- Latest available (Revised)
- Original (As enacted)
Data Protection Act 2018, PART 6 is up to date with all changes known to be in force on or before 22 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Whole provisions yet to be inserted into this Act (including any effects on those provisions):
(1)The Commissioner may, by written notice (an “information notice”)—
(a)require a controller or processor to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of carrying out the Commissioner's functions under the data protection legislation, or
(b)require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—
(i)investigating a suspected failure of a type described in section 149(2) or a suspected offence under this Act, or
(ii)determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.
(2)An information notice must state—
(a)whether it is given under subsection (1)(a), (b)(i) or (b)(ii), and
(b)why the Commissioner requires the information.
(3)An information notice—
(a)may specify or describe particular information or a category of information;
(b)may specify the form in which the information must be provided;
(c)may specify the time at which, or the period within which, the information must be provided;
(d)may specify the place where the information must be provided;
(but see the restrictions in subsections (5) to (7)).
(4)An information notice must provide information about—
(a)the consequences of failure to comply with it, and
(b)the rights under sections 162 and 164 (appeals etc).
(5)An information notice may not require a person to provide information before the end of the period within which an appeal can be brought against the notice.
(6)If an appeal is brought against an information notice, the information need not be provided pending the determination or withdrawal of the appeal.
(7)If an information notice—
(a)states that, in the Commissioner's opinion, the information is required urgently, and
(b)gives the Commissioner's reasons for reaching that opinion,
subsections (5) and (6) do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.
(8)The Commissioner may cancel an information notice by written notice to the person to whom it was given.
(9)In subsection (1), in relation to a person who is a controller or processor for the purposes of the [F1UK GDPR], the reference to a controller or processor includes a representative of a controller or processor designated under Article 27 of the [F1UK GDPR] (representatives of controllers or processors not established in [F2the United Kingdom]).
(10)Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (1)(b).
Textual Amendments
F1Words in s. 142(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 59(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in s. 142(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 59(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner may not give an information notice with respect to the processing of personal data for the special purposes unless—
(a)a determination under section 174 with respect to the data or the processing has taken effect, or
(b)the Commissioner—
(i)has reasonable grounds for suspecting that such a determination could be made, and
(ii)the information is required for the purposes of making such a determination.
(2)An information notice does not require a person to give the Commissioner information to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.
(3)An information notice does not require a person to give the Commissioner information in respect of a communication which is made—
(a)between a professional legal adviser and the adviser's client, and
(b)in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
(4)An information notice does not require a person to give the Commissioner information in respect of a communication which is made—
(a)between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
(b)in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
(c)for the purposes of such proceedings.
(5)In subsections (3) and (4), references to the client of a professional legal adviser include references to a person acting on behalf of the client.
(6)An information notice does not require a person to provide the Commissioner with information if doing so would, by revealing evidence of the commission of an offence expose the person to proceedings for that offence.
(7)The reference to an offence in subsection (6) does not include an offence under—
(a)this Act;
(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);
(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);
(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
(8)An oral or written statement provided by a person in response to an information notice may not be used in evidence against that person on a prosecution for an offence under this Act (other than an offence under section 144) unless in the proceedings—
(a)in giving evidence the person provides information inconsistent with the statement, and
(b)evidence relating to the statement is adduced, or a question relating to it is asked, by that person or on that person's behalf.
(9)In subsection (6), in relation to an information notice given to a representative of a controller or processor designated under Article 27 of the [F3UK GDPR], the reference to the person providing the information being exposed to proceedings for an offence includes a reference to the controller or processor being exposed to such proceedings.
Textual Amendments
F3Words in s. 143(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 60 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
It is an offence for a person, in response to an information notice—
(a)to make a statement which the person knows to be false in a material respect, or
(b)recklessly to make a statement which is false in a material respect.
(1)This section applies if, on an application by the Commissioner, a court is satisfied that a person has failed to comply with a requirement of an information notice.
(2)The court may make an order requiring the person to provide to the Commissioner some or all of the following—
(a)information referred to in the information notice;
(b)other information which the court is satisfied the Commissioner requires, having regard to the statement included in the notice in accordance with section 142(2)(b).
(3)The order—
(a)may specify the form in which the information must be provided,
(b)must specify the time at which, or the period within which, the information must be provided, and
(c)may specify the place where the information must be provided.
(1)The Commissioner may by written notice (an “assessment notice”) require a controller or processor to permit the Commissioner to carry out an assessment of whether the controller or processor has complied or is complying with the data protection legislation.
(2)An assessment notice may require the controller or processor to do any of the following—
(a)permit the Commissioner to enter specified premises;
(b)direct the Commissioner to documents on the premises that are of a specified description;
(c)assist the Commissioner to view information of a specified description that is capable of being viewed using equipment on the premises;
(d)comply with a request from the Commissioner for a copy (in such form as may be requested) of—
(i)the documents to which the Commissioner is directed;
(ii)the information which the Commissioner is assisted to view;
(e)direct the Commissioner to equipment or other material on the premises which is of a specified description;
(f)permit the Commissioner to inspect or examine the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
(g)provide the Commissioner with an explanation of such documents, information, equipment or material;
(h)permit the Commissioner to observe the processing of personal data that takes place on the premises;
(i)make available for interview by the Commissioner a specified number of people of a specified description who process personal data on behalf of the controller, not exceeding the number who are willing to be interviewed.
(3)In subsection (2), references to the Commissioner include references to the Commissioner's officers and staff.
(4)An assessment notice must, in relation to each requirement imposed by the notice, specify the time or times at which, or period or periods within which, the requirement must be complied with (but see the restrictions in subsections (6) to (9)).
(5)An assessment notice must provide information about—
(a)the consequences of failure to comply with it, and
(b)the rights under sections 162 and 164 (appeals etc).
(6)An assessment notice may not require a person to do anything before the end of the period within which an appeal can be brought against the notice.
(7)If an appeal is brought against an assessment notice, the controller or processor need not comply with a requirement in the notice pending the determination or withdrawal of the appeal.
(8)If an assessment notice—
(a)states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice urgently,
(b)gives the Commissioner's reasons for reaching that opinion, and
(c)does not meet the conditions in subsection (9)(a) to (d),
subsections (6) and (7) do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.
(9)If an assessment notice—
(a)states that, in the Commissioner's opinion, there are reasonable grounds for suspecting that a controller or processor has failed or is failing as described in section 149(2) or that an offence under this Act has been or is being committed,
(b)indicates the nature of the suspected failure or offence,
(c)does not specify domestic premises,
(d)states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice in less than 7 days, and
(e)gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply.
(10)The Commissioner may cancel an assessment notice by written notice to the controller or processor to whom it was given.
(11)Where the Commissioner gives an assessment notice to a processor, the Commissioner must, so far as reasonably practicable, give a copy of the notice to each controller for whom the processor processes personal data.
(12)In this section—
“domestic premises” means premises, or a part of premises, used as a dwelling;
“specified” means specified in an assessment notice.
(1)An assessment notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.
(2)An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
(a)between a professional legal adviser and the adviser's client, and
(b)in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
(3)An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
(a)between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
(b)in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
(c)for the purposes of such proceedings.
(4)In subsections (2) and (3)—
(a)references to the client of a professional legal adviser include references to a person acting on behalf of such a client, and
(b)references to a communication include—
(i)a copy or other record of the communication, and
(ii)anything enclosed with or referred to in the communication if made as described in subsection (2)(b) or in subsection (3)(b) and (c).
(5)The Commissioner may not give a controller or processor an assessment notice with respect to the processing of personal data for the special purposes.
(6)The Commissioner may not give an assessment notice to—
(a)a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or
(b)the Office for Standards in Education, Children's Services and Skills in so far as it is a controller or processor in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
(1)This section applies where a person—
(a)has been given an information notice requiring the person to provide the Commissioner with information, or
(b)has been given an assessment notice requiring the person to direct the Commissioner to a document, equipment or other material or to assist the Commissioner to view information.
(2)It is an offence for the person—
(a)to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material, or
(b)to cause or permit the destruction, disposal, concealment, blocking or (where relevant) falsification of all or part of the information, document, equipment or material,
with the intention of preventing the Commissioner from viewing, or being provided with or directed to, all or part of the information, document, equipment or material.
(3)It is a defence for a person charged with an offence under subsection (2) to prove that the destruction, disposal, concealment, blocking or falsification would have occurred in the absence of the person being given the notice.
(1)Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “enforcement notice”) which requires the person—
(a)to take steps specified in the notice, or
(b)to refrain from taking steps specified in the notice,
or both (and see also sections 150 and 151).
(2)The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following—
(a)a provision of Chapter II of the [F4UK GDPR] or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);
(b)a provision of Articles 12 to 22 of the [F5UK GDPR] or Part 3 or 4 of this Act conferring rights on a data subject;
(c)a provision of Articles 25 to 39 of the [F6UK GDPR] or section 64 or 65 of this Act (obligations of controllers and processors);
(d)a requirement to communicate a personal data breach to the Commissioner or a data subject under section 67, 68 or 108 of this Act;
(e)the principles for transfers of personal data to third countries, non-Convention countries and international organisations in Articles 44 to 49 of the [F7UK GDPR] or in sections 73 to 78 or 109 of this Act.
(3)The second type of failure is where a monitoring body has failed, or is failing, to comply with an obligation under Article 41 of the [F8UK GDPR] (monitoring of approved codes of conduct).
(4)The third type of failure is where a person who is a certification provider—
(a)does not meet the requirements for accreditation,
(b)has failed, or is failing, to comply with an obligation under Article 42 or 43 of the [F9UK GDPR] (certification of controllers and processors), or
(c)has failed, or is failing, to comply with any other provision of the [F10UK GDPR] (whether in the person's capacity as a certification provider or otherwise).
(5)The fourth type of failure is where a controller has failed, or is failing, to comply with regulations under section 137.
(6)An enforcement notice given in reliance on subsection (2), (3) or (5) may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure.
(7)An enforcement notice given in reliance on subsection (4) may only impose requirements which the Commissioner considers appropriate having regard to the failure (whether or not for the purpose of remedying the failure).
(8)The Secretary of State may by regulations confer power on the Commissioner to give an enforcement notice in respect of other failures to comply with the data protection legislation.
(9)Regulations under this section—
(a)may make provision about the giving of an enforcement notice in respect of the failure, including by amending this section and sections 150 to 152,
(b)may make provision about the giving of an information notice, an assessment notice or a penalty notice, or about powers of entry and inspection, in connection with the failure, including by amending sections 142, 143, 146, 147 and 155 to 157 and Schedules 15 and 16, and
(c)are subject to the affirmative resolution procedure.
Textual Amendments
F4Words in s. 149(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in s. 149(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in s. 149(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7Words in s. 149(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in s. 149(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in s. 149(4)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in s. 149(4)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I1S. 149 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)An enforcement notice must—
(a)state what the person has failed or is failing to do, and
(b)give the Commissioner's reasons for reaching that opinion.
(2)In deciding whether to give an enforcement notice in reliance on section 149(2), the Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress.
(3)In relation to an enforcement notice given in reliance on section 149(2), the Commissioner's power under section 149(1)(b) to require a person to refrain from taking specified steps includes power—
(a)to impose a ban relating to all processing of personal data, or
(b)to impose a ban relating only to a specified description of processing of personal data, including by specifying one or more of the following—
(i)a description of personal data;
(ii)the purpose or manner of the processing;
(iii)the time when the processing takes place.
(4)An enforcement notice may specify the time or times at which, or period or periods within which, a requirement imposed by the notice must be complied with (but see the restrictions in subsections (6) to (8)).
(5)An enforcement notice must provide information about—
(a)the consequences of failure to comply with it, and
(b)the rights under sections 162 and 164 (appeals etc).
(6)An enforcement notice must not specify a time for compliance with a requirement in the notice which falls before the end of the period within which an appeal can be brought against the notice.
(7)If an appeal is brought against an enforcement notice, a requirement in the notice need not be complied with pending the determination or withdrawal of the appeal.
(8)If an enforcement notice—
(a)states that, in the Commissioner's opinion, it is necessary for a requirement to be complied with urgently, and
(b)gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply but the notice must not require the requirement to be complied with before the end of the period of 24 hours beginning when the notice is given.
(9)In this section, “specified” means specified in an enforcement notice.
(1)Subsections (2) and (3) apply where an enforcement notice is given in respect of a failure by a controller or processor—
(a)to comply with a data protection principle relating to accuracy, or
(b)to comply with a data subject's request to exercise rights under Article 16, 17 or 18 of the [F11UK GDPR] (right to rectification, erasure or restriction on processing) or section 46, 47 or 100 of this Act.
(2)If the enforcement notice requires the controller or processor to rectify or erase inaccurate personal data, it may also require the controller or processor to rectify or erase any other data which—
(a)is held by the controller or processor, and
(b)contains an expression of opinion which appears to the Commissioner to be based on the inaccurate personal data.
(3)Where a controller or processor has accurately recorded personal data provided by the data subject or a third party but the data is inaccurate, the enforcement notice may require the controller or processor—
(a)to take steps specified in the notice to ensure the accuracy of the data,
(b)if relevant, to secure that the data indicates the data subject's view that the data is inaccurate, and
(c)to supplement the data with a statement of the true facts relating to the matters dealt with by the data that is approved by the Commissioner,
(as well as imposing requirements under subsection (2)).
(4)When deciding what steps it is reasonable to specify under subsection (3)(a), the Commissioner must have regard to the purpose for which the data was obtained and further processed.
(5)Subsections (6) and (7) apply where—
(a)an enforcement notice requires a controller or processor to rectify or erase personal data, or
(b)the Commissioner is satisfied that the processing of personal data which has been rectified or erased by the controller or processor involved a failure described in subsection (1).
(6)An enforcement notice may, if reasonably practicable, require the controller or processor to notify third parties to whom the data has been disclosed of the rectification or erasure.
(7)In determining whether it is reasonably practicable to require such notification, the Commissioner must have regard, in particular, to the number of people who would have to be notified.
(8)In this section, “data protection principle relating to accuracy” means the principle in—
(a)Article 5(1)(d) of the [F12UK GDPR],
(b)section 38(1) of this Act, or
(c)section 89 of this Act.
Textual Amendments
F11Words in s. 151(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 62 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12Words in s. 151(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 62 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner may not give a controller or processor an enforcement notice in reliance on section 149(2) with respect to the processing of personal data for the special purposes unless—
(a)a determination under section 174 with respect to the data or the processing has taken effect, and
(b)a court has granted leave for the notice to be given.
(2)A court must not grant leave for the purposes of subsection (1)(b) unless it is satisfied that—
(a)the Commissioner has reason to suspect a failure described in section 149(2) which is of substantial public importance, and
(b)the controller or processor has been given notice of the application for leave in accordance with rules of court or the case is urgent.
(3)An enforcement notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.
(4)In the case of a joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities for compliance with that Part are determined in an arrangement under section 58 or 104, the Commissioner may only give the controller an enforcement notice in reliance on section 149(2) if the controller is responsible for compliance with the provision, requirement or principle in question.
(1)The Commissioner may cancel or vary an enforcement notice by giving written notice to the person to whom it was given.
(2)A person to whom an enforcement notice is given may apply in writing to the Commissioner for the cancellation or variation of the notice.
(3)An application under subsection (2) may be made only—
(a)after the end of the period within which an appeal can be brought against the notice, and
(b)on the ground that, by reason of a change of circumstances, one or more of the provisions of that notice need not be complied with in order to remedy the failure identified in the notice.
Schedule 15 makes provision about powers of entry and inspection.
(1)If the Commissioner is satisfied that a person—
(a)has failed or is failing as described in section 149(2), (3), (4) or (5), or
(b)has failed to comply with an information notice, an assessment notice or an enforcement notice,
the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount in sterling specified in the notice.
(2)Subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the following, so far as relevant—
(a)to the extent that the notice concerns a matter to which the [F13UK GDPR] applies, the matters listed in Article 83(1) and (2) of the [F13UK GDPR];
(b)to the extent that the notice concerns another matter, the matters listed in subsection (3).
(3)Those matters are—
(a)the nature, gravity and duration of the failure;
(b)the intentional or negligent character of the failure;
(c)any action taken by the controller or processor to mitigate the damage or distress suffered by data subjects;
(d)the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by the controller or processor in accordance with section 57, 66, 103 or 107;
(e)any relevant previous failures by the controller or processor;
(f)the degree of co-operation with the Commissioner, in order to remedy the failure and mitigate the possible adverse effects of the failure;
(g)the categories of personal data affected by the failure;
(h)the manner in which the infringement became known to the Commissioner, including whether, and if so to what extent, the controller or processor notified the Commissioner of the failure;
(i)the extent to which the controller or processor has complied with previous enforcement notices or penalty notices;
(j)adherence to approved codes of conduct or certification mechanisms;
(k)any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, as a result of the failure (whether directly or indirectly);
(l)whether the penalty would be effective, proportionate and dissuasive.
(4)Subsections (2) and (3) do not apply in the case of a decision or determination relating to a failure described in section 149(5).
(5)Schedule 16 makes further provision about penalty notices, including provision requiring the Commissioner to give a notice of intent to impose a penalty and provision about payment, variation, cancellation and enforcement.
(6)The Secretary of State may by regulations—
(a)confer power on the Commissioner to give a penalty notice in respect of other failures to comply with the data protection legislation, and
(b)provide for the maximum penalty that may be imposed in relation to such failures to be either the standard maximum amount or the higher maximum amount.
(7)Regulations under this section—
(a)may make provision about the giving of penalty notices in respect of the failure,
(b)may amend this section and sections 156 to 158, and
(c)are subject to the affirmative resolution procedure.
(8)In this section, “higher maximum amount” and “standard maximum amount” have the same meaning as in section 157.
Textual Amendments
F13Words in s. 155(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 63 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I2S. 155 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)The Commissioner may not give a controller or processor a penalty notice in reliance on section 149(2) with respect to the processing of personal data for the special purposes unless—
(a)a determination under section 174 with respect to the data or the processing has taken effect, and
(b)a court has granted leave for the notice to be given.
(2)A court must not grant leave for the purposes of subsection (1)(b) unless it is satisfied that—
(a)the Commissioner has reason to suspect a failure described in section 149(2) which is of substantial public importance, and
(b)the controller or processor has been given notice of the application for leave in accordance with rules of court or the case is urgent.
(3)The Commissioner may not give a controller or processor a penalty notice with respect to the processing of personal data where the purposes and manner of the processing are determined by or on behalf of either House of Parliament.
(4)The Commissioner may not give a penalty notice to—
(a)the Crown Estate Commissioners, or
(b)a person who is a controller by virtue of section 209(4) (controller for the Royal Household etc).
(5)In the case of a joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities for compliance with that Part are determined in an arrangement under section 58 or 104, the Commissioner may only give the controller a penalty notice in reliance on section 149(2) if the controller is responsible for compliance with the provision, requirement or principle in question.
(1)In relation to an infringement of a provision of the [F14UK GDPR], the maximum amount of the penalty that may be imposed by a penalty notice is—
(a)the amount specified in Article 83 of the [F14UK GDPR], or
(b)if an amount is not specified there, the standard maximum amount.
(2)In relation to an infringement of a provision of Part 3 of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is—
(a)in relation to a failure to comply with section 35, 36, 37, 38(1), 39(1), 40, 44, 45, 46, 47, 48, 49, 52, 53, 73, F15... 75, 76, 77 or 78, the higher maximum amount, and
(b)otherwise, the standard maximum amount.
(3)In relation to an infringement of a provision of Part 4 of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is—
(a)in relation to a failure to comply with section 86, 87, 88, 89, 90, 91, 93, 94, 100 or 109, the higher maximum amount, and
(b)otherwise, the standard maximum amount.
(4)In relation to a failure to comply with an information notice, an assessment notice or an enforcement notice, the maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount.
(5)The “higher maximum amount” is—
(a)in the case of an undertaking, [F16£17,500,000] or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or
(b)in any other case, [F16£17,500,000].
(6)The “standard maximum amount” is—
(a)in the case of an undertaking, [F17£8,700,000] or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or
(b)in any other case, [F17£8,700,000].
F18(7). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F14Words in s. 157(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15Word in s. 157(2)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F16Sum in s. 157(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F17Sum in s. 157(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F18S. 157(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner must produce and publish a document specifying the amount of the penalty for a failure to comply with regulations made under section 137.
(2)The Commissioner may specify different amounts for different types of failure.
(3)The maximum amount that may be specified is 150% of the highest charge payable by a controller in respect of a financial year in accordance with the regulations, disregarding any discount available under the regulations.
(4)The Commissioner—
(a)may alter or replace the document, and
(b)must publish any altered or replacement document.
(5)Before publishing a document under this section (including any altered or replacement document), the Commissioner must consult—
(a)the Secretary of State, and
(b)such other persons as the Commissioner considers appropriate.
(6)The Commissioner must arrange for a document published under this section (including any altered or replacement document) to be laid before Parliament.
(1)For the purposes of Article 83 of the [F19UK GDPR] and section 157, the Secretary of State may by regulations—
(a)provide that a person of a description specified in the regulations is or is not an undertaking, and
(b)make provision about how an undertaking's turnover is to be determined.
(2)For the purposes of Article 83 of the [F20UK GDPR], section 157 and section 158, the Secretary of State may by regulations provide that a period is or is not a financial year.
(3)Regulations under this section are subject to the affirmative resolution procedure.
Textual Amendments
F19Words in s. 159(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 65 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F20Words in s. 159(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 65 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I3S. 159 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)The Commissioner must produce and publish guidance about how the Commissioner proposes to exercise the Commissioner's functions in connection with—
(a)information notices,
(b)assessment notices,
(c)enforcement notices, and
(d)penalty notices.
(2)The Commissioner may produce and publish guidance about how the Commissioner proposes to exercise the Commissioner's other functions under this Part.
(3)In relation to information notices, the guidance must include—
(a)provision specifying factors to be considered in determining the time at which, or the period within which, information is to be required to be provided;
(b)provision about the circumstances in which the Commissioner would consider it appropriate to give an information notice to a person in reliance on section 142(7) (urgent cases);
(c)provision about how the Commissioner will determine how to proceed if a person does not comply with an information notice.
(4)In relation to assessment notices, the guidance must include—
(a)provision specifying factors to be considered in determining whether to give an assessment notice to a person;
(b)provision about the circumstances in which the Commissioner would consider it appropriate to give an assessment notice in reliance on section 146(8) or (9) (urgent cases);
(c)provision specifying descriptions of documents or information that—
(i)are not to be examined or inspected in accordance with an assessment notice, or
(ii)are to be so examined or inspected only by a person of a description specified in the guidance;
(d)provision about the nature of inspections and examinations carried out in accordance with an assessment notice;
(e)provision about the nature of interviews carried out in accordance with an assessment notice;
(f)provision about the preparation, issuing and publication by the Commissioner of assessment reports in respect of controllers and processors that have been given assessment notices;
(g)provision about how the Commissioner will determine how to proceed if a person does not comply with an assessment notice.
(5)The guidance produced in accordance with subsection (4)(c) must include provisions that relate to—
(a)documents and information concerning an individual's physical or mental health;
(b)documents and information concerning the provision of social care for an individual.
(6)In relation to enforcement notices, the guidance must include—
(a)provision specifying factors to be considered in determining whether to give an enforcement notice to a person;
(b)provision about the circumstances in which the Commissioner would consider it appropriate to give an enforcement notice to a person in reliance on section 150(8) (urgent cases);
(c)provision about how the Commissioner will determine how to proceed if a person does not comply with an enforcement notice.
(7)In relation to penalty notices, the guidance must include—
(a)provision about the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice;
(b)provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner's intention to give the person a penalty notice;
(c)provision explaining how the Commissioner will determine the amount of penalties;
(d)provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice.
(8)The Commissioner—
(a)may alter or replace guidance produced under this section, and
(b)must publish any altered or replacement guidance.
(9)Before producing guidance under this section (including any altered or replacement guidance), the Commissioner must consult—
(a)the Secretary of State, and
(b)such other persons as the Commissioner considers appropriate.
(10)Section 161 applies in relation to the first guidance under subsection (1).
(11)The Commissioner must arrange for other guidance under this section (including any altered or replacement guidance) to be laid before Parliament.
(12)In this section, “social care” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act).
(1)When the first guidance is produced under section 160(1)—
(a)the Commissioner must submit the final version to the Secretary of State, and
(b)the Secretary of State must lay the guidance before Parliament.
(2)If, within the 40-day period, either House of Parliament resolves not to approve the guidance—
(a)the Commissioner must not issue the guidance, and
(b)the Commissioner must produce another version of the guidance (and this section applies to that version).
(3)If, within the 40-day period, no such resolution is made—
(a)the Commissioner must issue the guidance, and
(b)the guidance comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(4)Nothing in subsection (2)(a) prevents another version of the guidance being laid before Parliament.
(5)In this section, “the 40-day period” means—
(a)if the guidance is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
(b)if the guidance is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
(6)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
(1)A person who is given any of the following notices may appeal to the Tribunal—
(a)an information notice;
(b)an assessment notice;
(c)an enforcement notice;
(d)a penalty notice;
(e)a penalty variation notice.
(2)A person who is given an enforcement notice may appeal to the Tribunal against the refusal of an application under section 153 for the cancellation or variation of the notice.
(3)A person who is given a penalty notice or a penalty variation notice may appeal to the Tribunal against the amount of the penalty specified in the notice, whether or not the person appeals against the notice.
(4)Where a determination is made under section 174 in respect of the processing of personal data, the controller or processor may appeal to the Tribunal against the determination.
(1)Subsections (2) to (4) apply where a person appeals to the Tribunal under section 162(1) or (3).
(2)The Tribunal may review any determination of fact on which the notice or decision against which the appeal is brought was based.
(3)If the Tribunal considers—
(a)that the notice or decision against which the appeal is brought is not in accordance with the law, or
(b)to the extent that the notice or decision involved an exercise of discretion by the Commissioner, that the Commissioner ought to have exercised the discretion differently,
the Tribunal must allow the appeal or substitute another notice or decision which the Commissioner could have given or made.
(4)Otherwise, the Tribunal must dismiss the appeal.
(5)On an appeal under section 162(2), if the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal must cancel or vary the notice.
(6)On an appeal under section 162(4), the Tribunal may cancel the Commissioner's determination.
(1)This section applies where an information notice, an assessment notice or an enforcement notice given to a person contains an urgency statement.
(2)The person may apply to the court for either or both of the following—
(a)the disapplication of the urgency statement in relation to some or all of the requirements of the notice;
(b)a change to the time at which, or the period within which, a requirement of the notice must be complied with.
(3)On an application under subsection (2), the court may do any of the following—
(a)direct that the notice is to have effect as if it did not contain the urgency statement;
(b)direct that the inclusion of the urgency statement is not to have effect in relation to a requirement of the notice;
(c)vary the notice by changing the time at which, or the period within which, a requirement of the notice must be complied with;
(d)vary the notice by making other changes required to give effect to a direction under paragraph (a) or (b) or in consequence of a variation under paragraph (c).
(4)The decision of the court on an application under this section is final.
(5)In this section, “urgency statement” means—
(a)in relation to an information notice, a statement under section 142(7)(a),
(b)in relation to an assessment notice, a statement under section 146(8)(a) or (9)(d), and
(c)in relation to an enforcement notice, a statement under section 150(8)(a).
(1)Articles 57(1)(f) and (2) and 77 of the [F21UK GDPR] (data subject's right to lodge a complaint) confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the [F21UK GDPR].
(2)A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act.
(3)The Commissioner must facilitate the making of complaints under subsection (2) by taking steps such as providing a complaint form which can be completed electronically and by other means.
(4)If the Commissioner receives a complaint under subsection (2), the Commissioner must—
(a)take appropriate steps to respond to the complaint,
(b)inform the complainant of the outcome of the complaint,
(c)inform the complainant of the rights under section 166, and
(d)if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
(5)The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes—
(a)investigating the subject matter of the complaint, to the extent appropriate, and
(b)informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with [F22a] foreign designated authority is necessary.
F23(6). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(7)In this section—
“foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Convention;
F24...
Textual Amendments
F21Words in s. 165(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F22Word in s. 165(5)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F23S. 165(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F24Words in s. 165(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the [F25UK GDPR], the Commissioner—
(a)fails to take appropriate steps to respond to the complaint,
(b)fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
(c)if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
(2)The Tribunal may, on an application by the data subject, make an order requiring the Commissioner—
(a)to take appropriate steps to respond to the complaint, or
(b)to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
(3)An order under subsection (2)(a) may require the Commissioner—
(a)to take steps specified in the order;
(b)to conclude an investigation, or take a specified step, within a period specified in the order.
(4)Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).
Textual Amendments
F25Words in s. 166(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 67 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject's rights under the data protection legislation in contravention of that legislation.
(2)A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
(a)to take steps specified in the order, or
(b)to refrain from taking steps specified in the order.
(3)The order may, in relation to each step, specify the time at which, or the period within which, it must be taken.
(4)In subsection (1)—
(a)the reference to an application by a data subject includes an application made in exercise of the right under Article 79(1) of the [F26UK GDPR] (right to an effective remedy against a controller or processor);
(b)the reference to the data protection legislation does not include Part 4 of this Act or regulations made under that Part.
(5)In relation to a joint controller in respect of the processing of personal data to which Part 3 applies whose responsibilities are determined in an arrangement under section 58, a court may only make an order under this section if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
Textual Amendments
F26Words in s. 167(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 68 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)In Article 82 of the [F28UK GDPR] (right to compensation for material or non-material damage), “non-material damage” includes distress.
(2)Subsection (3) applies where—
(a)in accordance with rules of court, proceedings under Article 82 of the [F29UK GDPR] are brought by a representative body on behalf of a person, and
(b)a court orders the payment of compensation.
(3)The court may make an order providing for the compensation to be paid on behalf of the person to—
(a)the representative body, or
(b)such other person as the court thinks fit.
Textual Amendments
F27Words in s. 168 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 69(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F28Words in s. 168(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 69(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F29Words in s. 168(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 69(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the [F30UK GDPR], is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2)Under subsection (1)—
(a)a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b)a processor involved in processing of personal data is liable for damage caused by the processing only if the processor—
(i)has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii)has acted outside, or contrary to, the controller's lawful instructions.
(3)A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4)A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(5)In this section, “damage” includes financial loss and damage not involving financial loss, such as distress.
Textual Amendments
F30Words in s. 169(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 70 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)It is an offence for a person knowingly or recklessly—
(a)to obtain or disclose personal data without the consent of the controller,
(b)to procure the disclosure of personal data to another person without the consent of the controller, or
(c)after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
(2)It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining—
(a)was necessary for the purposes of preventing or detecting crime,
(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c)in the particular circumstances, was justified as being in the public interest.
(3)It is also a defence for a person charged with an offence under subsection (1) to prove that—
(a)the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,
(b)the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or
(c)the person acted—
(i)for the special purposes,
(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii)in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.
(4)It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.
(5)It is an offence for a person to offer to sell personal data if the person—
(a)has obtained the data in circumstances in which an offence under subsection (1) was committed, or
(b)subsequently obtains the data in such circumstances.
(6)For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data.
(7)In this section—
(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the [F31UK GDPR] or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
(b)where there is more than one controller, such references are references to the consent of one or more of them.
Textual Amendments
F31Words in s. 170(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 71 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
(2)For the purposes of this section and section 172—
(a)personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
(b)a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).
(3)It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—
(a)was necessary for the purposes of preventing or detecting crime,
(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c)in the particular circumstances, was justified as being in the public interest.
(4)It is also a defence for a person charged with an offence under subsection (1) to prove that—
(a)the person acted in the reasonable belief that the person—
(i)is the data subject to whom the information relates,
(ii)had the consent of that data subject, or
(iii)would have had such consent if the data subject had known about the re-identification and the circumstances of it,
(b)the person acted in the reasonable belief that the person—
(i)is the controller responsible for de-identifying the personal data,
(ii)had the consent of that controller, or
(iii)would have had such consent if that controller had known about the re-identification and the circumstances of it,
(c)the person acted—
(i)for the special purposes,
(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii)in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest, or
(d)the effectiveness testing conditions were met (see section 172).
(5)It is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so—
(a)without the consent of the controller responsible for de-identifying the personal data, and
(b)in circumstances in which the re-identification was an offence under subsection (1).
(6)It is a defence for a person charged with an offence under subsection (5) to prove that the processing—
(a)was necessary for the purposes of preventing or detecting crime,
(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c)in the particular circumstances, was justified as being in the public interest.
(7)It is also a defence for a person charged with an offence under subsection (5) to prove that—
(a)the person acted in the reasonable belief that the processing was lawful,
(b)the person acted in the reasonable belief that the person—
(i)had the consent of the controller responsible for de-identifying the personal data, or
(ii)would have had such consent if that controller had known about the processing and the circumstances of it, or
(c)the person acted—
(i)for the special purposes,
(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii)in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.
(8)In this section—
(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the [F32UK GDPR] or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
(b)where there is more than one controller, such references are references to the consent of one or more of them.
Textual Amendments
F32Words in s. 171(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 72 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)For the purposes of section 171, in relation to a person who re-identifies information that is de-identified personal data, “the effectiveness testing conditions” means the conditions in subsections (2) and (3).
(2)The first condition is that the person acted—
(a)with a view to testing the effectiveness of the de-identification of personal data,
(b)without intending to cause, or threaten to cause, damage or distress to a person, and
(c)in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
(3)The second condition is that the person notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification—
(a)without undue delay, and
(b)where feasible, not later than 72 hours after becoming aware of it.
(4)Where there is more than one controller responsible for de-identifying personal data, the requirement in subsection (3) is satisfied if one or more of them is notified.
(1)Subsection (3) applies where—
(a)a request has been made in exercise of a data subject access right, and
(b)the person making the request would have been entitled to receive information in response to that request.
(2)In this section, “data subject access right” means a right under—
(a)Article 15 of the [F33UK GDPR] (right of access by the data subject);
(b)Article 20 of the [F34UK GDPR] (right to data portability);
(c)section 45 of this Act (law enforcement processing: right of access by the data subject);
(d)section 94 of this Act (intelligence services processing: right of access by the data subject).
(3)It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.
(4)Those persons are—
(a)the controller, and
(b)a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.
(5)It is a defence for a person charged with an offence under subsection (3) to prove that—
(a)the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or
(b)the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.
Textual Amendments
F33Words in s. 173(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 73 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F34Words in s. 173(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 73 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)In this Part, “the special purposes” means one or more of the following—
(a)the purposes of journalism;
(b)academic purposes;
(c)artistic purposes;
(d)literary purposes.
(2)In this Part, “special purposes proceedings” means legal proceedings against a controller or processor which relate, wholly or partly, to personal data processed for the special purposes and which are—
(a)proceedings under section 167 (including proceedings on an application under Article 79 of the [F35UK GDPR]), or
(b)proceedings under Article 82 of the [F36UK GDPR] or section 169.
(3)The Commissioner may make a written determination, in relation to the processing of personal data, that—
(a)the personal data is not being processed only for the special purposes;
(b)the personal data is not being processed with a view to the publication by a person of journalistic, academic, artistic or literary material which has not previously been published by the controller.
(4)The Commissioner must give written notice of the determination to the controller and the processor.
(5)The notice must provide information about the rights of appeal under section 162.
(6)The determination does not take effect until one of the following conditions is satisfied—
(a)the period for the controller or the processor to appeal against the determination has ended without an appeal having been brought, or
(b)an appeal has been brought against the determination and—
(i)the appeal and any further appeal in relation to the determination has been decided or has otherwise ended, and
(ii)the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.
Textual Amendments
F35Words in s. 174(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 74 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F36Words in s. 174(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 74 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)An individual who is a party, or prospective party, to special purposes proceedings may apply to the Commissioner for assistance in those proceedings.
(2)As soon as reasonably practicable after receiving an application under subsection (1), the Commissioner must decide whether, and to what extent, to grant it.
(3)The Commissioner must not grant the application unless, in the Commissioner's opinion, the case involves a matter of substantial public importance.
(4)If the Commissioner decides not to provide assistance, the Commissioner must, as soon as reasonably practicable, notify the applicant of the decision, giving reasons for the decision.
(5)If the Commissioner decides to provide assistance, the Commissioner must—
(a)as soon as reasonably practicable, notify the applicant of the decision, stating the extent of the assistance to be provided, and
(b)secure that the person against whom the proceedings are, or are to be, brought is informed that the Commissioner is providing assistance.
(6)The assistance that may be provided by the Commissioner includes—
(a)paying costs in connection with the proceedings, and
(b)indemnifying the applicant in respect of liability to pay costs, expenses or damages in connection with the proceedings.
(7)In England and Wales or Northern Ireland, the recovery of expenses incurred by the Commissioner in providing an applicant with assistance under this section (as taxed or assessed in accordance with rules of court) is to constitute a first charge for the benefit of the Commissioner—
(a)on any costs which, by virtue of any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided, and
(b)on any sum payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid, or bring to an end, any proceedings.
(8)In Scotland, the recovery of such expenses (as taxed or assessed in accordance with rules of court) is to be paid to the Commissioner, in priority to other debts—
(a)out of any expenses which, by virtue of any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided, and
(b)out of any sum payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid, or bring to an end, any proceedings.
(1)In any special purposes proceedings before a court, if the controller or processor claims, or it appears to the court, that any personal data to which the proceedings relate—
(a)is being processed only for the special purposes,
(b)is being processed with a view to the publication by any person of journalistic, academic, artistic or literary material, and
(c)has not previously been published by the controller,
the court must stay or, in Scotland, sist the proceedings.
(2)In considering, for the purposes of subsection (1)(c), whether material has previously been published, publication in the immediately preceding 24 hours is to be ignored.
(3)Under subsection (1), the court must stay or sist the proceedings until either of the following conditions is met—
(a)a determination of the Commissioner under section 174 with respect to the personal data or the processing takes effect;
(b)where the proceedings were stayed or sisted on the making of a claim, the claim is withdrawn.
(1)The Commissioner must produce and publish guidance about the steps that may be taken where an individual considers that a media organisation is failing or has failed to comply with the data protection legislation.
(2)In this section, “media organisation” means a body or other organisation whose activities consist of or include journalism.
(3)The guidance must include provision about relevant complaints procedures, including—
(a)who runs them,
(b)what can be complained about, and
(c)how to make a complaint.
(4)For the purposes of subsection (3), relevant complaints procedures include procedures for making complaints to the Commissioner, the Office of Communications, the British Broadcasting Corporation and other persons who produce or enforce codes of practice for media organisations.
(5)The guidance must also include provision about—
(a)the powers available to the Commissioner in relation to a failure to comply with the data protection legislation,
(b)when a claim in respect of such a failure may be made before a court and how to make such a claim,
(c)alternative dispute resolution procedures,
(d)the rights of bodies and other organisations to make complaints and claims on behalf of data subjects, and
(e)the Commissioner's power to provide assistance in special purpose proceedings.
(6)The Commissioner—
(a)may alter or replace the guidance, and
(b)must publish any altered or replacement guidance.
(7)The Commissioner must produce and publish the first guidance under this section before the end of the period of 1 year beginning when this Act is passed.
(1)The Commissioner must—
(a)review the extent to which, during each review period, the processing of personal data for the purposes of journalism complied with—
(i)the data protection legislation, and
(ii)good practice in the processing of personal data for the purposes of journalism,
(b)prepare a report of the review, and
(c)submit the report to the Secretary of State.
(2)In this section—
“good practice in the processing of personal data for the purposes of journalism” has the same meaning as in section 124;
“review period” means—
the period of 4 years beginning with the day on which Chapter 2 of Part 2 of this Act comes into force, and
each subsequent period of 5 years beginning with the day after the day on which the previous review period ended.
(3)The Commissioner must start a review under this section, in respect of a review period, within the period of 6 months beginning when the review period ends.
(4)The Commissioner must submit the report of a review under this section to the Secretary of State—
(a)in the case of the first review, before the end of the period of 18 months beginning when the Commissioner started the review, and
(b)in the case of each subsequent review, before the end of the period of 12 months beginning when the Commissioner started the review.
(5)The report must include consideration of the extent of compliance (as described in subsection (1)(a)) in each part of the United Kingdom.
(6)The Secretary of State must—
(a)lay the report before Parliament, and
(b)send a copy of the report to—
(i)the Scottish Ministers,
(ii)the Welsh Ministers, and
(iii)the Executive Office in Northern Ireland.
(7)Schedule 17 makes further provision for the purposes of a review under this section.
(1)The Secretary of State must, before the end of each review period, lay before Parliament a report produced by the Secretary of State or an appropriate person on—
(a)the use of relevant alternative dispute resolution procedures, during that period, in cases involving a failure, or alleged failure, by a relevant media organisation to comply with the data protection legislation, and
(b)the effectiveness of those procedures in such cases.
(2)In this section—
“appropriate person” means a person who the Secretary of State considers has appropriate experience and skills to produce a report described in subsection (1);
“relevant alternative dispute resolution procedures” means alternative dispute resolution procedures provided by persons who produce or enforce codes of practice for relevant media organisations;
“relevant media organisation” means a body or other organisation whose activities consist of or include journalism, other than a broadcaster;
“review period” means—
the period of 3 years beginning when this Act is passed, and
each subsequent period of 3 years.
(3)The Secretary of State must send a copy of the report to—
(a)the Scottish Ministers,
(b)the Welsh Ministers, and
(c)the Executive Office in Northern Ireland.
(1)The jurisdiction conferred on a court by the provisions listed in subsection (2) is exercisable—
(a)in England and Wales, by the High Court or the county court,
(b)in Northern Ireland, by the High Court or a county court, and
(c)in Scotland, by the Court of Session or the sheriff,
subject to subsections (3) and (4).
(2)Those provisions are—
(a)section 145 (information orders);
(b)section 152 (enforcement notices and processing for the special purposes);
(c)section 156 (penalty notices and processing for the special purposes);
(d)section 167 and Article 79 of the [F37UK GDPR] (compliance orders);
(e)sections 168 and 169 and Article 82 of the [F38UK GDPR] (compensation).
(3)In relation to the processing of personal data to which Part 4 applies, the jurisdiction conferred by the provisions listed in subsection (2) is exercisable only by the High Court or, in Scotland, the Court of Session.
(4)In relation to an information notice which contains a statement under section 142(7), the jurisdiction conferred on a court by section 145 is exercisable only by the High Court or, in Scotland, the Court of Session.
(5)The jurisdiction conferred on a court by section 164 (applications in respect of urgent notices) is exercisable only by the High Court or, in Scotland, the Court of Session.
Textual Amendments
F37Words in s. 180(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 75 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F38Words in s. 180(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 75 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
In this Part—
“assessment notice” has the meaning given in section 146;
“certification provider” has the meaning given in section 17;
“enforcement notice” has the meaning given in section 149;
“information notice” has the meaning given in section 142;
“penalty notice” has the meaning given in section 155;
“penalty variation notice” has the meaning given in Schedule 16;
“representative”, in relation to a controller or processor, means a person designated by the controller or processor under Article 27 of the [F39UK GDPR] to represent the controller or processor with regard to the controller's or processor's obligations under the [F39UK GDPR].
Textual Amendments
F39Words in s. 181 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 76 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: