Each controller must implement appropriate measures—
(a) to ensure, and
(b) to be able to demonstrate, in particular to the Commissioner,
that the processing of personal data complies with the requirements of this Part.
Commencement Information
I1 S. 102 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(b)
(1) Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.
(2) A controller must implement appropriate technical and organisational measures which are designed to ensure that—
(a) the data protection principles are implemented, and
(b) risks to the rights and freedoms of data subjects are minimised.
Commencement Information
I2 S. 103 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(c)
(1) Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.
(2) Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.
(3) The arrangement must designate the controller which is to be the contact point for data subjects.
Commencement Information
I3 S. 104 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(d)
(1) This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
(2) The controller may use only a processor who undertakes—
(a) to implement appropriate measures that are sufficient to secure that the processing complies with this Part;
(b) to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.
(3) If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.
Commencement Information
I4 S. 105 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(e)
A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—
(a) on instructions from the controller, or
(b) to comply with a legal obligation.