Data protection

This section deals with the following topics:

Introduction

Effect of Brexit

UK Data Protection Act 2018

Information Commissioner's Office guidance

Registration with the ICO and annual fee

General Data Protection Regulation

What are the main changes introduced by the GDPR?

Scope of GDPR

Definitions

Data processing principles

Rights of data subjects

  Consent to processing

  Right of access

  Right to rectification

  Right to erasure (‘right to be forgotten’)

  Right to restriction of processing

  Right to portability

  Right to object

  Automated decision-making

Duty to provide information

Controllers' responsibilities to ensure compliance

Security of processing

Data protection impact assessment

Records of processing activities

Engagement of a processor

Joint controllers

Data protection officer

Representatives of controllers or processors not established in the EU

Processors' obligations

Notification of a personal data breach

Codes of conduct and certification

Transfers of personal data to third countries or international organisations

Enforcement: compensation; fines

What's new

Introduction


This section provides a summary of Data Protection legislation primarily from the point of view of owners and managers of SMEs.

The European Union adopted in April 2016 a major reform of data protection legislation in the form of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of 27 April 2016, which repeals and replaces the 1995 Directive, Directive 95/46/EC. The GDPR will have direct effect from 25 May 2018 in all EU member states. The law prior to 25 May 2018 is explained here.

In the United Kingdom, the GDPR will therefore supersede the UK legislation, in particular the Data Protection Act 1998 (DPA).

For the detailed legislation, as always the full text should be referred to, as interpreted by the courts.


Effect of Brexit

Although the terms of withdrawal of the United Kingdom from the European Union are not finally settled as at the time of writing, the passing of the European Union (Withdrawal) Bill by the UK Parliament will continue the application of the GDPR in the UK during the Brexit transition period and beyond until changed by Parliament.

The GDPR however is drafted on the basis that it applies to EU member states, the European Court of Justice having ultimate jurisdiction over interpretation, and that personal data must flow freely throughout the EU. It remains to be seen how these concepts will be dealt with in the Brexit legislation.

UK Data Protection Act 2018

New UK legislation will provide for the enforcement of, and supplementary provisions in relation to, the GDPR. The Data Protection Bill is currently going through the Parliamentary legislative process and is expected in due course to be enacted as the Data Protection Act 2018.

What do businesses have to do to comply with the GDPR?

There are obligations on both 'Controllers' and 'Processors' of personal data. Businesses need to undertake thorough reviews of their use of personal data and to identify clearly which data they hold, for what purpose and on what legal basis. They should also assess the contracts in place, in particular those between controllers and processors, the avenues for international transfers and the overall governance (what IT and organisational measures to have in place), including whether a Data Protection Officer must be appointed.

Information Commissioner's Office guidance

The Information Commissioner's Office (ICO) remains the UK supervisory authority responsible for data protection policy and regulatory enforcement. It has published General Data Protection Regulation (GDPR) FAQs for small organisations.

Guide to the General Data Protection Regulation (GDPR): this guide has been prepared by the UK Information Commissioner’s Office (ICO); it is intended for individuals who have day-to-day responsibility for data protection and is a “living document” subject to expansion.

Guidance on upcoming new data protection rules across the EU: this is a link to the following EU materials:

* Communication from the Commission to the European Parliament and the Council Stronger protection, new opportunities - Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018 COM(2018)43 final

* Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Registration with the ICO and annual fee

The Data Protection Act 1998 (DPA) ss.18/19 and regulations made under the DPA require all persons who process personal data to notify (i.e. register) their data processing with the Information Commissioner's Office (ICO), unless they are exempt. A fee is payable on registration and annually thereafter, currently £35 (tier 1) and £500 (tier 2).

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and apply directly to all EU Member States. The GDPR does not require organisations to register with national data protection supervisory authorities in order to process personal data. However, the GDPR does require such authorities to be adequately funded. Therefore in the UK, while the existing statutory requirements to provide a notification and pay a fee to the ICO will be repealed, the new system will still require businesses to register with the ICO and pay an annual fee, subject to exemptions similar to the existing exemptions from notification.

The Data Protection (Charges and Information) Regulations 2018 [SI 2018/480] set out the new system of charges and come into force on 25 May 2018, at the same time as the GDPR. However, businesses currently registered with the ICO will not need to pay the new fee until their current registration period expires. There are three tiers of charges payable by data controllers:

* Tier 1 Micro Organisations [a maximum of 10 members of staff or a maximum turnover of £632,000 per annum]: £40;

* Tier 2 Small and Medium Organisations [not in tier 1, and a maximum of 250 members of staff or a maximum turnover of £36 million per annum]: £60; and

* Tier 3 Large Organisations: £2,900.

A £5 discount is applied to each tier for data controllers paying by direct debit. Organisations which qualify as micro organisations and pay by direct debit will therefore pay the same charge (£35) as under tier 1 of the current charge structure.

General Data Protection Regulation

According to the European Commission [Communication from the Commission to the European Parliament and the Council Stronger protection, Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018], the Regulation did not substantially change the core concepts and principles of the data protection legislation put in place back in 1995. This should mean that the vast majority of controllers and processors, provided that they are already in compliance with the existing EU data protection laws, will not need to make major changes to their data processing operations to comply with the Regulation.

The Regulation impacts most on operators whose core business is data processing and/or dealing with sensitive data. It also impacts on those that regularly and systematically monitor individuals on a large scale. These operators will most probably have to appoint a data protection officer, conduct a data protection impact assessment and notify data breaches if there is a risk to the rights and freedoms of individuals. Operators, in particular SMEs, which do not engage in high risk processing as their core activity will normally not be subject to these specific obligations of the Regulation.

What are the main changes introduced by the GDPR compared with the Data Protection Act?

* One single set of rules

There is one single set of rules for citizens and businesses throughout the European Union, ending the situation in which EU Member States implemented the 1995 Directive's rules differently. A level playing field will apply to all companies operating in the EU market: businesses based outside the EU must apply the same rules as those based in the EU if they offer goods or services to individuals in the Union or monitor the behaviour of individuals in the Union.

See: Article 3 GDPR

* Detailed definitions

The GDPR sets out more detailed definitions of what is meant by key expressions including 'personal data', 'processing', 'controller', 'processor' and others. See Definitions below

* Stronger individuals’ rights:

Consent to processing: when data processing is based on consent, the data controller must be able to demonstrate that the individual to whom the data relates (the data subject) has consented to the processing of his or her personal data. Silence, pre-ticked boxes or inactivity do not constitute consent, and consent bundled into terms and conditions covering matters other than data processing will not be sufficient.

Right to withdraw: the data subject has the right to withdraw consent at any time, and withdrawal of consent must be as easy as giving it. The data subject must be informed of this right before giving consent. Children under 16: in relation to the offer of information society services (defined under Rights of data subjects below) directly to a child below the age of 16, consent to processing must be given or authorised by the holder of parental responsibility over the child.

See below for the specific rights of data subjects.

* Duty to provide information

At the time of collecting the data, the data controller must provide the data subject with the information required by Articles 13 and 14 GDPR (unless the data subject already has that information). See Duty to provide information below.

* Self-responsibility

Data controllers and data processors are required to take responsibility for designing and operating data processing systems in a way that ensures compliance with the GDPR.

Scope of GDPR

Subject-matter and objectives

The purposes of the GDPR are:

* to lay down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data;

* to ensure that the free movement of personal data within the EU is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

See: Article 1 GDPR

Scope of data processing covered

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

The Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of EU law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union [Common foreign and security policy];

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

See: Article 2 GDPR

Territorial scope

Controller or a processor with an establishment in the EU

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the EU or not.

Controller or a processor not established in the EU

The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

See: Article 3 GDPR

Definitions of personal data, processing etc.

Key expressions defined in the GDPR include:

* ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

* ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

* ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

* ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

* ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

See: Article 4 GDPR

Data processing principles

Principles relating to processing of personal data

1. Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

(f) processed in a manner that ensures appropriate security of the personal data.

2. The controller is responsible for, and must be able to demonstrate compliance with, paragraph 1.

See: Article 5 GDPR

Lawfulness of processing

1. Processing is lawful only to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes [see conditions for consent];

(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

See: Article 6 GDPR

Conditions for consent

1. Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which infringes the Regulation is not binding.

3. The data subject shall have the right to withdraw his or her consent at any time. Prior to giving consent, the data subject must be informed of this right. It must be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account must be taken of whether, among other things, the performance of a contract, including the provision of a service, has been made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

See: Article 7 GDPR

Conditions applicable to child's consent in relation to information society services

1. Where the data subject's consent is the basis for the lawfulness of processing, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 does not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

See: Article 8 GDPR

Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited.

2. The prohibition on processing of special categories of personal data does not apply in the following cases:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

See: Article 9 GDPR

Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

See: Article 10 GDPR

Processing which does not require identification

1. If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller is not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the Regulation.

2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

See: Article 11 GDPR

Rights of data subjects

Consent to processing

When data processing is based on consent, the data controller shall be able to demonstrate that the individual to whom the data relates (data subject) has consented to processing of his or her personal data. 'Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

See: Article 7 and the definition in Article 4(11) GDPR

Comment: silence, pre-ticked boxes or inactivity do not constitute consent (Recital 32), and consent bundled into terms and conditions covering matters other than data processing will not be sufficient.

Right to withdraw: the data subject has the right to withdraw consent at any time and withdrawal of consent must be as easy as giving it. The data subject must be informed of this right before giving consent.

See: Article 7 GDPR

Children under 16: in relation to the offer of information society services* directly to a child below the age of 16 years, consent to processing must be given or authorised by the holder of parental responsibility over the child.

* i.e. any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services [see: article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council].

See: Article 8 GDPR

Right of access

The data subject has the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, where that is the case, access to the personal data together with information including the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient, the envisaged retention period, the existence of the rights to rectification, erasure, restriction and objection, the right to lodge a complaint with a supervisory authority, the source of the data where not collected from the data subject, and the existence of any automated decision-making. The controller must provide a copy of the personal data undergoing processing.

See: Article 15 GDPR

Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

See: Article 16 GDPR

Right to erasure (‘right to be forgotten’)

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller must erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) (see below);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

If the controller has made public the personal data to be erased, it must, taking account of available technology and the cost of implementation, take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure by those controllers of any links to, or copies or replications of, those personal data.

The right to erasure does not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

See: Article 17 GDPR

What's new

13/04/2018: High Court rules on ‘right to be forgotten’ data claims against Google

NT 1 and NT 2 v Google LLC (Information Commissioner intervening)

[2018] EWHC 799 (QB)

Two claims about the "right to be forgotten" or, more accurately, the right to have personal information "delisted" or "de-indexed" by the operators of internet search engines were heard by the High Court.

Comment: although this case concerned the pre-GDPR law, it will continue to have relevance.

Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under this right, the personal data may, apart from storage, only be processed with the data subject's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or of a Member State.

The data controller must inform a data subject who has obtained restriction of processing before the restriction is lifted.

See: Article 18 GDPR

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller must communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with the above rights to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

See: Article 19 GDPR

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The right may not adversely affect the rights and freedoms of others.

See: Article 20 GDPR

Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1)*, including profiling based on those provisions. The controller must no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

* i.e. processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

See: Article 21 GDPR

Automated individual decision-making, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

There are exceptions to this right if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.

In the cases in points (a) and (c) above, the data controller must implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Decisions falling within the exceptions in points (a) to (c) above must not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

See: Article 22 GDPR

Duty to provide information

Information to be provided where personal data are collected from the data subject

At the time of collecting the data, the data controller must provide the data subject with all of the following information (unless he/she already has the information):

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b) the contact details of the data protection officer, where applicable*;

* See section 4 of the GDPR

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on necessity for the purposes of the legitimate interests pursued by the controller or by a third party, the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission.

In addition to the information referred to above, the controller must, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling*, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

* as referred to in Article 22 GDPR

Where personal data have not been obtained from the data subject

Where personal data have not been obtained from the data subject, the controller must in addition provide the data subject with the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources. This must be given within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed. If the personal data are to be used for communication with the data subject, the information must be given at the latest at the time of the first communication to that data subject.

There are certain exceptions* to the above paragraph, including:

- the data subject already has the information;

- the provision of such information proves impossible or would involve a disproportionate effort;

- obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests;

- where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller must provide the data subject, prior to that further processing, with the required information on that other purpose.

Data controllers must provide information to data subjects in response to requests in exercise of their rights in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

The controller must respond to a data subject's request in exercise of a right without undue delay and in any event within one month of receipt of the request unless special reasons apply.

see: Article 14 GDPR

Controllers' responsibilities to ensure compliance

Responsibility to take technical and organisational measures

The data controller must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR. The measures must be reviewed and updated where necessary. In deciding what is appropriate, the data controller must take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

The above measures must include the implementation of appropriate data protection policies by the controller, where proportionate in relation to processing activities.

Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

see: Article 24 GDPR

Data protection by design and by default

The data controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in the two paragraphs above.

see: Article 25 GDPR

Security of processing

The controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The measures must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

In assessing the appropriate level of security, account must be taken in particular of the risks presented by the processing, especially those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with these requirements.

The controller and processor must ensure that any individual acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by law.

see: Article 32 GDPR
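Two of the measures named in the Article 25 (data protection by design and by default) and Article 32 (security of processing) passages above, purpose-bound data minimisation and keyed pseudonymisation, as an added Python example. It is not part of the original page or of any GDPR text: the customer records, purposes and field allow-lists are constructed for the illustration, and the pseudonymisation key is generated locally and, in line with the Article 4(5) definition of pseudonymisation, would be kept separately from the dataset it protects.

```python
"""Added example (not from the page): data minimisation by default plus
keyed pseudonymisation, two technical measures of the kind Articles 25
and 32 call for. All records, purposes and field lists are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "date_of_birth": "1988-03-04", "order_total": 120.50},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "postcode": "M1 1AE", "date_of_birth": "1975-11-21", "order_total": 42.00},
]

# Data protection by default: every purpose has an explicit allow-list of
# fields (hypothetical purposes). A field that is not listed is never
# released for that purpose, so the default is the minimum, not the maximum.
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "email", "postcode"},
    "sales_statistics": {"postcode", "order_total"},
}

# Fields that directly identify a person and are pseudonymised if released.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def minimise(record, purpose):
    """Return only the fields approved for `purpose`; unknown purposes are refused."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no field list approved for purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def new_pseudonymisation_key():
    """Random 256-bit key; the 'additional information' kept apart from the data."""
    return secrets.token_bytes(32)


def pseudonymise(value, key):
    """Keyed pseudonym (HMAC-SHA256). Stable for one key, so records can still
    be linked, but unlike a plain hash of a low-entropy field (an e-mail
    address) it cannot be recomputed by anyone who lacks the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_dataset(records, purpose, key):
    """Minimise each record for the purpose, then pseudonymise any direct
    identifier that the purpose still needs."""
    prepared = []
    for rec in records:
        r = minimise(rec, purpose)
        for field in DIRECT_IDENTIFIERS:
            if field in r:
                r[field] = pseudonymise(r[field], key)
        prepared.append(r)
    return prepared


def reidentify(pseudonym, source_records, key, field="email"):
    """Authorised re-linking: only the key holder can map a pseudonym back."""
    for rec in source_records:
        if hmac.compare_digest(pseudonymise(rec[field], key), pseudonym):
            return rec
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    print(prepare_dataset(CUSTOMERS, "sales_statistics", key))  # no identifiers at all
    print(prepare_dataset(CUSTOMERS, "order_fulfilment", key))  # identifiers pseudonymised
```

The point of the split is that the statistics export never contains an identifier, pseudonymised or otherwise, while the fulfilment export can still be linked back by whoever holds the key, which is exactly the "additional information kept separately" that distinguishes pseudonymisation from anonymisation.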

Data protection impact assessment

Where a type of processing, in particular one using new technologies, is likely, taking into account the nature, scope, context and purposes of the processing, to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

A single assessment may address a set of similar processing operations that present similar high risks.

The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

A data protection impact assessment is required in particular in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

The supervisory authority must establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment.

The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required.

The assessment must contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors will be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

Where appropriate, the controller must seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Where necessary, the controller must carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

see: Article 35 GDPR

Prior consultation with the data protection authority

The controller must consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

When consulting the supervisory authority, the controller shall provide the supervisory authority with:

(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

(b) the purposes and means of the intended processing;

(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the Regulation;

(d) where applicable, the contact details of the data protection officer;

(e) the data protection impact assessment; and

(f) any other information requested by the supervisory authority.

see: Article 36 GDPR

Records of processing activities

A controller must maintain a record of processing activities under its responsibility which must contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) [security of processing].

The records referred to above must be in writing, including in electronic form.

The controller must make the record available to the supervisory authority on request.

The record-keeping obligations do not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

see: Article 30 GDPR

Engagement of a processor

A controller must use only processors providing sufficient guarantees to process data in compliance with the GDPR. Processing by a processor must be governed by a contract. [see below: Processors' obligations]

Joint controllers

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They are required to determine by agreement (unless laid down by more specific laws) their respective responsibilities for compliance with the obligations under this Regulation in a transparent manner, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14.

see: Article 26 GDPR

Data protection officer

Designation of the data protection officer

A data protection officer must be designated by a data controller and a data processor in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

The data protection officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks required [see below].

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. The controller or the processor must publish the contact details of the data protection officer and communicate them to the supervisory authority. The data protection officer is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with EU or Member State law.

Position of the data protection officer

The controller and the processor must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

The controller and processor must support the data protection officer in performing the tasks referred to below by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

The controller and processor must ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his or her tasks. The data protection officer must report directly to the highest management level of the controller or the processor.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the Regulation.

Tasks of the data protection officer

The data protection officer must have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the Regulation and to other legal data protection provisions;

(b) to monitor compliance with the Regulation, with other legal data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to above, and to consult, where appropriate, with regard to any other matter.

The data protection officer must have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The data protection officer may fulfil other tasks and duties but the controller or processor must ensure that any such tasks and duties do not result in a conflict of interests.

see: Articles 37-39 GDPR

Representatives of controllers or processors not established in the EU

A controller or processor not established in the EU whose activities are within the scope of the GDPR [see Scope of GDPR] is required to designate in writing a representative in the EU.

This obligation does not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

The representative must be established in one of the Member States where the data subjects are located. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by supervisory authorities and data subjects on all issues related to compliance with the Regulation.

see: Article 27 GDPR

Processors' obligations

Warranties by processor

Where processing is to be carried out on behalf of a controller, the controller must use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

The processor must not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Requirement for a processing contract

Processing by a processor must be governed by a contract binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The contract must stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by the law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32 [security of processing];

(d) complies with the second paragraph above about engaging another processor;

(e) assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [security of personal data, notification of personal data breach, data protection impact assessment and prior consultation], taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless the law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this section [i.e. Article 28] and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

The processor must immediately inform the controller if, in its opinion, an instruction infringes the Regulation or other legal data protection provisions.

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as required by the Regulation must be imposed on that other processor by way of a contract.

Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 [Certification] may be used as an element by which to demonstrate sufficient guarantees as referred to in this section.

The contract for processing must be in writing, including in electronic form.

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, must not process those data except on instructions from the controller, unless required to do so by law.

If a processor infringes the Regulation by determining the purposes and means of processing, the processor will be treated as if he were a controller in respect of that processing.

See: Articles 28 and 29 GDPR

Record of processing

Each processor and, where applicable, the processor's representative must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) [non-approved countries], the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures [see: Security of processing].

The records must be in writing, including in electronic form.

The processor and, where applicable, the processor's representative, shall make the record available to the supervisory authority on request.

This obligation does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

see: Article 30 GDPR

Notification of a personal data breach

Personal data breach

A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [see: Article 4(12) GDPR].

Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 [i.e. in the UK the ICO], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

A processor must notify the controller without undue delay after becoming aware of a personal data breach.

The notification must at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. The documentation must enable the supervisory authority to verify compliance with the notification requirement.

see: Article 33 GDPR

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay.

The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) [see above in relation to notification to the supervisory authority].

The communication to the data subject of a personal data breach is not required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to above are met.

see: Article 34 GDPR

Codes of conduct and certification

The GDPR requires EU Member States, supervisory authorities and relevant EU bodies to encourage:

* the drawing up of codes of conduct intended to contribute to the proper application of the Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

* the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the Regulation of processing operations by controllers and processors.

A certification is issued for a maximum period of three years and may be renewed, provided the relevant requirements continue to be met. It must be withdrawn by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

The European Data Protection Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

see: Articles 40-43 GDPR

Transfers of personal data to third countries or international organisations

General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation must take place only if, subject to the other provisions of the Regulation, the conditions laid down in the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

All provisions in the GDPR must be applied in order to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined.

see: Articles 44-48 GDPR

Enforcement and fines

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered.

The Regulation gives all data protection authorities in the EU the power to impose fines on controllers and processors (currently not all of them have such powers). Administrative fines may be imposed up to EUR 20 million or, in the case of a business undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

see: Articles 31, 82-84 GDPR

UK Data Protection Act 2018

What’s New items on this topic [go to the What's New page or archive for the full item]:

13/04/2018: New Data Protection charges

The Data Protection (Charges and Information) Regulations 2018 [SI 2018/480] set out the new system of charges and come into force on 25 May 2018, at the same time as the GDPR. However, businesses currently registered with the ICO will not need to pay the fee until their current registration period expires. There are three tiers of charges payable by data controllers. See Registration with the ICO and annual fee.

28/02/2018: Institute of Fundraising publishes joint guidance on GDPR

Source: Institute of Fundraising

The Institute of Fundraising has published joint guidance on the GDPR for fundraisers and charities, which gives an overview of fundraising methods and how personal data is likely to be used in each case. This guidance is indicative of the more detailed guidance that will fully prepare fundraisers ahead of the GDPR coming into effect on 25 May 2018.

Reviewed and co-badged by the Information Commissioner’s Office, the guidance offers fundraisers and charities a guideline for their future work and encourages practical application of the law to real life scenarios.

The guidance is free and supported by regulators and membership bodies throughout the UK, including the Charity Commission, National Council for Voluntary Organisations, Wales Council for Voluntary Action, the Charity Commission Northern Ireland, Northern Ireland Council for Voluntary Action and the Scottish Independent Fundraising Panel.

[Page updated: 28/04/2018]
