowing intention of stealing fuel. Partly because of this, most police forces in the UK (and elsewhere) no longer actively pursue one-off cases of fuel theft from service stations, not necessarily because of limited capacity but because many of these cases genuinely involve absent-minded or confused individuals and/or human and technological failings at the till. Indeed, one police force states on their drive off report form:
"This form MUST NOT BE USED to report fail to pay for fuel incidents where: The driver or any passenger within the vehicle enters the shop, or if there has been any attempt to pay for fuel or goods, or property has been left as security for payment."
Reports indicate that VARS Technology automatically include all of these scenarios as equally indicative of theft. But someone cannot steal, in the legal sense, by mistake or accident. VARS Technology must be aware of this; they reference the very same Act and Section on the notices they display on their client service station forecourts. However, referencing the Theft Act 1978 is hypocrisy on their part, as it would undoubtedly adversely affect their business model if they advanced down a criminal law route. It certainly seems an attempt, however, to convince the general public that they are somehow acting under the lawful authority of that particular legislation. They are not. The Theft Act 1978 is concerned solely with criminality, not contract law. The only party which suffers a loss in drive off events is the forecourt, and any profit VARS Technology might potentially make results from them capitalising on that initial loss. Indeed, given their business model, it is obviously to VARS Technology's benefit that drive off events occur, and, arguably, it is also in their interest to make it appear as if criminal drive off events are more common than they actually are by pretending that outright criminality and alleged violations of implied contract are legally and morally equivalent, even when errors are caused by forecourt staff, banks and/or technology. Interestingly, VARS Technology previously quoted S.3 of the Theft Act 1978 on their demand letters sent following an alleged drive off event. They no longer do so. It is reasonable to assume that this would bring to the attention of some respondents that, as they were not culpable under criminal law ("and with intent to avoid payment") they would be better placed to contest an allegation of fuel theft made under contractual law. In other words, dropping this wording could only act to empower VARS Technology to widen the scope of their legally dubious 'cases'.
A contract can be formed either (i) verbally, (ii) in writing or (iii) by behaviour (in the present 'case', for example, by dispensing fuel). Thus in the present 'case', a contract may have been formed. However, even granting that a bona fide drive off event was the case, any contractual relationship regarding theft of fuel could only have been formed between ESSO Braywick/VARS Technology and the actual driver of the vehicle. This fact is crucial to VARS Technology's ability to pursue legal action in drive off events. SV was in no position to fulfill any of the three criteria listed above because she, according to the very evidence presented by VARS Technology, was not present at that time and location, did not dispense fuel, and was not the registered keeper of the vehicle involved. The question of whether or not a debt arises is ultimately assessed in court on the basis of probability. However, the identity of a debtor cannot be decided on the basis of probability. In legal proceedings, the claimant must be able to prove that the person they allege to have caused a loss and so liable for the debt is correctly identified and not simply a 'probable' or 'likely' candidate. This has been a cornerstone of civil law for well over a century (see e.g., Dunlop Pneumatic Tyre Co. vs. New Garage & Motor Co. Ltd, 1915). Even older, but still very current law, neither a person's disinterest, lack of communication nor 'silence' can be used as evidence in any claim that a contract was formed (per Felthouse vs. Bindley, 1862).
Furthermore, in the absence of an accurate identification of the driver, the registered keeper of the vehicle allegedly involved cannot be presumed or inferred to be identical to the actual thief. So, even if the vehicle pictured had been SV's car, an allegation of either theft or breach of contract would not have automatically extended to her, as the registered keeper of the vehicle. Even if it is possible but unclear whether the registered keeper is the driver, liability does not extend, as a recent ruling (VCS v. Edward, 2023) by Judge Mark Gagan affirmed:
"It is consistent with the appropriate probability analysis whereby simply because somebody is a registered keeper, it does not mean on balance of probability they were driving on this occasion, because one simply cannot tell…...it is not appropriate to draw an inference to that, on balance of probability, the registered keeper was driving on any given occasion."
There is no general legal principle for vicarious keeper liability; only cases specifically prescribed by statute obtain, and these are very few. If VARS Technology thought they had an automatic or even a qualified legal right to transfer liability from an unknown driver to the registered keeper of the vehicle in drive off events they would certainly be quoting the legal basis for this in their drive off demand letters. They do not, simply because no such legal right exists. Even if this had been SV's car in their image, VARS Technology would have no legal authority to require that SV identify the person dispensing fuel. The obligation under s.172 of the Road Traffic Act 1988, which requires a registered keeper to disclose the identity of a driver at a particular time is available only to a police investigation (under specific conditions) and the forecourt (or their parent company) had chosen to put their trust elsewhere.
However, in their demand letter sent to SV, VARS Technology do appear to assume that the driver of a vehicle will be known to the registered keeper:
"If you were not the driver at the time of the event, please contact our enquiries team with the name and serviceable address of the driver."
Despite this, it also appears to be the case that, even if informed of the driver's identity, there is no guarantee that VARS Technology will bother to act on information they receive. On the contrary, they appear to routinely misrepresent the legal situation to victims of their drive off scams. This example is from Trustpilot:
"…….he explained he wasn't the driver…….He has disclosed who the driver is and yet they still say he needs to pay as he was the registered keeper but he does not own or drive the van…….it's unfair because he didn't steal the fuel, he didn't decide to fill the van up and then drive away without paying for it!"
In the present 'case', however, it was indisputable that SV was not the driver. Therefore, unless VARS Technology was able to demonstrate that the unidentified male driver in the image was explicitly acting as an agent for SV for the express purpose of the theft of fuel, or that SV had aided and abetted the theft in some other way, no criminal or contractual claim was possible against her. Therefore, for VARS Technology's legal representatives to issue court proceedings they would be required to accurately identify the actual male person depicted in the image. They would also have needed to locate his physical address to which court documents could be correctly served. Although VARS Technology erroneously maintained throughout their correspondence that SV was somehow the registered keeper of the vehicle depicted in the image, notably, they never employed the most obvious route available to them and simply kindly requested that SV identify the driver. This omission suggests strongly that they were always aware that this was not SV's vehicle and so asking her to identify the driver would be a pointless exercise.
On two occasions SV broached the impossibility of her liability, on the basis that VARS Technology were thoroughly unable to demonstrate that any contract had been established between herself and ESSO Braywick/VARS Technology, e.g.,:
"You have failed to demonstrate that a contract has been established between the keeper of the vehicle registered F****** and the forecourt owners or VARS Technology. In the absence of an established contract there can be no breach of contract by conduct and therefore no legal basis to collect personally identifiable data either through myself or a third party. It would appear that you are inferring that a contract has been established solely and merely on the basis of some similarity between number plates!"
At no point in their communications did VARS Technology make any attempt whatsoever to offer evidence that a contract had been established. They just assumed it all along, again standing on their 'argument from ignorance'. It seems reasonable, therefore, to presume that they were always aware that no such contract had ever existed.
•VARS Technology's Further False Allegation•
With VARS Technology's drive off scam clearly going nowhere fast, they now tried a different approach. This involved a further false allegation, albeit one that forced them to openly acknowledge the discrepancy in registration plates, while still appearing to be acting irrationally (bold added):
"Due to the nature of our business we do come across tampered/cloned plates on a regular basis. On this occasion, whilst we appreciate that the vehicle is showing the character 'E' we are aware this has been tampered with and has been identified as the vehicle F******. In this circumstance, as a process we follow, we do request that the motorist provide us with images of their vehicle which we are able to compare with the evidence we hold. Should differences be spotted between yours and the offending vehicle, the claim would close with immediate effect and we would make you aware of this."
The sheer arrogance of this wholly mendacious statement immediately raised several questions. The notion that the registration plate E****** was bogus was known to both SV and VARS Technology from the start. So why did VARS Technology wait several weeks to make a second false allegation that SV's plate had been "tampered with"? Why not simply openly acknowledge the registration plate discrepancy and make the tampering allegation at the very beginning of their contact with her, in tandem with their allegation of fuel theft? Was this really the next logical step in "the process we follow"? Did no one at VARS ever consider that asking a guilty party for an image of their registration plate after telling them they are "aware" it was altered was effectively alerting that person to the need to change it back and provide an image of the original plate? Obviously, VARS Technology hadn't given this strategy enough thought. In the rational world, the truth was that VARS Technology had never sighted SV's registration plate, so where could this apparently newly-found knowledge have possibly come from? At best this new allegation was a convenient, though clearly delusional belief. At worst it was an outright lie, an ill-thought out ad hoc response to a noncompliant victim of their scam. And what about the difference in colour between the cars? Was their next step in "the process we follow" to be an allegation that "we are aware" that SV had resprayed? So SV simply asked the obvious question:
"Please clarify your statement…….At what point was the vehicle identified as F****** and by whom?"
Having no meaningful answer, and acting true to form, VARS Technology ignored these questions. What they did do, however, was disgraceful. Despite their 'case' being in active dispute, they sent a second 'Final Notice' demand letter, raising the so-called 'debt' to £118.91. Quite comically, they included the very same image as evidence of their allegation. Just as comically, the text in the letter included the same misrepresentation as to liability from court proceedings and again contained the obligatory silly grammatical mistake of the kind seemingly prized by scammers:
".......you have a further 14 days remaining to pay the total amount, including a fee of £60", followed by the following sentence in the next paragraph lifted directly from the first demand letter ".......this figure includes the fuel value and a nominal £30 fee."
At this point, every aspect of their scam was viewed as farcical, as alluded to in SV's reply (bold in original):
"You were previously very specific about the personally identifiable data you have in relation to me and my vehicle. It appears this is untrue. You have now made a further direct accusation (that I have tampered with my registration plate) that does not logically follow from any of the personally identifiable information you hold about me.…….By doing this you are merely conjuring up a fanciful scenario in order to plug your serious evidential gap. I would therefore like you to clarify what exactly you mean by "we are aware."
In response, VARS Technology declined to address their evidential gap and continued to assert that the cars were identical and that SV had tampered with her registration plate:
"Your dispute is that the vehicle in the image does not belong to you and you were not the party that has been involved with the tampering of the registration plate......."
With their drive off scam descending into mirth, VARS Technology were forced to change strategy once again, this time employing an obviously insincere conciliatory approach to get her to comply (bold added):
"Throughout our correspondence with you we have tried to resolve the matter before any potential escalation takes place and to do this we do require your cooperation. While you are reluctant to provide any of the requested information to us [i.e., the image of her registration plate], we can confirm that if you would like to work with us to resolve the matter, you are permitted to formally request that once the necessary review has been actioned the information you send to us is deleted……"
"You are permitted to formally request" got a laugh too. Who do VARS Technology think they are? Do they think that statutory rights only apply to their scam victims when they give their permission? SV was always permitted to request that her personal data be deleted, she didn't need VARS Technology's permission to do so, she had a solid legal basis for them to do so, and she had already requested that they do so. They ignored her. Nevertheless, not unexpectedly, their allegation that "we are aware" that HA had altered her registration plate did quietly disappear and was never again mentioned.
•VARS Technology's Arrogant Attitude To Data Protection Legislation•
VARS Technology's arrogant and contemptuous attitude to data protection legislation was evident from their very first contact with SV. A person's image, when captured and processed solely for commercial purposes, is subject to the requirements of both the Data Protection Act 2018 and UK GDPR 2018 (essentially the same legislation and interchangeable) and cannot be disclosed to other parties without permission or legitimate reason. If, as VARS Technology claimed, a drive off event had occurred at that location and time, it would certainly have been lawful for ESSO Braywick and/or VARS Technology to transmit personal data in the form of single images and/or CCTV footage of the alleged perpetrator and their vehicle to each other and to the police. However, VARS Technology were almost certainly aware at the time they sent their first demand letter that SV was a wholly disinterested party, having no involvement in, contractual obligation to themselves or the forecourt, nor any other conceivable interest regarding the vehicle or individual depicted. Thus, by making SV an unwilling recipient of the image of the male person, VARS Technology were in breach of data protection legislation. A general sloppy attitude to data protection extends to VARS Technology's own data policies. For example, in their data protection statement Section 3 directly contradicts Section 8, viz:
"All personal and special category data is stored within the UK and is not transferred outside of the UK." (S3) vs. "When we collect your personal data, it may be processed outside the UK." (S8)
More annoyingly, however, was the consistent and tiresome efforts they made attempting to swerve any of their legal obligations concerning the deceptive acquisition and processing of SV's personal data. Recall that SV's personal data, or anything legally pointing toward her personal data, was never included on either CCTV or ANPR imagery at the ESSO Braywick forecourt. Neither her vehicle, nor her registration mark, nor her physical image had ever been captured, not at this alleged drive off event, nor at any other time. She had never in her entire life attended that location. Therefore the totality of SV's personal data currently held by VARS Technology (or ESSO Braywick and/or their parent company) emanated solely from their deceptive KADOE request to the DVLA. Art. 5(1)b UK GDPR 2018 states (bold added):
"Personal data shall be…….collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
In her first email in response to VARS Technology's initial demand letter, pointing out what should have been obvious to any honest person; that their so-called 'evidence' portrayed both a different vehicle registration mark and a different driver, and therefore they had no 'case' whatsoever against her, SV quite correctly wrote (bold added):
"This is sufficient evidence that you have identified the wrong vehicle…….I look forward to confirmation that the matter regarding myself is settled and I formally request that you delete any personally identifiable information about me."
As previously mentioned, VARS Technology ignored this deletion request. Perhaps because they hadn't yet given her permission to ask? SV then placed weight on VARS Technology's legal obligations:
"I note that you did not address my request to delete any and all of my personal data from your records. The personally identifiable data that you currently hold about me can no longer legally be used for the purpose for which it was purportedly collected. I therefore again request that you do so and that you confirm this in writing."
At this stage, VARS Technology made their first duplicitous attempt to divert attention away from themselves and culpability toward the forecourt:
"We are not the data controller. The images come from the site for the purpose of the claim. The data controller in this instance is the forecourt not ourselves."
It stretched credulity that VARS Technology actually believed that the image they presented to SV constituted veridical evidence of their allegation. What did the image have to do with HA's personal data? Nothing whatsoever. By referring only to "the images" and pointedly ignoring the collection of personal data from their deceptive KADOE request, VARS Technology's obfuscation became all too obvious. According to the forecourt's solicitor, ESSO Braywick had no involvement in the functioning of the ANPR equipment which is owned and operated by VARS Technology, and the capture of registration marks is relayed to VARS Technology automatically. Furthermore, the solicitor also noted that:
".......we do not instruct VARS for each individual matter.......and so there is no communication [from Esso Braywick to VARS Technology] in relation to this incident."
Thus, it was suspected that, under the circumstances obtaining in this 'case', it was not possible for VARS Technology to be solely a data processor for SV's personal information. When an anonymised, hypothetical opinion was sought from the ICO regarding this matter they replied:
"In this case they [VARS Technology] would be a joint controller and processor."
However, when this opinion from the regulatory body for data protection law was put to VARS Technology they disputed it. For example, from two further emails:
"We must advise you we are the Data Processor and not the Data Controller" and "Due to the contracts in place with our client, we can confirm we are not the joint data controller........we must reiterate that it is not our responsibility to directly respond. "
The definition of data controller is rather more coarse grained than VARS Technology were claiming. Because VARS Technology receive ANPR images from "the site" and because they have "contracts in place" does not automatically make them only data processors. Despite what VARS Technology repeatedly tried to convey, UK GDPR 2018 (and the ICO) do not allow organisations to self-define their data role. The definitions of data controller and data processor are predicated solely on how businesses deal with data. Data controllers' and processors' labels and obligations cannot be shaped via contract, and supervisory bodies are not bound by any contractual or private arrangements made between companies. If you solely initiate (i.e., not act under specific documented instruction) the collection of someone's personal data, either purposefully or accidentally, then you become a data controller, even though you may not care to label yourself as such. Data processors are required to process data only by implementing instructions and legally do so only with documentation. Yet, in communications with SV, ESSO Braywick's solicitor stated, on more than one occasion, that there was no documentation available to the effect that ESSO Braywick had instructed VARS Technology to process SV's personal data.
According to the ICO you are deemed to be a data controller for several reasons, which include:
-
- you are the organisation which had collected the data in the first place;
-
- you are responsible for the lawful basis by which you acquired the data;
In the context of the acquisition of SV's personal data, both principles appeared to directly apply to VARS Technology. Nothing depicted within the forecourt's CCTV data or from VARS Technology's own ANPR equipment would have given VARS Technology reasonable cause to lawfully acquire SV's personal information. Despite this, VARS Technology did collect her data, and they did so not via the forecourt's own technology, nor via documented instruction, but via KADOE, under their own contractual relationship with the DVLA. By doing so, they were using their own technology and KADOE contract to determine and act upon a decision made by themselves. They thus made themselves the legally responsible party because they alone had acquired these data "in the first place." This scenario had VARS Technology meet the definition of data controller laid down by Art 4(7) of UK GDPR 2018.
Interestingly, VARS Technology do appear on the ICO's Register of Data Controllers and they have no problem labelling themselves as data controller when operating the parking enforcement arm of their business, which also relies on their own ANPR technology. From their Complaints Policy (bold added):
"Please note, when a complaint concerns the issuing of a Parking Charge Notice issued by us, VARS Technology LTD are the data controller."
VARS Technology are, in effect, an ongoing repository of images of vehicle registration plates collected from their own ANPR technology which they operate independently of the immediate direction of the owners of parking and forecourt sites on which they are situated. Based on their visual captures (even sometimes based on what is not present in the visual captures) they then collect personal data, or not, by their own decision, through a contractual arrangement made in their own name. This is a textbook description of a data controller. So, being far more inclined to accept the wording of the relevant legislation and the register and legal opinion of the statutory supervisory body rather than a company who had unlawfully collected her personal data, SV replied:
"You are obfuscating the issue and ignoring my lawful request to address your use of my personally identifiable information. I'm asking solely about my personally identifiable data. The photograph.......clearly does not include any personally identifiable data regarding me or my vehicle."
Exasperated, she then shifted from a request for deletion of data to the submitting of a Subject Access Request (SAR):
"Therefore, under the provisions of the Data Protection Act and the UK GDPR I formally make a Subject Access Request for any and all data VARS Technology hold on the registration plate F****** and any personally identifiable information emanating from this number plate. In particular I would like you to furnish me with the wording of the application made to DVLA to substantiate your necessary claim of just cause to acquire such information."
This SAR was in no way ambiguous. It was a specific request for data that VARS Technology alone had "collected.......in the first place". However, when confronted with this perfectly legal request to which they had an obligation to respond, VARS Technology still would not comply:
".......your Subject Access Request would need to be submitted to the correct party, our client EG……The only documentation we have in our office with the vehicle registration is the DVLA application, the response form and the notice issued to you."
Once again, VARS Technology were attempting to hide from legal obligations. According to the ICO any company operating within a larger organisational structure is expected to have public facing staff able to identify and direct a SAR to the correct person; a data subject making a request should not have to find their way through organisational bureaucracy. A data processing company, for example, cannot 'dead end' a SAR on the basis that it has been misaddressed. Even if SV had incorrectly addressed her SAR to VARS Technology (as postulated data processor only), they still had a legal duty to act, according to the ICO "promptly forwarding any request" to ESSO Braywick (or their parent company, as postulated data controller) in accordance with Art. 28(3)e UK GDPR 2018.
The irony burned bright too; the DVLA application included in "the only documentation we have in our office" was precisely what SV had included in her SAR. She didn't ask for a list of documents held by VARS Technology; she was asking for actual copies of the documents. It was, of course, blindingly obvious why VARS Technology were ignoring these legitimate requests. They were attempting to 'dead end' all data requests and pointing SV to ESSO Braywick to shift attention away from their deceptive application to the DVLA which had kick-started their scam. The forecourt were obviously an informational 'dead end' here as no personal data pertaining to SV had been collected by either ESSO Braywick's CCTV or VARS Technology's ANPR equipment. As ESSO Braywick's solicitor again put it (bold added):
"We do not hold any communications with VARS regarding your personal data. Each site uses automatic number plate recognition software to identify registration plates that enter our forecourts. VARS.......manage any offences that occur in relation to a vehicle automatically once receiving notification of this through their systems."
Of course, SV had already obtained VARS Technology's deceptive DVLA request and so knew it was pivotal to their scam; i.e., without it, she would not be a victim of their scam. She wanted VARS Technology to provide her with the evidence themselves, to which they were legally obliged, but kept refusing to do. Thus, VARS Technology were (seemingly unwittingly) confirming their guilt as to operating a scam, though they didn't seem to realise it. Just as sly, however, the "only documentation we have in our office" conspicuously missed two important things. Firstly, VARS Technology were claiming all along that they were only acting under instruction from and were continually communicating with Esso Braywick. If this had been true it is a legal requirement that any instructions issued by ESSO Braywick (as postulated data controller) to VARS Technology (as postulated data processor) be documented. Yet VARS Technology (and ESSO Braywick's solicitor) claimed to have no documentation to that effect. Amusingly, VARS Technology didn't seem to realise that, by denying the existence of these documents, they were effectively incriminating themselves as acting alone and so data controllers. Secondly, recall that VARS Technology had concluded:
"…….whilst we appreciate that the vehicle is showing the character 'E' we are aware this has been tampered with and has been identified as the vehicle F******."
If VARS Technology had genuinely become aware (i.e., they had tangible evidence) that SV had tampered with her registration plate (and so the two vehicles were in fact, identical, despite also being different colours) they must have collected data additional to that inherent in their forecourt image. Again, documentation to that effect should have been included in their inventory. On the other hand, if they didn't hold any such documentation, then VARS Technology were clearly being untruthful about being 'aware' that SV had deliberately altered her registration plate.
Despite VARS Technology eventually claiming that they had forwarded the SAR to ESSO Braywick, no acknowledgment was received. So it appears either that VARS Technology did not forward the request to them, or alternatively, it might have been the case that this perfectly legitimate SAR was forwarded but simply ignored. In either case obligations under data protection legislation were being disregarded.
•VARS Technology Forced To End Their Scam•
Playing along with VARS Technology's data protection shenanigans, SV next sent a SAR via signed post to ESSO Braywick. This included the following specific requests:
- Please provide any and all untampered footage and any and all untampered still images captured by cameras on your premises on 11 September 2024 which includes the vehicle with registration number F****** and the driver. Still images should include any available unaltered EXIF information.
- Please provide any and all untampered footage/still images captured by cameras on your premises on 11 September 2024 of any other vehicle referenced in VARS Technology incident number EG*********.
- Please provide the full and unredacted application made by yourselves to the DVLA for the personally identifiable information of the keeper of the vehicle with registration number F******.
- Regardless of whether you can supply footage/still images of the vehicle F****** and/or the driver can you confirm that under your contractual arrangement with VARS Technology you have explicitly instructed them to act as a data processor for any personally identifiable information concerning and originating from registration number F******?
Bear in mind here that SV knew it was impossible for ESSO Braywick to possess any video footage or still photographs containing her vehicle registration mark or her physical image. Nor was it they who had applied to the DVLA for SV's personal data. The expectation was, therefore, that much (if not all) of the SAR would be legitimately declined by ESSO Braywick (or their parent company), on the bases that:
-
- disclosing such would be an obvious breach of the driver's personal data as the driver in the CCTV footage and any still images captured from that footage was obviously not SV; and/or
-
- that the registration mark F****** referenced in the SAR differed from the registration mark on the vehicle in the CCTV footage; and/or
-
- that they possessed no imagery of any kind depicting any vehicle with the registration mark F******; and/or
-
- ESSO Braywick had not made a KADOE application for the personal details of the keeper of the vehicle F******; and/or
-
- ESSO Braywick had not explicitly instructed VARS Technology to process personal data concerning and originating with the registration mark F******.
If refusal or inability to provide on any single one of these grounds obtained, it would have immediately nullified VARS Technology's 'case' as it would be a comprehensive denial, from the party they had identified as the sole data controller, that the registration mark F****** was involved in any way with the alleged drive event. It would be confirmation that VARS Technology were acting alone, and that their processing of any personal data related to the registration mark F****** was not being performed on behalf of their postulated data controller. Despite stating that she was happy for them to communicate back via email, this SAR went unacknowledged by either ESSO Braywick or VARS Technology. Instead, six days later, on 27 November 2024, VARS Technology emailed SV (bold added):
"As we have maintained through our correspondence, we have wished to resolve the matter with you. We have contacted the forecourt continuously in order to do so and they have confirmed that CCTV is no longer available, therefore, they wish to close this claim. We can confirm that claim has been closed and no further action will be taken."
•Confirmation That VARS Technology Were Conducting a Scam Of Their Own Volition•
Note that VARS Technology do not state that VARS Technology have closed the 'claim' but "they wish to close this claim" despite "they", i.e., ESSO Braywick (or their parent company) stating, through their solicitor, in simple and direct language, that "we do not instruct VARS for each individual matter." Thus the fact that it was VARS Technology, and not ESSO Braywick's solicitor who notified SV of the 'case' being ended strongly suggests that VARS Technology were fulfilling this duty as data controller. However, SV's SAR was still being ignored. The question arose, then, had the CCTV 'evidence' been purposely deleted by ESSO Braywick in an attempt to protect VARS Technology from having to reveal that they had fabricated the allegation of fuel theft made toward SV? Section 173 of the Data Protection Act 2018 makes it an offence to block, erase, destroy or conceal information with the intention of preventing disclosure. To ascertain whether this was the case SV submitted a second SAR by post to ESSO Braywick, identical to the first with an added request of the date of deletion. She wrote:
"I have yet to receive either acknowledgment or reply from you.......Note that, regardless of the claim being closed the SAR still stands. You have a legal obligation to provide the information I have requested. VARS Technology's decision and email in no way absolves you, as the data controller in this matter, from your obligations under the Freedom of Information Act 2000 and/or Article 15 of the Data Protection Act 2018 (UK GDPR)…….If you are unable to provide any of the information I have requested, please supply the date(s) on which my personally identifiable information was permanently deleted from your databases."
A week later, ESSO Braywick's solicitor emailed, informing SV (bold added):
"In relation to your data subject access request, our CCTV is held on a 30-day retention basis and so unfortunately, at the time of your original request to VARS……..footage from 11 September 2024 had been automatically deleted……..As requested in point 5 of your letter, the date of deletion was 30 days following the incident and so was on 11 October 2024."
Once again, note the pertinent dates here. The CCTV 'evidence' was deleted on 11 October 2024 and the first demand letter to SV was issued by VARS Technology on 30 October 2024. Regardless of what it did or did not depict, the CCTV footage had been deleted by ESSO Braywick (or their parent company) almost three weeks before VARS Technology had posted their first demand letter. The Data Protection Act 2018 states that CCTV footage should only be kept for as long as is necessary, which accounts for the 30-day retention policy, considered a standard time frame for non-critical data retention. VARS Technology would surely have been aware of the forecourt's 30-day retention policy and so would have been aware of the nonexistence of any CCTV 'evidence' due to its non-critical status. For, according to VARS Technology, throughout their 'case':
"We have contacted the forecourt continuously."
Many victims of VARS Technology's drive off scams have, after having submitted a SAR to service stations, found that CCTV footage had been deleted well before VARS Technology had sent their first demand letter. One respondent found that CCTV footage had been deleted 47 days before VARS Technology sent their first demand letter, while another reported receiving a letter on 15 September for an alleged drive off event on 2 July. By providing the date of deletion, the forecourt's own legal counsel had dispelled any sliver of doubt remaining that VARS Technology had been conducting the scam entirely of their own volition. She even stated as much (bold added):
"VARS uses its own technology to capture licence plates" going on, "the data retention limits from the CCTV are unrelated to VARS case."
Thus, VARS Technology were clearly lying as to their reason for closing their 'case'. It wasn't any sudden realisation of the lack of CCTV evidence that had caused them to to drop their 'case'. VARS Technology possessed exactly zero evidence of SV's guilt from the time of the alleged drive off event itself. Any CCTV footage was always a non-starter as evidence and so was always irrelevant to their 'case'. But this was obvious to any rational person all along. The real reason was more likely that their scam had run its course. They had probably gauged that SV was never going to concede and was prepared to fight them all the way to the courtroom. She definitely would have done this, and in as public an arena as possible. They couldn't risk this; it would have cost them more than they could recoup and also risk making them, and their legal representatives, a laughing stock when they presented their 'evidence'. Of course, if VARS Technology had dealt with previous requests for data deletion and SARs promptly in accordance with data protection legislation they would have been forced to end their scam much sooner.
In all, three written SARs were made to VARS Technology; on 6 November, 12 November and 19 November 2024. All were 'dead-ended'. Two written SARs were made to ESSO Braywick; on 21 November and 16 December 2024. Only the second of these was acknowledged but, most importantly, not one of these five requests resulted in a single item of documentation being provided.
•VARS Technology's Continued Refusal To Comply With Data Protection Law•
This particular instance of VARS Technology's drive off scam was now doomed. However, there was still the matter of SV's personal data. Notably absent from VARS Technology's capitulation email was any mention, never mind guarantee, of the permanent deletion of that data. So, SV recontacted VARS Technology:
"As the purpose of your holding my personally identifiable information is no longer valid please confirm that any and all of my personally identifiable information has been permanently deleted from Vars Technology databases and any hard copies destroyed. Please provide dates on which these actions were implemented."
This request was not unreasonable and was well within the requirements and obligations set out in data protection legislation, e.g., Art. 5(1)(e) UK GDPR 2018. The ICO list the specific circumstances which should guarantee deletion of personal data on request. They include:
-
- The data is no longer needed for the initial purpose it was collected.
-
- The data subject objects to the use of the data.
-
- There are no overriding legitimate grounds to retain the data.
-
- The data was collected unlawfully.
All four of these reasons were applicable if VARS Technology continued to retain SV's personal data. Indeed, all were equally applicable on her very first request for deletion, made on her very first response to their drive off scam. According to Art. 5.2 of UK GDPR 2018, the burden of proof for the legality of holding subject data is always on the controller, but even if VARS Technology had wished to persist with the unconvincing notion that they were merely a data processor they would still have had to conform to SV's request. As Art. 32 UK GDPR 2018 states:
"…….on termination of the processing activities the processor must…….delete or return all the personal data to the controller and delete existing copies."
Of course, VARS Technology would be unable to return any of SV's personal data to ESSO Braywick (as their supposed data controller), because VARS Technology had never received any of her personal data from them. To comply with legislation, therefore, their only option was to delete on request. After one week, however, there was no reply from VARS Technology. So a follow up email was sent:
"I have not received any response to the email I sent you…….Please can you confirm as per my request and provide the relevant date for actioning."
VARS Technology finally replied to SV and the response was quite astonishing. Given their abject loss of face, one might expect VARS Technology to at least try to be a little contrite. Sadly not. Scammers never apologise. Art. 12(4) of UK GDPR 2018 states that an explanation must be given if a refusal to delete data is made. VARS Technology did that, but the reason they gave grossly misstated their legal position. They were also typically curt (bold added):
".......we can confirm that the claim was closed....... as a result, any data that we are not required to keep for contractual obligations had been removed on the date this was closed.......No further action will be taken and any data we are not required to keep has been removed."
The words "not required to keep", could only mean one thing; VARS Technology were refusing to delete the entirety of SV's personal data. This was confusing, because, as outlined earlier, the only personal data they ever claimed to hold was the completely discredited image from the forecourt and the deceptive application made to the DVLA, along with the demand letters sent. So, what personal data were they deleting and what other personal data had they also surreptitiously acquired along the way and unlawfully retained? SV answered:
"You emailed me…….to inform me that the case was closed and no further action. Please can you confirm that this was the date that my personally identifiable information was removed. If not please provide the specific date."
Note that VARS Technology's sole reason for denying SV her statutory right to deletion was their disingenuous attempt to hide behind "contractual obligations." Not once did they expand on those "contractual obligations", but even if they had their explanation would be unconvincing because it is not possible to contractually 'opt out' of data protection legislation. SV had no contract with VARS Technology (or with ESSO Braywick). She had never given consent for either party to collect or process her personal data and neither party had any legitimate reason to do so. Yet VARS were claiming that, despite having acquired SV's personal data by deception, they considered they had a right to continue processing her data, as they pleased, on the grounds that they had some contractual relationship with ESSO Braywick to do so. However, there is no legal context in which a company can unlawfully, even if accidentally, collect personal data and then choose to not delete it at the data subject's request, due to "contractual obligations." Further, VARS Technology and/or ESSO Braywick (or their parent company) were obligated to notify SV of the content of the data being retained and the purpose underlying these so-called "contractual obligations." Art. 14 UK GDPR 2018 states (bold added):
"Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information……."
SV quite rightly considered VARS Technology's derisive attitude to data protection legislation to be intolerable, so she penned a strongly worded return email:
"The legal situation is very clear; you are not allowed to retain personally identifiable data other than for the purpose for which it was specifically collected. Your reply indicates that you are retaining some of my personally identifiable data despite the purpose for which it was collected being no longer valid. Therefore, I wish to know exactly what personally identifiable data you have retained……..Please note that any contractual obligation you have entered into cannot override data protection legislation. In particular, it is unlawful to retain personally identifiable data 'in case' it may be 'required' in the future. In accordance with data protection legislation, I expect you to delete my personally identifiable data in its entirety. Please confirm that you have done so and if you are unwilling to do this please provide the legal reasons you are relying on for not doing so."
The comment about retaining data 'in case' it may be needed in the future was especially pertinent here because simply storing data and not acting upon it in any other way is still classed as processing data per Article 4(2) UK GDPR 2018. This demand brought VARS Technology to their senses and they finally deigned to comply with data protection legislation. The VARS Technology employee who replied to SV was customarily short:
"To ensure full compliance with your request, any identifiable data has been deleted and is no longer associated with this reference."
No apology was forthcoming. Even at the very funeral of their drive off scam VARS Technology had neither the courtesy nor the courage to admit they had done anything wrong. SV's question, "I wish to know exactly what personally identifiable data you have retained" was ignored. They even took the tone that they were doing SV a favour; "full compliance with your request" should have read "full compliance with data protection legislation", a point later confirmed to SV after she checked with ESSO Braywick's solicitor (who seemed, or at least acted, surprisingly naïve to VARS Technology's underhand practices; bold added):
"Once you put a data deletion request in, companies are required by law to abide and so will not retain any data and therefore, there is no data responsive to your request that I can provide you with."
Given VARS Technology's consistently arrogant attitude to data protection legislation it seemed reasonable to consider, despite their assurances, the notion that they hadn't actually deleted her personal data. Perhaps we'll never know. The case reference number they provided did vanish from the pay portal on the VARS Technology website, but that is no guarantee. If the F****** registration mark is found to be blacklisted on any VARS Technology protected forecourt that would be prima facie evidence that they haven't deleted her (now out of date and erroneous) personal data. What we can be sure of is, if it does transpire that VARS Technology have retained any of SV's personal data, it cannot be because of any legal or contractual obligations, but for some nefarious reason. By way of example, this VARS Technology scam 'case' shows some striking similarities to SV's 'case' (from a female victim on Trustpilot; bold added):
"I had my registration plates stolen off my car, I reported it to the police, obtained a crime reference number. Weeks later somebody had stolen fuel from a petrol station, picture evidence of two men and a different colour car with my stolen registration plates on. After months of back and forth with this company trying to prove and defend myself they finally told me they'd closed the case! Only that's not what they did! They had sold this debt onto a debt collection agency who then pursued me to pay this outstanding balance which was not done by me! They lied...."
Reports of VARS Technology's debt collection partners DCBL ignoring documented evidence of a 'case' being closed and continuing to send demand letters are easily found. It seems reasonable, then, to conclude that their reluctance to delete SV's personal data was to keep the door open to resurrect the scam. Another possibility is that they might decide to sell the 'debt' on. However, if VARS Technology did sell the alleged 'debt' on, this would once again place them in direct contravention of their KADOE contract. As the DVLA have stated:
"DVLA will not allow vehicle keeper data originating from DVLA records to be provided to third parties as part of a debt assignment arrangement. The Agency will consider disclosure of data obtained from DVLA to third parties as part of a debt assignment arrangement as a breach of contract."
In SV's 'case', the KADOE application signed by a VARS Technology company director also clearly states that personal information can only be passed on to a third party with permission from the DVLA. Should a third party attempt to pursue payment from SV at a later date, they would be inviting losing court proceedings not only due to a paucity of evidence and/or breach of KADOE contract, but also via a defence of 'estoppel by representation'. This legal manoeuvre prevents an initial claimant from enforcing any debt, either by themselves through legal representatives or by a third party, if a prior statement has been issued to the defendant that the case is closed and the 'debt' is no longer owed.
•The VARS Technology Drive Off Scam: Conclusion•
As noted, VARS Technology's business model and dealings with the public do not exclusively involve scams. They do perform legitimate work by pursuing payment for bona-fide drive off events, i.e., where the accurately identified driver has intended to steal fuel and tangible, believable evidence suggests that they have proceeded to act with that intention. This is the litmus test for whether a claimant like VARS Technology has a viable legal case; that they are able to present an articulate and logical argument based on evidence. However, where the alleged perpetrator of the fuel theft cannot be identified, or their ability to collect an alleged debt is otherwise thwarted, VARS Technology do seem to resort to concocting fictitious scenarios in order to procure money from innocent parties. This was certainly the case in the case study outlined here.
Therefore, at least a portion of VARS Technology's business practice appears to rely on misrepresenting their own legal status and ignoring and/or misrepresenting the legal rights and obligations of the members of the public with which they have chosen to deal. At no point in their correspondence with SV did VARS Technology ever attempt to present a viable legal basis for their 'case' and at no point did VARS Technology demonstrate that they were acting in good faith. The whole tenor of their 'case' consisted of deception, legally unenforcable demands and expectations, outright lies, attempts at intimidation and plainly empty threats of legal consequences. Arguably, in the present case study, the only plausible conclusion is that VARS Technology were conducting a well-orchestrated, though blunt and unsophisticated scam. The evidence presented here combined with the numerous and growing reports of VARS Technology's involvement in drive off scams, across varied media, only serves to bolster that conclusion.
In the interests of fairness, however, perhaps the last word should go to VARS Technology. This is difficult to achieve, however, as VARS Technology appear to have a policy of either ignoring public criticism. For example, on Trustpilot, where companies are permitted (and encouraged) to interact with individual complainants, VARS Technology are conspicuously absent. Nevertheless there is one 'review' on Trustpilot written by someone calling themselves 'Dillon'. At time of writing, it was Dillon's only review on the website and the only contribution awarding VARS Technology 5-stars (bold added):
"As someone who used to work for VARS I can assure everyone that they are a legitimate company who don't pursue anyone unless directed so by a forecourt. Even then the evidence needs to be conclusive. They work tirelessly to make our parking and forecourts more safe and even work with the Police, other security companies and the DVLA. If you're angry it's likely you messed up and need to own your mistakes a little better."
We can dismiss this effort outright; "the evidence needs to be conclusive"? Really? This contribution only makes sense if 'Dillon' is a 'sock puppet' account. Indeed, each of the first two sentences contain statements which are patently untrue with regard to the present case study. The second offering comes directly from an unnamed spokesperson at VARS Technology, quoted in the Guardian article of 20 December 2025 (bold added):
"Incidents like those flagged up are rare, and when they do happen, we make every effort to resolve them promptly and fairly."
Again, given their course of action in the present case study, does this response come anywhere near to ringing true? Neither of these efforts address any specific issues raised, here or elsewhere. It speaks volumes that these two brief boilerplate responses consist of nothing more than enfeebled denials, probably the best that can be mustered in defence of VARS Technology's drive off scams.
"Falsehood flies, and the truth comes limping after it; so that when men come to be undeceived, it is too late, the jest is over, and the tale has had its effect." (Jonathan Swift)
Case Study of the VARS Technology Drive Off Scam © 2026 by Dandy Odds.
This article is provided in the public interest. Hopefully, current and future victims of VARS Technology's drive off scam will be better informed as to how to neutralise this threat to the innocent. This work is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International. Click here to read the full licence. Short version: Feel free to share this work widely (attribution back to this website would be appreciated). The author can be contacted at dandyodds@driveoffscam.uk
This website takes data protection seriously. No personal data is collected except for that voluntarily disclosed by emailing the author. No cookies are set directly by this website nor are any cookies set by any third party. ISPs and IP addresses are not identified and no tracking or browser fingerprinting or tracking technology is used. No advertising nor affiliate marketing is used.