Re: GDPR?
" even though I'd not submitted it or given informed consent even though I'd not submitted it or given informed consent"
Recital 44 states "Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract" and Article 6(1)(b) states "(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
Unfortunately, as reported, the ICO seems in this case to have interpreted the filling in of the unsubmitted form as constituting a 'request' associated with an intent to enter into a contract.
That's pretty far fetched as, in normal interpretation, hitting the submit button would be considered as making the 'request', but since the GDPR came into force the ICO appears to have consistently tried to avoid getting involved in low key individual cases, concentrating instead in high profile large scale breaches of trust and data leakages. Consequently, it is possible that decisions in such individual cases might sometimes be subject to liberal interpretation of the law.
I have myself been informed by an ICO case officer that it is lawful for an organisation not to disclose all processing conducted on the basis of legitimate interest, but when I challenged that I was told that it was only 'an opinion' and I was entitled to pursue the matter in court at my own expense. That 'opinion' of course specifically contravenes the Regulation, as it denies data subjects their statutory right to object to specific processing on that basis by allowing it to be concealed from the data subject. However, as the regulator, the ICO is the arbiter, so there's nowhere affordable to go to challenge it.
So much for the reality of data protection. This sort of decision clearly encourages the 'box ticking' pseudo compliance which HMG are now seeking to 'eliminate' (i.e. bury under a cloud of vague "results oriented" directives). It has even been recommended that the Article 30 requirement to maintain records of processing should be eliminated as too burdensome, despite such records being the sole evidential reference point for ensuring that procesing remains lawful. I suspect we're doomed.