- Latest available (Revised)
- Original (As enacted)
This is the original version (as it was originally enacted).
This Chapter sets out—
(a)the general obligations of controllers and processors (see sections 102 to 106);
(b)specific obligations of controllers and processors with respect to security (see section 107);
(c)specific obligations of controllers and processors with respect to personal data breaches (see section 108).
Each controller must implement appropriate measures—
(a)to ensure, and
(b)to be able to demonstrate, in particular to the Commissioner,
that the processing of personal data complies with the requirements of this Part.
(1)Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.
(2)A controller must implement appropriate technical and organisational measures which are designed to ensure that—
(a)the data protection principles are implemented, and
(b)risks to the rights and freedoms of data subjects are minimised.
(1)Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.
(2)Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.
(3)The arrangement must designate the controller which is to be the contact point for data subjects.
(1)This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
(2)The controller may use only a processor who undertakes—
(a)to implement appropriate measures that are sufficient to secure that the processing complies with this Part;
(b)to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.
(3)If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.
A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—
(a)on instructions from the controller, or
(b)to comply with a legal obligation.
(1)Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.
(2)In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—
(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with it,
(b)ensure that it is possible to establish the precise details of any processing that takes place,
(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
(1)If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.
(2)Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.
(3)Subject to subsection (4), the notification must include—
(a)a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b)the name and contact details of the contact point from whom more information can be obtained;
(c)a description of the likely consequences of the personal data breach;
(d)a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(4)Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.
(5)If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.
(6)Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.
(7)For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: