United Kingdom
In this chapter:
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation was passed in 2018, and updated in 2019, to address the requirements of the GDPR.
Following the UK’s departure from the EU, the GDPR was incorporated into the domestic law that applies in the UK, under section 3 of the European Union (Withdrawal) Act 2018 (the “Withdrawal Act”), and the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
The amended GDPR (the “UK GDPR”) is broadly aligned with the GDPR in terms of its substantive requirements. As a result, the practical compliance obligations for businesses are largely unchanged. However, provisions concerning supervisory bodies and interactions between EU Member States have been amended to reflect the fact that the UK is no longer directly subject to EU law and enforcement regimes. Powers previously held at Union level are now held by the UK’s Information Commissioner.
———
(b) Relevant legislation includes:
- UK Data Protection Act 2018 (the "Data Protection Act")
- Date in force: 25 May 2018
- Note: The Data Protection Act also applies the UK GDPR (and previously applied the GDPR) to areas that fall outside the legislative competency of the EU, such as processing by law enforcement and intelligence services. The answers in this chapter are applicable to entities processing personal data, other than for purposes of law enforcement or intelligence services.
- Link: see here
- UK GDPR
- Date in force: 31 December 2020 (from 11pm GMT)
- Note: The UK GDPR incorporates the GDPR into national law.
- Link: see here
———
(c) What is the status of national pre-GDPR data protection law?
The relevant pre-GDPR legislation has been repealed in full.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
The Data Protection Act does not make specific rules regarding the processing of personal data of deceased persons.
However, under the Access to Health Records Act 1990, the following rules apply in respect of access to health records (which contain personal data) relating to deceased persons:
- a person is entitled to access a deceased person’s health records only if they are either:
- a personal representative (i.e., the executor or administrator of the deceased person’s estate); or
- a person who has a claim resulting from the death (whether they are a relative or other person);
- access to a deceased person’s health records may not be granted if a patient requested confidentiality whilst they were alive; and
- disclosure of a deceased person’s health data may also not take place if there is a risk of serious harm to an individual, or if records contain information relating to another person.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
There are no specific rules governing this issue. However, the Secretary of State may make further provisions (none have so far been issued).
———
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
Personal data may be processed for the performance of tasks carried out in the public interest where such processing is necessary for the performance of the following tasks:
- the administration of justice;
- parliamentary functions;
- statutory functions;
- governmental functions; or
- activities that support or promote democratic engagement.
The processing of sensitive personal data may be justified on the ground of “substantial public interest” as defined under the Data Protection Act (see Q5(b)(ii) below for further details).
———
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
See Q3(b) above.
———
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
There are no specific additional criteria governing this issue.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
13 years of age.
The Data Protection Act explicitly states that ISS does not include preventative or counselling services.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
All sensitive personal data can be processed if the data subject’s valid consent has been obtained.
———
b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:
- the processing is necessary to comply with obligations imposed on the controller or data subject in connection with employment, social security or social protection;
- the controller has an “appropriate policy” in place when the processing is carried out; and
- additional safeguards are implemented, including the retention of a policy document (which must be updated periodically and made available on request to the DPA) and the maintenance of a record of processing.
The “appropriate policy” should explain the controller’s procedures for securing compliance with general GDPR principles for processing and set out the retention periods for the relevant data (and erasure procedures).
(ii) Substantial public interest
Processing sensitive personal data in respect of this purpose is lawful only if the controller has an appropriate policy and additional safeguards in place (see Q5(b)(i) above) when the processing is carried out, and the processing is carried out for one of the following purposes:
- to comply with statutory requirements;
- for the exercise of government purposes;
- for the exercise of parliamentary functions;
- for the administration of justice;
- to promote and maintain equality of opportunity or treatment;
- to promote and maintain diversity in the racial and ethnic origins of individuals at senior levels of organisations;
- to prevent and detect unlawful acts;
- to protect the public against dishonesty;
- to comply with regulatory requirements relating to unlawful acts and dishonesty;
- to disclose data for journalistic, academic, artistic or literary purposes in connection with unlawful acts and dishonesty;
- to prevent fraud;
- to make disclosures in good faith relating to terrorist financing or money laundering;
- to provide support for individuals with a particular disability or medical condition;
- to provide counselling;
- to safeguard children and individuals at risk;
- to safeguard the economic well-being of individuals at economic risk;
- for certain insurance purposes (under strict conditions only);
- for making determinations in relation to occupational pensions (under strict conditions only);
- for the exercise of political activities (under strict conditions only);
- for activities connected with elected representative (under strict conditions only);
- for the publication of legal judgments; or
- for maintaining standards of behaviour in sport.
The availability and applicability of each of the above conditions is subject to further specific requirements set out in the Data Protection Act.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:
- the processing is necessary for purposes of preventative or occupational medicine, assessment of an employee’s working capacity, medical diagnosis, provision of health treatment or social care, or management of health or social care systems or services; and
- the processing must be carried out:
- by or under the responsibility of a health professional or a social work professional; or
- by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
(iv) Public interest in the area of public health
Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:
- the processing is necessary for reasons of public interest in the area of public health; and
- the processing is carried out by a health professional (or under their responsibility) or another person who owes a duty of confidentiality.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:
- the processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes;
- the processing is carried out in accordance with Art. 89(1) UK GDPR (including implementing safeguards to comply with the principle of data minimisation); and
- the processing is in the public interest.
In addition, processing will not satisfy the requirement in Art. 89(1) UK GDPR that the processing be subject to appropriate safeguards for the rights and freedoms of the data subject if:
- the processing is likely to cause substantial damage or substantial distress to a data subject; or
- the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.
———
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
Processing these types of sensitive personal data may be subject to the safeguards specified in Q5(b)(i)-(v) above.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
Under the Data Protection Act, personal data relating to criminal convictions and offences include personal data relating to:
- the alleged commission of offences by the data subject; or
- proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.
Processing of personal data relating to criminal conditions and offences is lawful if any of the following conditions are met:
- processing is carried out for one or more of the purposes set out in the responses to Q5(b)(i)-(v) above;
- the data subject has given consent to the processing;
- processing is necessary to protect the vital interests of an individual;
- processing is carried out by not-for-profit bodies in the course of its legitimate activities;
- the personal data subject to processing has been manifestly made public by the data subject;
- processing is carried out in connection with a legal claim;
- processing is necessary when a court or tribunal is acting in its judicial capacity;
- processing is carried out for the administration of accounts used in the commission of indecency offences involving children; or
- processing is carried out for processing relating to insurance purposes.
An appropriate policy document (as defined in Q5(b)(i) above) and additional safeguards must also be in place.
Q7/ Exemptions
(a) Does national law specify exemptions to a data subject’s right to erasure?
The right of erasure may not apply in the following scenarios:
- processing for immigration purposes;
- processing for the prevention of crime (including risk assessments);
- processing for the assessment of tax obligations (including risk assessments); where the personal data consists of information that the controller is obliged by an enactment to make available to the public or to a third party;
- where it is necessary to disclose the personal data for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising or defending legal rights;
- processing for the purpose of discharging specific functions designed to protect the public;
- processing for the purpose of discharging audit functions (applicable to official comptrollers/auditors);
- processing for the purpose of discharging a function of the Bank of England;
- processing for the purpose of discharging a regulatory function relating to legal services, the health service and children’s services;
- processing for the purpose of discharging a regulatory function (applicable to specified regulators);
- where complying with the right of erasure would lead to an infringement of parliamentary privilege;
- processing in connection with judicial appointments, independence and proceedings;
- processing in connection with certain crown honours, dignities and appointments;
- processing for journalistic, academic, artistic or literary purposes;
- processing of health data or social work data by a court, or in connection with certain requests involving minors or persons incapable of managing their own affairs; or
- processing of education data (i.e., personal data in an educational record) processed by a court.
Some of the exemptions above apply to the extent that applying the right of erasure would be likely to prejudice, or would prevent or seriously impair the controller or the processor from processing personal data in a way that is required for the relevant purpose.
———
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
A data subject’s right to be provided information does not apply in the following circumstances:
- processing for immigration purposes;
- processing for the prevention of crime (including risk assessments);
- processing for the assessment of tax obligations (including risk assessments);
- where the personal data consists of information that the controller is obliged by an enactment to make available to the public or to a third party;
- where it is necessary to disclose the personal data for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising or defending legal rights;
- where legal professional privilege applies;
- where disclosure could lead to self-incrimination;
- processing for the purpose of discharging specific functions designed to protect the public;
- processing for the purpose of discharging audit functions (applicable to official comptrollers/auditors);
- processing for the purpose of discharging a function of the Bank of England;
- processing for the purpose of discharging a regulatory function relating to legal services, the health service and children’s services;
- processing for the purpose of discharging a regulatory function (applicable to specified regulators);
- where complying with the right of erasure would lead to an infringement of parliamentary privilege;
- processing in connection with judicial appointments, independence and proceedings;
- processing in connection with certain crown honours, dignities and appointments;
- processing for journalistic, academic, artistic or literary purposes;
- processing of health data or social work data by a court, or in connection with certain requests involving minors or persons incapable of managing their own affairs;
- processing of education data (i.e., personal data in an educational record) processed by a court;
- processing in connection with a corporate finance service;
- processing for the purposes of management forecasting or management planning in relation to a business or other activity;
- processing to record intentions relating to any negotiations with an individual;
- processing to give or receive a confidential reference for the purposes of prospective or actual employment, education or training; or
- processing of exam scripts.
Some of the exemptions above apply to the extent that applying the right to be provided information would be likely to prejudice, or would prevent or seriously impair the controller or processor from processing personal data in a way that is required for the relevant purpose.
———
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
There are no specific exemptions to the right to not be subject to automated individual decision-making.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
The right to be informed where personal data are collected from the data subject (Art. 13 UK GDPR), the right of access (Art. 15 UK GDPR), the right to rectification (Art. 16 UK GDPR), the right to restrict processing (Art. 18 UK GDPR), the right to portability (Art. 20 UK GDPR) and the right to object (Art. 21 UK GDPR) may not apply in the following scenarios:
- processing for immigration purposes;
- processing for the prevention of crime (including risk assessments);
- processing for the assessment of tax obligations (including risk assessments);
- processing for scientific or historical research purposes or statistical purposes (note, this exemption is not applicable to the right to data portability under Art. 20 UK GDPR);
- processing for archiving purposes in the public interest;
- where the personal data consists of information that the controller is obliged by an enactment to make available to the public or to a third party;
- where it is necessary to disclose the personal data for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising or defending legal rights;
- processing for the purpose of discharging specific functions designed to protect the public;
- processing for the purpose of discharging audit functions (applicable to official comptrollers/auditors);
- processing for the purpose of discharging a function of the Bank of England;
- processing for the purpose of discharging a regulatory function relating to legal services, the health service and children’s services;
- processing for the purpose of discharging a regulatory function (applicable to specified regulators);
- where complying with the right of erasure would lead to an infringement of parliamentary privilege;
- processing in connection with judicial appointments, independence and proceedings;
- processing in connection with certain crown honours, dignities and appointments;
- processing for journalistic, academic, artistic or literary purposes;
- processing of health data or social work data by a court, or in connection with certain requests involving minors or persons incapable of managing their own affairs; or
- processing of education data (i.e., personal data in an educational record) processed by a court.
Some of the exemptions above apply to the extent that applying a right would be likely to prejudice, or would prevent or seriously impair the controller or processor from processing personal data in a way that is required for the relevant purpose.
In addition to the above, the right to be informed where the personal data are collected from the data subject (Art. 13 UK GDPR) and the right of access (Art. 15 UK GDPR) may not apply in the following scenarios:
- processing in connection with a corporate finance service;
- processing for the purposes of management forecasting or management planning in relation to a business or other activity;
- processing to record intentions relating to any negotiations with an individual;
- processing to give or receive a confidential reference for the purposes of prospective or actual employment, education or training;
- processing of exam scripts;
- where disclosure is prohibited or restricted by an enactment (note, this exemption is not applicable to the right to be informed under Art. 13 UK GDPR); or
- where the access request is for information containing the personal data of more than one individual (note, this exemption is not applicable to the right to be informed under Art. 13 UK GDPR).
Further, in respect of the right of access, where the controller is a credit reference agency, the controller need only comply with subject access requests in respect of personal data relating to the data subject’s financial standing, unless the data subject has indicated a contrary intention.
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on apportionment of liability between joint controllers.
Q10/ Processor
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
There are no additional pieces of legislation.
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
In addition to the provisions of the GDPR, as incorporated into domestic law through the UK GDPR, Impact Assessments are required in the circumstances included in the list of “high risk processing” issued by the DPA (see here).
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR, as incorporated into domestic law through the UK GDPR.
Q13/ DPOs
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are only mandatory in the circumstances set out in Art. 37(1) UK GDPR.
———
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
The DPO is bound by general common law, statutory and contractual secrecy and confidentiality obligations. This should not prevent the DPO from communicating with the DPA when he or she deems it appropriate.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
———
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
The UK GDPR imposes effectively the same transfer restrictions as those set out in the GDPR, in relation to transfers of personal data to recipients located outside the UK. The UK can also introduce its own adequacy regulations in relation to transfers of personal data from the UK to recipients located outside the UK. The UK has so far deemed that all EEA jurisdictions, and all existing Adequate Jurisdictions under the GDPR are also recognized as adequate for the purposes of the UK GDPR.
Brexit Note: Following the end of the Brexit implementation period, the UK is a third country for the purposes of EU law. The UK has sought an Adequacy Decision from the European Commission. If an Adequacy Decision is granted, it will be lawful to transfer personal data from the EEA to the UK without the need for additional protections. If an Adequacy Decision is not granted, then transfers of personal data from the EEA to the UK will be subject to the usual restrictions that apply under the GDPR with respect to transfers of personal data to any third country. In practice this would typically mean that Standard Contractual Clauses (see here) would have to be implemented between parties wishing to transfer data from the EEA to the UK.
The European Commission has agreed to delay implementing the GDPR transfer mechanism requirements for third countries with respect to the UK for at least four (extendable to six) months, whilst it considers whether to grant an Adequacy Decision to the UK. During this period, data can be transferred freely between the EEA and the UK.
Q15/ DPAs
(a) Details of the DPA(s).
- Name of DPA: The Information Commissioner
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
- Website: ico.org.uk
———
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
———
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
Not applicable.
———
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
The Data Protection Act grants the DPA powers to issue the following four types of notice:
- information notices requiring a controller, a processor or a person to provide information (within a specified timeframe) that the DPA reasonably requires to carry out their functions;
- assessment notices which require a controller or processor to grant the DPA access to premises, documents and equipment, to allow them to observe processing and to interview members of staff;
- enforcement notices which can be issued when a controller, processor, certification provider or monitoring body has failed to meet its obligations and allow the DPA to mandate or halt actions (such as processing or transfer of personal data); and
- penalty notices issued in respect of compliance failures requiring a controller, processor, certification provider or monitoring body to pay a fine.
———
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
Notices (including the categories of notice set out at Q15(d) above) issued by the DPA may be appealed to the First Tier Tribunal (Information Rights) within 28 calendar days of the decision.
An appeal which raises particularly complex or important issues may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. Decisions by the First Tier Tribunal may also be appealed to the Upper Tribunal. Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.
———
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
Under the Data Protection Act, information necessary for the discharge of the DPA’s functions is generally disclosable. However, where the DPA issues an information notice requiring a controller or processor to provide information, the following privileged information may be withheld:
- information which, if disclosed, would involve an infringement of parliamentary privileges;
- information in respect of a communication made between lawyer and client about compliance with or proceedings under data protection law; or
- information which would reveal evidence of the commission of an offence and expose the person to proceedings for that offence.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
Administrative fines may be imposed on public authorities, and there are no specific rules regarding fines for public authorities.
———
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
Brexit note: The Data Protection Act 2018 (as amended) provides for a GBP penalty/sanction scale as opposed to the EUR penalty scale in the GDPR. The maximum fine that can be imposed for breaches of the UK GDPR is £17,500,000 or 4% of an undertaking’s worldwide turnover for the preceding financial year.
The DPA may issue administrative fines by serving a penalty notice, as well as exercising the sanctions in Art. 58 UK GDPR through information notices, assessment notices and enforcement notices as set out in Q15(d) above.
In addition, the following are criminal offences (punishable by fines, not by imprisonment):
- making a false statement in response to an information notice served by the DPA;
- destroying or otherwise disposing of, concealing, blocking or falsifying information and documents (or causing or permitting these actions to be done);
- unlawfully obtaining criminal data;
- altering records in order to prevent disclosure in response to subject access request;
- intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data;
- requiring individuals to make a subject access request for health or criminal record information in certain circumstances (e.g., in an employment context); and
- obstructing the DPA in inspecting personal data to discharge an international obligation.
Directors, managers and similar officers are liable for offences committed by a company as a result of their consent, connivance or neglect.
The DPA can also serve monetary penalties on controllers who refuse to pay their data protection registration fee.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
The Data Protection Act makes exemptions based on Art. 85(2) UK GDPR for processing for the purpose of journalism, academic, artistic and literary purposes. See Q18(b) below.
———
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
Processing for the purpose of journalism, academic, artistic and literary purposes (the “special purposes”) is exempt from complying with the following obligations:
- all the processing principles other than the security principle (Art. 5(1)(f) UK GDPR) and accountability principle (Art. 5(2) UK GDPR);
- identifying legal bases for processing;
- conditions for consent (including children’s consent);
- conditions for processing sensitive personal data and data relating to criminal convictions and offences;
- processing which does not require identification;
- all the individual rights under Chapter III UK GDPR, other than rights related to automated individual decision-making including profiling;
- communicating personal data breaches to individual data subjects;
- consulting with the DPA regarding high-risk processing; and
- restrictions on international transfers of personal data.
The derogations only apply if the following criteria are met:
- the processing is being carried out with a view to the publication of journalistic, academic, artistic or literary material;
- the controller reasonably believes that compliance with these provisions would be incompatible with the special purposes; and
- the controller reasonably believes that publication of the material would be in the public interest, taking into account the special importance of the public interest in the freedom of expression and information. In respect of this issue specifically, controllers must have regard to codes of practice, including the BBC Editorial Guidelines, Ofcom Broadcasting Code and the Editors’ Code of Practice.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
There are no specific provisions governing this issue.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
There are no specific provisions governing the processing of employee data, other than those relating to employees’ sensitive personal data as set out in Q5(b)(i), Q5(b)(iii) & Q6.
———
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
There are no specific safeguards of this nature.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
The Data Protection Act contains a large number of derogations from the GDPR, the most material of which have been set out in this chapter already. A notable addition under UK law is that controllers must pay an annual data protection fee to the DPA unless they are exempt. The fee payable ranges from £40 to £2,900 and depends on the size of the controller, its turnover and, in some cases, the type of organisation.
Further, as set out throughout this chapter, following the UK’s departure from the EU, the UK has materially amended the GDPR itself to create the UK GDPR. The UK GDPR is broadly aligned with the GDPR, but is amended to: (a) reflect the fact that the UK GDPR only applies to the UK and not to all EU Member States; and (b) reallocate powers from European Union bodies to the UK Information Commissioner’s Office.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
Two campaign groups were granted permission in January 2019 to bring a judicial review against the immigration exemption to various data subject rights contained in the Data Protection Act. The claimants argue that the exemption permits the Home Office (as controller) to restrict access to personal data which the government believes is likely to prejudice “effective immigration control”. A hearing was held in the High Court on 23 July 2019. The High Court dismissed the claim, but this decision is currently under appeal in the Court of Appeal.
Q23/ Enforcement
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has taken a number of enforcement actions for breaches of the GDPR, including the following significant actions:
- in October 2020, issuing a penalty notice to impose a fine of £20 million on British Airways for allegedly failing to adequately safeguard customers’ personal data, resulting in the personal data of 500,000 customers being compromised (the ICO had initially issued a notice of intent to issue a fine of £183 million); and
- also in October 2020, issuing a penalty notice to impose a fine of £18 million on a global hospitality company for similarly allegedly failing to adequately safeguard customers’ personal data (the ICO had initially issued a notice of intent to issue a fine of £99 million).
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued a number of guidance materials (see here) on the application of the GDPR and/or GDPR implementation law, including the following (in English):
- general guidance on the GDPR and Data Protection Act (see here);
- guidance on the UK GDPR (see here);
- guidance on data protection and Brexit (see here);
- a privacy notice template (see here); and
- other GDPR resources for organisations (see here).
White & Case contributors
Tim Hickman |
|
Tim advises on all aspects of UK and EU privacy and data protection law, from general compliance issues (such as implementing privacy policies and consent forms) to more specialised issues (such as managing data breaches, structuring cross-border data transfers and complying with the “right to be forgotten”). Tim has a detailed knowledge of the EU’s General Data Protection Regulation (GDPR), and co-authored White & Case’s Handbook on that legislation (whitecase.com/eugdpr- handbook). Clients appreciate Tim’s ability to find pragmatic and commercial solutions to complex (and frequently multijurisdictional) data protection compliance questions. Tim has significant experience of working with a wide range of clients in the EU, Asia and the US. He has spent time on secondment at Google, advising on cutting-edge privacy and data protection issues. He has also spoken at several events at Harvard Law School, and he delivered the closing address at the Harvard European Law Conference 2019. |
John Timmons |
|
John advises on all aspects of UK and EU privacy, data protection and cybersecurity law. Key elements of his role include advising clients on general data protection compliance and providing specific advice on international data transfer solutions, compliance with local privacy and cybersecurity laws, information governance, e-privacy and direct marketing issues and online behavioural/targeted advertising strategies. John has a detailed knowledge of the EU’s General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and associated privacy and cybersecurity legislation. As a key member of the Firm’s Global Data, Privacy & Cybersecurity Practice, John focuses on providing practical and commercially attractive solutions for clients, taking account of the wider business and commercial context. He outlines risk positions and risk profiles to assist clients when making key decisions. John has significant experience working with a wide range of clients in the EU, the US and Asia. He has spent time on secondment with a national media company and has presented to a leading cybersecurity forum and financial institutions on data protection and privacy matters. |
Other chapters
- Foreword and issue-by-issue comparison
- Country-by-country guides:
———
See also:
Our Global Data, Privacy & Cybersecurity Practice »
GDPR Handbook: Unlocking the EU General Data Protection Regulation »
———
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP