2. Amendment of the Privacy and Electronic Communications (EC Directive) Regulations 2003

(1)

Schedule 1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003 is amended as follows.

(2)

Before paragraph 1 insert the following heading—
“Modifications of the Data Protection Act 1998”.

(3)

In paragraph 8AA

(a)

after paragraph (c) insert—

“(ca)

before subsection (4) there shall be inserted the following subsections—

“(3B)

If a monetary penalty notice has been served under this section on a body, the Commissioner may also serve a monetary penalty notice on an officer of the body if the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body—

(a)

took place with the consent or connivance of the officer, or

(b)

was attributable to any neglect on the part of the officer.

(3C)

In subsection (3B)—

“body” means a body corporate or a Scottish partnership;

“officer” in relation to a body means—

(a)

in relation to a body corporate—

(i)

a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or

(ii)

where the affairs of the body are managed by its members, a member; or

(b)

in relation to a Scottish partnership, a partner or any person purporting to act as a partner.”

(b)

in paragraph (d), after “person” (but before the closing quotation mark following it) insert “on whom it is served”.

(4)

At the end insert the following—

“Modifications of secondary legislation

12. Modification of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

(1)

The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are extended for the purposes of these Regulations and have effect subject to the following modifications.

(2)

Regulation 1 applies as if in paragraph (2), at the end, there were inserted “as modified by regulation 31(1) of, and Schedule 1 to, the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

(3)

Regulation 3 (notices of intent) applies as if—

(a)

in paragraph (a) for “data controller” there were substituted “person”;

(b)

paragraph (b)(i) were omitted;

(c)

for paragraph (b)(ii) there were substituted—

“(ii)

the nature of the contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003,”; and

(d)

in a case where paragraph 8AA of Schedule 1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003 applies—

(i)

paragraph (b)(iv) were omitted, and

(ii)

after paragraph (v) there were inserted—

“(vi)

if the notice is served on an officer of a body, the reason the Commissioner considers that the officer has responsibility for the contravention.”.

(4)

Regulation 4 (monetary penalty notices) applies as if—

(a)

in paragraphs (a), (b) and (g) for “data controller” there were substituted “person”;

(b)

paragraph (d)(i) were omitted;

(c)

for paragraph (d)(ii) there were substituted—

“(ii)

the nature of the contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003,”; and

(d)

in a case where paragraph 8AA of Schedule 1 to the Privacy and Electronic Communications Regulations 2003 applies—

(i)

paragraph (d)(iv) were omitted, and

(ii)

after paragraph (d)(v) there were inserted—

“(vi)

if the notice is served on an officer of a body, the reason the Commissioner considers that the officer has responsibility for the contravention;”.

13. Modification of the Data Protection (Monetary Penalties) Order 2010

(1)

The Data Protection (Monetary Penalties) Order 2010 is extended and has effect for the purposes of these Regulations subject to the following modifications.

(2)

Article 1(2) (interpretation) applies as if at the end there were inserted “as modified by regulation 31(1) of, and Schedule 1 to, the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

(3)

Article 5(2) (monetary penalty notices: cancellation) applies as if after “take any further action” there were inserted “against the person on whom that notice was served”.

(4)

Article 6(c) (monetary penalty notices: enforcement) applies as if for “data controller” there were substituted “person on whom the notice is served””.