This topic covers privacy, data protection and related legislation. Most of the material relates to the UK, but references to the EU, US and other jurisdictions also appear.
Are Data Controllers or Data Processors of Personal Data required to maintain any internal records or establish internal processes or documentation?
Internal Controls: Record keeping
Data Controllers and Data Processors are required to retain internal records that describe the processing of Personal Data that is carried out. These records must be maintained and provided to the ICO upon request.
For Data Controllers, the record must include the following information:
- the name and contact details of the Data Controller and, where applicable, the joint controller, and of the Data Controller’s representative and data protection officer
- the purposes of the processing
- the data subjects and categories of Personal Data processed
- the categories of recipients to whom Personal Data has been or will be disclosed
- a description of any transfers of Personal Data to third countries and the safeguards relied upon
- the envisaged time limits for erasure of the Personal Data; and
- a general description of the technical and organisational security measures implemented
For Data Processors, the record must include the following information:
- the name and contact details of the processor and of each Data Controller on behalf of which the processor processes Personal Data, and of the processor’s representative and data protection officer
- the categories of processing carried out on behalf of each Data Controller
- a description of any transfers of Personal Data to third countries and the safeguards relied upon; and
- a general description of the technical and organisational security measures implemented
Are Data Controllers or Data Processors of Personal Data required to register with the supervisory authority? Are there any exemptions?
Data Protection Registration and notification
In the UK, Data Controllers are required to pay an annual registration fee to the ICO. There is no obligation to do so if any of the following applies:
- no processing is carried out on a computer (or other automated equipment)
- the processing is performed solely for the maintenance of a public register
- the Data Controller is a not-for-profit organisation, and the processing is only for the purposes of establishing or maintaining membership or support of that organisation; or
- the Data Controller only processes Personal Data for one or more of these purposes:
  - staff administration
  - advertising, marketing and public relations
  - personal, family or household affairs
  - judicial functions; or
  - accounts and records
An entity that is a Data Processor only is not required to make this payment.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Individuals are entitled to receive compensation if they suffer material or non-material damage as a result of a contravention of the GDPR by a Data Controller or Data Processor. The DPA indicates that ‘non-material’ damage includes ‘distress’.
Are the purposes for which Personal Data can be used by Data Controllers restricted? Has the ‘finality principle’ been adopted?
Personal Data may only be used for specified and lawful purposes, and may not be processed in any manner incompatible with those purposes. The purposes must be specified in the notice given to the individual.
In addition, recent case law has confirmed the existence of a tort of ‘misuse of private information’. Under this doctrine, the use of private information about an individual for purposes to which the individual has not consented may give rise to a separate action in tort against the Data Controller, independent of any action taken under the DPA.
Are the rights of individuals exercisable through the judicial system or enforced by the supervisory authority or both?
Individuals’ rights: Enforcement
Individuals may take action in the courts to enforce any of the rights described in questions 37-39.
The ICO has no power to order the payment of compensation to individuals. Therefore, an individual who seeks compensation must bring an action in the courts. All the other rights of individuals can be enforced by the ICO using the powers granted to it by legislation.
New processing regulations
Data Controllers are required to carry out a Data Protection Impact Assessment (DPIA) in relation to any processing of Personal Data that is likely to result in a high risk to the rights and freedoms of natural persons.
In particular, a DPIA is required in respect of any processing that involves:
- the systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing and on which decisions are made that produce legal effects concerning the natural person or that significantly affect the natural person
- processing sensitive Personal Data or Personal Data relating to criminal convictions or offences on a large scale; or
- systematic monitoring of a publicly accessible area on a large scale
A DPIA must be carried out in relation to all high-risk processing activities that meet the criteria above before the processing begins. The DPIA must include at least the following:
- a systematic description of the processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the Data Controller
- an assessment of the proportionality and necessity of the processing in relation to the purposes
- an assessment of the risks to the rights and freedoms of affected individuals; and
- information about the measures envisaged to address any risks to affected individuals (eg, safeguards, security measures, etc).
The GDPR also implements the concepts of ‘data protection by design’ and ‘data protection by default’. In particular, this requires Data Controllers to implement appropriate technical and organisational measures in their processing systems to ensure that Personal Data is processed in accordance with the GDPR, and to ensure that, by default, only Personal Data that is necessary for each specific purpose is collected and processed. In addition, Data Controllers must ensure that by default Personal Data is not made accessible to an indefinite number of persons without any intervention by the Data Subject.
There are no specific rules or legislation that govern the processing of Personal Data through cloud computing, and such processing must be compliant with the GDPR and DPA.
The ICO has released guidance on the subject of cloud computing, which discusses the identity of Data Controllers and Data Processors in the context of cloud computing, as well as the need for written contracts, security assessments, compliance with the DPA and the use of cloud providers from outside the UK.
This guidance was published under the old law (ie, Data Protection Act 1998). The ICO has confirmed that, while much of the guidance remains relevant, it intends to update the guidance in line with the GDPR.
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
Legal obligations of the data protection authority
The ICO participates in the ‘one-stop shop’ under the GDPR, under which organisations with a main establishment in the EU may primarily be regulated by the supervisory authority of the jurisdiction in which the main establishment is located (lead supervisory authority).
The DPA and the GDPR confer on the ICO powers to participate in the GDPR’s one-stop shop, to cooperate with other concerned supervisory authorities, to request from and provide mutual assistance to other concerned supervisory authorities, and to conduct joint operations, including joint investigations and joint enforcement actions with other concerned supervisory authorities.
The status of the ICO’s participation in the EU’s one-stop shop once the UK has left the EU is currently not clear, but in the absence of an agreement stating otherwise, the ICO will no longer be permitted to participate in the GDPR’s one-stop shop mechanism. This eventuality would affect UK-based Data Controllers and Data Processors that currently carry out cross-border processing of Personal Data across EU member state borders.
The DPA also requires the ICO, in relation to third countries and international organisations, to take steps to develop cooperation mechanisms to facilitate the effective enforcement of legislation relating to the protection of Personal Data, to provide international mutual assistance in the enforcement of legislation for the protection of Personal Data, to engage relevant stakeholders in discussion and activities, and to promote the exchange and documentation of legislation and practice for the protection of Personal Data.
Can breaches of UK data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Breaches of data protection
In the UK, the ICO has a number of enforcement powers. Where a Data Controller or a Data Processor breaches UK data protection law, the ICO may:
- issue undertakings committing an organisation to a particular course of action to improve its compliance with data protection requirements
- serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps, to ensure they comply with the law; and
- issue fines of up to the greater of €20 million or 4 per cent of the annual worldwide turnover of the organisation, depending on the nature of the violation of the DPA and GDPR.
A number of breaches may constitute criminal offences and lead to criminal penalties, for example:
- making a false statement in relation to an information notice validly served by the ICO
- destroying, concealing, blocking or falsifying information with the intention of preventing the ICO from viewing or being provided with the information
- unlawfully obtaining Personal Data
- knowingly or recklessly re-identifying Personal Data that is de-identified without the consent of the Data Controller responsible for that Personal Data
- altering Personal Data so as to prevent disclosure of the information in response to a data subject rights request
- requiring an individual to make a Subject Access request
- obstructing execution of a warrant of entry, failing to cooperate or providing false information
Criminal offences can be prosecuted by the ICO or by or with the consent of the Director of Public Prosecutions.
Supervision: Judicial review
Data Controllers may appeal orders of the ICO to the General Regulatory Chamber (First-tier Tribunal). Appeals must be made within 28 days of the ICO notice and must state the full reasons and grounds for the appeal (ie, that the order is not in accordance with the law or the ICO should have exercised its discretion differently).
Appeals against decisions of the General Regulatory Chamber (First-tier Tribunal) can be made (on points of law only) to the Administrative Appeals Chamber of the Upper Tribunal, appeals from which may be made to the Court of Appeal.
Articles 37-39 of the GDPR detail the appointment and role of data protection officers (DPOs).
Appointment of a DPO is mandatory where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
- the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data or data relating to criminal convictions and offences
Restrictions on disclosure
It is a criminal offence to knowingly or recklessly obtain or disclose Personal Data without the consent of the Data Controller, or to procure the disclosure of Personal Data to another party without the consent of the Data Controller. This prohibition is subject to a number of exceptions, such as where the action was taken for the purposes of preventing or detecting crime. The staff of the ICO are prohibited from disclosing Personal Data obtained in the course of their functions other than in accordance with those functions.
There are no other specific restrictions on the disclosure of Personal Data, other than compliance with the general principles and the cross-border restrictions (qv).
Do individuals have the right to access their Personal Data held by Data Controllers? How can this right be exercised and are there any limitations to this right?
Rights of individuals: Access
Individuals have the right to request access to Personal Data that relates to them. Within one month of receipt of a valid request, the Data Controller must confirm whether or not it is processing the individual’s Personal Data and, if it is, provide:
- a description of the Personal Data
- the purposes of the processing and the recipients or categories of recipients of the Personal Data
- the relevant retention period for the Personal Data
- a description of the rights available to individuals under the GDPR, including the right to complain to a supervisory authority
- any information available to the Data Controller as to the sources of the Personal Data
- the existence of automated decision-making (including profiling); and
- the safeguards it provides if it transfers Personal Data to a third country or international organisation
The Data Controller must also provide a copy of the Personal Data in an intelligible form.
A Data Controller must be satisfied as to the identity of the individual making the request. A Data Controller does not have to provide third-party data where that would breach the privacy of the third party and may reject repeated identical requests, or charge a reasonable fee taking into account the administrative costs of providing the information.
In some cases, the Data Controller may withhold Personal Data to protect the individual; for example, where health data is involved, or to protect other important specified public interests such as the prevention of crime. All such exceptions are specifically delineated in the law.
In most cases, the organisation cannot charge a fee to comply with a request for access. However, where the request is manifestly unfounded or excessive an organisation may charge a ‘reasonable fee’ for the administrative costs of complying with the request. A reasonable fee can also be charged if an individual requests further copies of their data following a request.
Data Protection Registration: Effect of registration
An entry on the register does not cause the Data Controller to be subject to obligations or liabilities to which it would not otherwise be subject.
Does cross-border transfer of Personal Data require notification to or authorisation from a supervisory authority?
Cross-border transfers: Notification and Further transfers
Transfer requires no specific notification to the ICO and no authorisation from the ICO.
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
The restrictions on transfer apply equally to transfers to Data Processors and to Data Controllers.
Onward transfers are taken into account in assessing whether adequate protection is provided in the receiving country. Onward transfers are covered in the Commission-approved model clauses, and in the Privacy Shield.
Onward transfers are not controlled specifically where a transfer is made to a country that has been the subject of an adequacy finding by the Commission. It would be anticipated that the law of the recipient country would deal with the legitimacy of the onward transfer.
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Exempt sectors and institutions
Exemptions from the full rigour of the law apply in some circumstances and for some instances of processing. A wide exemption applies to processing by individuals for personal and domestic use, but no sectors or institutions are outside the scope of the law.
Recent European case law has clarified that this exemption applies only to ‘purely domestic’ or household activities, with no connection to a professional or commercial activity. This means that if Personal Data is only used for such things as writing to friends and family or taking pictures for personal enjoyment, such use of Personal Data will not be subject to the GDPR.
The GDPR and the DPA apply to private and public sector bodies. That said, the processing of Personal Data by competent authorities for law enforcement purposes is outside the scope of the GDPR (e.g. the police investigating a crime). Instead, this type of processing is subject to the rules in Part 3 of the DPA.
In addition, Personal Data processed for the purposes of safeguarding national security or defence is also outside the scope of the GDPR. However, it is covered by Part 2, Chapter 3 of the DPA (also known as the ‘applied GDPR’), which contains an exemption for national security and defence.
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, what are the relevant laws in this regard?
Communications, marketing and surveillance laws
Electronic marketing is specifically regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as amended), although the GDPR and the DPA often apply to the same activities, to the extent that they involve the processing of Personal Data.
Interception and state surveillance are covered by the Investigatory Powers Act 2016 and the Regulation of Investigatory Powers Act 2000.
The interception of business communications is regulated by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Legitimate processing – types of personal data
Distinct grounds for legitimate processing apply to the processing of sensitive Personal Data (also known as ‘special categories of Personal Data’). ‘Sensitive’ Personal Data is defined as Personal Data relating to:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- trade union membership
- physical or mental health
- sex life or sexual orientation
- genetic data
- biometric data (when processed for the purpose of uniquely identifying a natural person)
- the commission or alleged commission of any offence
- any proceedings for committed or alleged offences, the disposal of such proceedings or the sentence of any court in such proceedings.
The GDPR sets out a number of grounds that may be relied upon for the processing of sensitive Personal Data, including:
- explicit consent of the individual
- performance of employment law obligations
- protection of the vital interests of the individual (i.e. a life or death situation)
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
- the processing relates to Personal Data that is manifestly made public by the Data Subject
- the exercise of public functions
- processing in connection with legal proceedings, legal advice or in order to exercise legal rights
- processing for medical purposes
- processing necessary for reasons of public interest in certain specific areas
- processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
In addition to the grounds set forth in the GDPR, the DPA sets forth a number of additional grounds that also may be relied upon, including:
- processing necessary for monitoring and ensuring equality of opportunity or treatment
- preventing or detecting unlawful acts
- preventing fraud
- processing to comply with regulatory requirements relating to establishing whether a person has committed unlawful acts or has been involved in dishonesty, malpractice or other seriously improper conduct
- in connection with administering claims under insurance contracts or exercising rights and complying with obligations arising in connection with insurance contracts
The Data Controller must ensure that Personal Data is relevant, accurate and, where necessary, kept up to date in relation to the purpose(s) for which it is held.
Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?
Notification of data breach
The GDPR requires Data Controllers to notify the ICO of a data breach within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
In addition, Data Controllers must notify affected individuals of a breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of affected individuals.
Data Processors are not required to notify data breaches to supervisory authorities or to affected individuals, but Data Processors must notify the relevant Data Controller of a data breach without undue delay.
In addition to notifying breaches to the ICO and to affected individuals, Data Controllers must also document all data breaches and retain information relating to the facts of the breach, its effects and the remedial action taken.