Data Protection Act 2018

149Enforcement noticesU.K.

This adran has no associated Nodiadau Esboniadol

(1)Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “enforcement notice”) which requires the person—

(a)to take steps specified in the notice, or

(b)to refrain from taking steps specified in the notice,

or both (and see also sections 150 and 151).

(2)The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following—

(a)a provision of Chapter II of the [F1UK GDPR] or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);

(b)a provision of Articles 12 to 22 of the [F2UK GDPR] or Part 3 or 4 of this Act conferring rights on a data subject;

(c)a provision of Articles 25 to 39 of the [F3UK GDPR] or section 64 or 65 of this Act (obligations of controllers and processors);

(d)a requirement to communicate a personal data breach to the Commissioner or a data subject under section 67, 68 or 108 of this Act;

(e)the principles for transfers of personal data to third countries, non-Convention countries and international organisations in Articles 44 to 49 of the [F4UK GDPR] or in sections 73 to 78 or 109 of this Act.

(3)The second type of failure is where a monitoring body has failed, or is failing, to comply with an obligation under Article 41 of the [F5UK GDPR] (monitoring of approved codes of conduct).

(4)The third type of failure is where a person who is a certification provider—

(a)does not meet the requirements for accreditation,

(b)has failed, or is failing, to comply with an obligation under Article 42 or 43 of the [F6UK GDPR] (certification of controllers and processors), or

(c)has failed, or is failing, to comply with any other provision of the [F7UK GDPR] (whether in the person's capacity as a certification provider or otherwise).

(5)The fourth type of failure is where a controller has failed, or is failing, to comply with regulations under section 137.

(6)An enforcement notice given in reliance on subsection (2), (3) or (5) may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure.

(7)An enforcement notice given in reliance on subsection (4) may only impose requirements which the Commissioner considers appropriate having regard to the failure (whether or not for the purpose of remedying the failure).

(8)The Secretary of State may by regulations confer power on the Commissioner to give an enforcement notice in respect of other failures to comply with the data protection legislation.

(9)Regulations under this section—

(a)may make provision about the giving of an enforcement notice in respect of the failure, including by amending this section and sections 150 to 152,

(b)may make provision about the giving of an information notice, an assessment notice or a penalty notice, or about powers of entry and inspection, in connection with the failure, including by amending sections 142, 143, 146, 147 and 155 to 157 and Schedules 15 and 16, and

(c)are subject to the affirmative resolution procedure.

Textual Amendments

Commencement Information

I1S. 149 in force at Royal Assent for specified purposes, see s. 212(2)(f)