Chwilio Deddfwriaeth

Data Protection Act 2018

Status:

Point in time view as at 31/12/2020.

Changes to legislation:

Data Protection Act 2018, Cross Heading: Enforcement notices is up to date with all changes known to be in force on or before 16 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

Enforcement noticesU.K.

149Enforcement noticesU.K.

(1)Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “enforcement notice”) which requires the person—

(a)to take steps specified in the notice, or

(b)to refrain from taking steps specified in the notice,

or both (and see also sections 150 and 151).

(2)The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following—

(a)a provision of Chapter II of the [F1UK GDPR] or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);

(b)a provision of Articles 12 to 22 of the [F2UK GDPR] or Part 3 or 4 of this Act conferring rights on a data subject;

(c)a provision of Articles 25 to 39 of the [F3UK GDPR] or section 64 or 65 of this Act (obligations of controllers and processors);

(d)a requirement to communicate a personal data breach to the Commissioner or a data subject under section 67, 68 or 108 of this Act;

(e)the principles for transfers of personal data to third countries, non-Convention countries and international organisations in Articles 44 to 49 of the [F4UK GDPR] or in sections 73 to 78 or 109 of this Act.

(3)The second type of failure is where a monitoring body has failed, or is failing, to comply with an obligation under Article 41 of the [F5UK GDPR] (monitoring of approved codes of conduct).

(4)The third type of failure is where a person who is a certification provider—

(a)does not meet the requirements for accreditation,

(b)has failed, or is failing, to comply with an obligation under Article 42 or 43 of the [F6UK GDPR] (certification of controllers and processors), or

(c)has failed, or is failing, to comply with any other provision of the [F7UK GDPR] (whether in the person's capacity as a certification provider or otherwise).

(5)The fourth type of failure is where a controller has failed, or is failing, to comply with regulations under section 137.

(6)An enforcement notice given in reliance on subsection (2), (3) or (5) may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure.

(7)An enforcement notice given in reliance on subsection (4) may only impose requirements which the Commissioner considers appropriate having regard to the failure (whether or not for the purpose of remedying the failure).

(8)The Secretary of State may by regulations confer power on the Commissioner to give an enforcement notice in respect of other failures to comply with the data protection legislation.

(9)Regulations under this section—

(a)may make provision about the giving of an enforcement notice in respect of the failure, including by amending this section and sections 150 to 152,

(b)may make provision about the giving of an information notice, an assessment notice or a penalty notice, or about powers of entry and inspection, in connection with the failure, including by amending sections 142, 143, 146, 147 and 155 to 157 and Schedules 15 and 16, and

(c)are subject to the affirmative resolution procedure.

Textual Amendments

Commencement Information

I1S. 149 in force at Royal Assent for specified purposes, see s. 212(2)(f)

150Enforcement notices: supplementaryU.K.

(1)An enforcement notice must—

(a)state what the person has failed or is failing to do, and

(b)give the Commissioner's reasons for reaching that opinion.

(2)In deciding whether to give an enforcement notice in reliance on section 149(2), the Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress.

(3)In relation to an enforcement notice given in reliance on section 149(2), the Commissioner's power under section 149(1)(b) to require a person to refrain from taking specified steps includes power—

(a)to impose a ban relating to all processing of personal data, or

(b)to impose a ban relating only to a specified description of processing of personal data, including by specifying one or more of the following—

(i)a description of personal data;

(ii)the purpose or manner of the processing;

(iii)the time when the processing takes place.

(4)An enforcement notice may specify the time or times at which, or period or periods within which, a requirement imposed by the notice must be complied with (but see the restrictions in subsections (6) to (8)).

(5)An enforcement notice must provide information about—

(a)the consequences of failure to comply with it, and

(b)the rights under sections 162 and 164 (appeals etc).

(6)An enforcement notice must not specify a time for compliance with a requirement in the notice which falls before the end of the period within which an appeal can be brought against the notice.

(7)If an appeal is brought against an enforcement notice, a requirement in the notice need not be complied with pending the determination or withdrawal of the appeal.

(8)If an enforcement notice—

(a)states that, in the Commissioner's opinion, it is necessary for a requirement to be complied with urgently, and

(b)gives the Commissioner's reasons for reaching that opinion,

subsections (6) and (7) do not apply but the notice must not require the requirement to be complied with before the end of the period of 24 hours beginning when the notice is given.

(9)In this section, “specified” means specified in an enforcement notice.

151Enforcement notices: rectification and erasure of personal data etcU.K.

(1)Subsections (2) and (3) apply where an enforcement notice is given in respect of a failure by a controller or processor—

(a)to comply with a data protection principle relating to accuracy, or

(b)to comply with a data subject's request to exercise rights under Article 16, 17 or 18 of the [F8UK GDPR] (right to rectification, erasure or restriction on processing) or section 46, 47 or 100 of this Act.

(2)If the enforcement notice requires the controller or processor to rectify or erase inaccurate personal data, it may also require the controller or processor to rectify or erase any other data which—

(a)is held by the controller or processor, and

(b)contains an expression of opinion which appears to the Commissioner to be based on the inaccurate personal data.

(3)Where a controller or processor has accurately recorded personal data provided by the data subject or a third party but the data is inaccurate, the enforcement notice may require the controller or processor—

(a)to take steps specified in the notice to ensure the accuracy of the data,

(b)if relevant, to secure that the data indicates the data subject's view that the data is inaccurate, and

(c)to supplement the data with a statement of the true facts relating to the matters dealt with by the data that is approved by the Commissioner,

(as well as imposing requirements under subsection (2)).

(4)When deciding what steps it is reasonable to specify under subsection (3)(a), the Commissioner must have regard to the purpose for which the data was obtained and further processed.

(5)Subsections (6) and (7) apply where—

(a)an enforcement notice requires a controller or processor to rectify or erase personal data, or

(b)the Commissioner is satisfied that the processing of personal data which has been rectified or erased by the controller or processor involved a failure described in subsection (1).

(6)An enforcement notice may, if reasonably practicable, require the controller or processor to notify third parties to whom the data has been disclosed of the rectification or erasure.

(7)In determining whether it is reasonably practicable to require such notification, the Commissioner must have regard, in particular, to the number of people who would have to be notified.

(8)In this section, “data protection principle relating to accuracy” means the principle in—

(a)Article 5(1)(d) of the [F9UK GDPR],

(b)section 38(1) of this Act, or

(c)section 89 of this Act.

152Enforcement notices: restrictionsU.K.

(1)The Commissioner may not give a controller or processor an enforcement notice in reliance on section 149(2) with respect to the processing of personal data for the special purposes unless—

(a)a determination under section 174 with respect to the data or the processing has taken effect, and

(b)a court has granted leave for the notice to be given.

(2)A court must not grant leave for the purposes of subsection (1)(b) unless it is satisfied that—

(a)the Commissioner has reason to suspect a failure described in section 149(2) which is of substantial public importance, and

(b)the controller or processor has been given notice of the application for leave in accordance with rules of court or the case is urgent.

(3)An enforcement notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.

(4)In the case of a joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities for compliance with that Part are determined in an arrangement under section 58 or 104, the Commissioner may only give the controller an enforcement notice in reliance on section 149(2) if the controller is responsible for compliance with the provision, requirement or principle in question.

153Enforcement notices: cancellation and variationU.K.

(1)The Commissioner may cancel or vary an enforcement notice by giving written notice to the person to whom it was given.

(2)A person to whom an enforcement notice is given may apply in writing to the Commissioner for the cancellation or variation of the notice.

(3)An application under subsection (2) may be made only—

(a)after the end of the period within which an appeal can be brought against the notice, and

(b)on the ground that, by reason of a change of circumstances, one or more of the provisions of that notice need not be complied with in order to remedy the failure identified in the notice.

Yn ôl i’r brig

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open y Ddeddf Gyfan

Y Ddeddf Gyfan you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open y Ddeddf Gyfan heb Atodlenni

Y Ddeddf Gyfan heb Atodlenni you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

Y Rhestrau you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Mae deddfwriaeth ar gael mewn fersiynau gwahanol:

Y Diweddaraf sydd Ar Gael (diwygiedig):Y fersiwn ddiweddaraf sydd ar gael o’r ddeddfwriaeth yn cynnwys newidiadau a wnaed gan ddeddfwriaeth ddilynol ac wedi eu gweithredu gan ein tîm golygyddol. Gellir gweld y newidiadau nad ydym wedi eu gweithredu i’r testun eto yn yr ardal ‘Newidiadau i Ddeddfwriaeth’.

Gwreiddiol (Fel y’i Deddfwyd neu y’i Gwnaed): Mae'r wreiddiol fersiwn y ddeddfwriaeth fel ag yr oedd pan gafodd ei deddfu neu eu gwneud. Ni wnaed unrhyw newidiadau i’r testun.

Pwynt Penodol mewn Amser: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.

Close

Gweler y wybodaeth ychwanegol ochr yn ochr â’r cynnwys

Rhychwant ddaearyddol: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Dangos Llinell Amser Newidiadau: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Dewisiadau Agor

Dewisiadau gwahanol i agor deddfwriaeth er mwyn gweld rhagor o gynnwys ar y sgrin ar yr un pryd

Close

Nodiadau Esboniadol

Testun a grëwyd gan yr adran o’r llywodraeth oedd yn gyfrifol am destun y Ddeddf i esbonio beth mae’r Ddeddf yn ceisio ei wneud ac i wneud y Ddeddf yn hygyrch i ddarllenwyr nad oes ganddynt gymhwyster cyfreithiol. Cyflwynwyd Nodiadau Esboniadol ym 1999 ac maent yn cyd-fynd â phob Deddf Gyhoeddus ac eithrio Deddfau Adfeddiannu, Cronfa Gyfunol, Cyllid a Chyfnerthiad.

Close

Rhagor o Adnoddau

Gallwch wneud defnydd o ddogfennau atodol hanfodol a gwybodaeth ar gyfer yr eitem ddeddfwriaeth o’r tab hwn. Yn ddibynnol ar yr eitem ddeddfwriaeth sydd i’w gweld, gallai hyn gynnwys:

  • y PDF print gwreiddiol y fel deddfwyd fersiwn a ddefnyddiwyd am y copi print
  • rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
  • manylion rhoi grym a newid cyffredinol
  • pob fformat o’r holl ddogfennau cysylltiedig
  • slipiau cywiro
  • dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Close

Llinell Amser Newidiadau

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

Rhagor o Adnoddau

Defnyddiwch y ddewislen hon i agor dogfennau hanfodol sy’n cyd-fynd â’r ddeddfwriaeth a gwybodaeth am yr eitem hon o ddeddfwriaeth. Gan ddibynnu ar yr eitem o ddeddfwriaeth sy’n cael ei gweld gall hyn gynnwys:

  • y PDF print gwreiddiol y fel deddfwyd fersiwn a ddefnyddiwyd am y copi print
  • slipiau cywiro

liciwch ‘Gweld Mwy’ neu ddewis ‘Rhagor o Adnoddau’ am wybodaeth ychwanegol gan gynnwys

  • rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
  • manylion rhoi grym a newid cyffredinol
  • pob fformat o’r holl ddogfennau cysylltiedig
  • dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill