Publications & Events
Article

GDPR Guide to National Implementation: United Kingdom

A practical guide to national GDPR compliance requirements across the EEA

United Kingdom

Other chapters

Foreword and issue-by-issue comparison

Austria

Belgium

Bulgaria

Croatia

Cyprus

Czech Republic

Denmark

Estonia

Finland

France

Germany

Greece

Hungary

Iceland

Ireland

Italy

Latvia

Liechtenstein

Lithuania

Luxembourg

Malta

Netherlands

Norway

Poland

Portugal

Romania

Slovakia

Slovenia

Spain

Sweden

United Kingdom

Glossary

[back to top of page]

 

Get your copy

Request a hard copy of the GDPR Guide to National Implementation »

 

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———

[back to top of page]

 

 

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

Brexit Note: The GDPR will apply in the UK until it leaves the EU. The UK government has incorporated the GDPR into the UK’s domestic law under section 3 of the European Union (Withdrawal) Act 2018 (the “Withdrawal Act”). Once this section comes into force, data protection law in the UK will remain aligned with the GDPR.

———

(b) Relevant legislation includes:

  • UK Data Protection Act 2018 (the “Data Protection Act”)
    • Date in force: 25 May 2018
    • Note: The Data Protection Act also applies the GDPR 
      to areas that fall outside the legislative competency of
      the EU, such as processing by law enforcement and
      intelligence services. The answers in this chapter are
      applicable to entities processing personal data, other than
      for purposes of law enforcement or intelligence services.
    • Link: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full.

———

[back to top of page]

 

 

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The Data Protection Act does not make specific rules regarding the processing of personal data of deceased persons.

However, under the Access to Health Records Act 1990, the following rules apply in respect of access to health records (which contains personal data) relating to deceased persons:

  • a person is entitled to access a deceased person’s health records only if they are either:
    • a personal representative (i.e., the executor or administrator of the deceased person’s estate); or
    • a person who has a claim resulting from the death (whether they are a relative or other person);
  • access to a deceased person’s health records may not be granted if a patient requested confidentiality whilst they were alive; and
  • disclosure of a deceased person’s health data may also not take place if there is a risk of serious harm to an individual, or if records contain information relating to another person.

———

[back to top of page]

 

 

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue. However, the Secretary of State may make further provisions (none have so far been issued).

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

Personal data may be processed for the performance of tasks carried out in the public interest where such processing is necessary for the performance of the following tasks:

  • the administration of justice;
  • parliamentary functions;
  • statutory functions;
  • governmental functions; or
  • activities that support or promote democratic engagement.

The processing of sensitive personal data may be justified on the ground of “substantial public interest” as defined under the Data Protection Act (see Q5(b)(ii) below for further details).

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

See Q3(b) above.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

[back to top of page]

 

 

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

The Data Protection Act explicitly states that ISS does not include preventative or counselling services.

———

[back to top of page]

 

 

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained.

———

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:

  • the processing is necessary to comply with obligations imposed on the controller or data subject in connection with employment, social security or social protection;
  • the controller has an “appropriate policy” in place when the processing is carried out; and
  • additional safeguards are implemented, including the retention of a policy document (which must be updated periodically and made available on request to the DPA) and the maintenance of a record of processing.

The “appropriate policy” should explain the controller’s procedures for securing compliance with general GDPR principles for processing and set out the retention periods for the relevant data (and erasure procedures).

(ii) Substantial public interest

Processing sensitive personal data in respect of this purpose is lawful only if the controller has an appropriate policy and additional safeguards in place (see Q5(b)(i) above) when the processing is carried out, and the processing is carried out for one of the following purposes:

  • to comply with statutory requirements;
  • for the exercise of government purposes;
  • for the exercise of parliamentary functions;
  • for the administration of justice;
  • to promote and maintain equality of opportunity or treatment;
  • to promote and maintain diversity in the racial and ethnic origins of individuals at senior levels of organisations;
  • to prevent and detect unlawful acts;
  • to protect the public against dishonesty;
  • to comply with regulatory requirements relating to unlawful acts and dishonesty;
  • to disclose data for journalistic, academic, artistic or literary purposes in connection with unlawful acts and dishonesty;
  • to prevent fraud; ……to make disclosures in good faith relating to terrorist financing or money laundering;
  • to provide support for individuals with a particular disability or medical condition;
  • to provide counselling;
  • to safeguard children and individuals at risk;
  • to safeguard the economic well-being of individuals at economic risk;
  • for certain insurance purposes (under strict conditions only);
  • for making determinations in relation to occupational pensions (under strict conditions only);
  • for the exercise of political activities (under strict conditions only);
  • for activities connected with elected representative (under strict conditions only);
  • for the publication of legal judgments; or
  • for maintaining standards of behaviour in sport.

The availability and applicability of each of the above conditions is subject to further specific requirements set out in the Data Protection Act.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:

  • the processing is necessary for purposes of preventative or occupational medicine, assessment of an employee’s working capacity, medical diagnosis, provision of health treatment or social care, or management of health or social care systems or services; and
  • the processing must be carried out:
    • by or under the responsibility of a health professional or a social work professional; or
    • by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

(iv) Public interest in the area of public health

Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:

  • the processing is necessary for reasons of public interest in the area of public health; and
  • the processing is carried out by a health professional (or under their responsibility) or another person who owes a duty of confidentiality.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

Processing sensitive personal data in respect of these purposes is lawful only if the following conditions are met:

  • the processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes;
  • the processing is carried out in accordance with Art. 89(1) GDPR (including implementing safeguards to comply with the principle of data minimisation); and
  • the processing is in the public interest.

In addition, processing will not satisfy the requirement in Art. 89(1) GDPR that the processing be subject to appropriate safeguards for the rights and freedoms of the data subject if:

  • the processing is likely to cause substantial damage or substantial distress to a data subject; or
  • the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

Processing these types of sensitive personal data may be subject to the safeguards specified in Q5(b)(i)-(v) above.

———

[back to top of page]

 

 

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Under the Data Protection Act, personal data relating to criminal convictions and offences include personal data relating to:

  • the alleged commission of offences by the data subject; or
  • proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Processing of personal data relating to criminal conditions and offences is lawful if any of the following conditions are met:

  • processing is carried out for one or more of the purposes set out in the responses to Q5(b)(i)-(v) above;
  • the data subject has given consent to the processing;
  • processing is necessary to protect the vital interests of an individual;
  • processing is carried out by not-for-profit bodies in the course of its legitimate activities;
  • the personal data subject to processing has been manifestly made public by the data subject;
  • processing is carried out in connection with a legal claim;
  • processing is necessary when a court or tribunal is acting in its judicial capacity;
  • processing is carried out for the administration of accounts used in the commission of indecency offences involving children; or
  • processing is carried out for processing relating to insurance purposes.

An appropriate policy document (as defined in Q5(b)(i) above) and additional safeguards must also be in place.

———

[back to top of page]

 

 

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

The right of erasure may not apply in the following scenarios:

  • processing for immigration purposes;
  • processing for the prevention of crime (including risk assessments);
  • processing for the assessment of tax obligations (including risk assessments); ……where the personal data consists of information that the controller is obliged by an enactment to make available to the public or to a third party;
  • where it is necessary to disclose the personal data for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising or defending legal rights;
  • processing for the purpose of discharging specific functions designed to protect the public;
  • processing for the purpose of discharging audit functions (applicable to official comptrollers/auditors);
  • processing for the purpose of discharging a function of the Bank of England;
  • processing for the purpose of discharging a regulatory function relating to legal services, the health service and children’s services;
  • processing for the purpose of discharging a regulatory function (applicable to specified regulators);
  • where complying with the right of erasure would lead to an infringement of parliamentary privilege;
  • processing in connection with judicial appointments, independence and proceedings;
  • processing in connection with certain crown honours, dignities and appointments;
  • processing for journalistic, academic, artistic or literary purposes;
  • processing of health data or social work data by a court, or in connection with certain requests involving minors or persons incapable of managing their own affairs; or
  • processing of education data (i.e., personal data in an educational record) processed by a court.

Some of the exemptions above apply to the extent that applying the right of erasure would be likely to prejudice, or would prevent or seriously impair the controller or the processor from processing personal data in a way that is required for the relevant purpose.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

A data subject’s right to be provided information does not apply in the following circumstances:

  • processing for immigration purposes;
  • processing for the prevention of crime (including risk assessments);
  • processing for the assessment of tax obligations (including risk assessments);
  • where the personal data consists of information that the controller is obliged by an enactment to make available to the public or to a third party;
  • where it is necessary to disclose the personal data for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising or defending legal rights;
  • where legal professional privilege applies;
  • where disclosure could lead to self-incrimination;
  • processing for the purpose of discharging specific functions designed to protect the public;
  • processing for the purpose of discharging audit functions (applicable to official comptrollers/auditors);
  • processing for the purpose of discharging a function of the Bank of England;
  • processing for the purpose of discharging a regulatory function relating to legal services, the health service and children’s services;
  • processing for the purpose of discharging a regulatory function (applicable to specified regulators);
  • where complying with the right of erasure would lead to an infringement of parliamentary privilege;
  • processing in connection with judicial appointments, independence and proceedings;
  • processing in connection with certain crown honours, dignities and appointments;
  • processing for journalistic, academic, artistic or literary purposes;
  • processing of health data or social work data by a court, or in connection with certain requests involving minors or persons incapable of managing their own affairs;
  • processing of education data (i.e., personal data in an educational record) processed by a court;
  • processing in connection with a corporate finance service;
  • processing for the purposes of management forecasting or management planning in relation to a business or other activity;
  • processing to record intentions relating to any negotiations with an individual;
  • processing to give or receive a confidential reference for the purposes of prospective or actual employment, education or training; or
  • processing of exam scripts.

Some of the exemptions above apply to the extent that applying the right to be provided information would be likely to prejudice, or would prevent or seriously impair the controller or processor from processing personal data in a way that is required for the relevant purpose.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———

[back to top of page]

 

 

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The right to be informed where personal data are collected from the data subject (Art. 13 GDPR), the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to restrict processing (Art. 18 GDPR), the right to portability (Art. 20 GDPR) and the right to object (Art. 21 GDPR) may not apply in the following scenarios:

  • processing for immigration purposes;
  • processing for the prevention of crime (including risk assessments);
  • processing for the assessment of tax obligations (including risk assessments);
  • processing for scientific or historical research purposes or statistical purposes (note, this exemption is not applicable to the right to data portability under Art. 20 GDPR);
  • processing for archiving purposes in the public interest;
  • where the personal data consists of information that the controller is obliged by an enactment to make available to the public or to a third party;
  • where it is necessary to disclose the personal data for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising or defending legal rights;
  • processing for the purpose of discharging specific functions designed to protect the public;
  • processing for the purpose of discharging audit functions (applicable to official comptrollers/auditors);
  • processing for the purpose of discharging a function of the Bank of England;
  • processing for the purpose of discharging a regulatory function relating to legal services, the health service and children’s services;
  • processing for the purpose of discharging a regulatory function (applicable to specified regulators);
  • where complying with the right of erasure would lead to an infringement of parliamentary privilege;
  • processing in connection with judicial appointments, independence and proceedings;
  • processing in connection with certain crown honours, dignities and appointments;
  • processing for journalistic, academic, artistic or literary purposes;
  • processing of health data or social work data by a court, or in connection with certain requests involving minors or persons incapable of managing their own affairs; or
  • processing of education data (i.e., personal data in an educational record) processed by a court.

Some of the exemptions above apply to the extent that applying a right would be likely to prejudice, or would prevent or seriously impair the controller or processor from processing personal data in a way that is required for the relevant purpose.

In addition to the above, the right to be informed where the personal data are collected from the data subject (Art. 13 GDPR) and the right of access (Art. 15 GDPR) may not apply in the following scenarios:

  • processing in connection with a corporate finance service;
  • processing for the purposes of management forecasting or management planning in relation to a business or other activity;
  • processing to record intentions relating to any negotiations with an individual;
  • processing to give or receive a confidential reference for the purposes of prospective or actual employment, education or training;
  • processing of exam scripts;
  • where disclosure is prohibited or restricted by an enactment (note, this exemption is not applicable to the right to be informed under Art. 13 GDPR); or
  • where the access request is for information containing the personal data of more than one individual (note, this exemption is not applicable to the right to be informed under Art. 13 GDPR).

Further, in respect of the right of access, where the controller is a credit reference agency, the controller need only comply with subject access requests in respect of personal data relating to the data subject’s financial standing, unless the data subject has indicated a contrary intention.

———

[back to top of page]

 

 

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

[back to top of page]

 

 

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———

[back to top of page]

 

 

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

In addition to the provisions of the GDPR, Impact Assessments are required in the circumstances included in the list of “high risk processing” issued by the DPA (see here).

———

[back to top of page]

 

 

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———

[back to top of page]

 

 

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

The DPO is bound by general common law, statutory and contractual secrecy and confidentiality obligations. This should not prevent the DPO from communicating with the DPA when he or she deems it appropriate.

———

[back to top of page]

 

 

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR. The UK government can issue regulations specifying that certain types of transfer are deemed to be in the public interest or prohibited. No such restrictions have been issued yet.

Brexit Note: In the event of a so-called “no-deal Brexit”, the UK will become a third country for the purposes of EU law. Accordingly, transfers from the EEA to the UK will be subject to the transfer mechanism requirements for third countries. In practice this means that, in the absence of an adequacy decision (see here) being granted in favour of the UK by the Commission, Standard Contractual Clauses (see here) will have to be implemented between parties wishing to transfer data from the EEA to the UK.

In the event of a no-deal Brexit, data transfers from the UK to the EEA may continue without the need to implement any measures, according to guidance (see here) issued by the UK Government.

The EDPB have also issued guidance (see here) on international data transfers in the event of a no-deal Brexit.

———

[back to top of page]

 

 

Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: The Information Commissioner
    • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
    • Website: ico.org.uk

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The Data Protection Act grants the DPA powers to issue the following four types of notice:

  • information notices requiring a controller, a processor or a person to provide information (within a specified timeframe) that the DPA reasonably requires to carry out their functions;
  • assessment notices which require a controller or processor to grant the DPA access to premises, documents and equipment, to allow them to observe processing and to interview members of staff;
  • enforcement notices which can be issued when a controller, processor, certification provider or monitoring body has failed to meet its obligations and allows the DPA to mandate or halt actions (such as processing or transfer of personal data); and
  • penalty notices issued in respect of compliance failures requiring a controller, processor, certification provider or monitoring body to pay a fine.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Notices (including the categories of notice set out at Q15(d) above) issued by the DPA may be appealed to the First Tier Tribunal (Information Rights) within 28 calendar days of the decision.

An appeal which raises particularly complex or important issues may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. Decisions by the First Tier Tribunal may also be appealed to the Upper Tribunal. Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

Under the Data Protection Act, information necessary for the discharge of the DPA’s functions is generally disclosable. However, where the DPA issues an information notice requiring a controller or processor to provide information, the following privileged information may be withheld:

  • information which, if disclosed, would involve an infringement of parliamentary privileges;
  • information in respect of a communication made between lawyer and client about compliance with or proceedings under data protection law; or
  • information which would reveal evidence of the commission of an offence and expose the person to proceedings for that offence.

———

[back to top of page]

 

 

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———

[back to top of page]

 

 

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Administrative fines may be imposed on public authorities, and there are no specific rules regarding fines for public authorities.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

The DPA may issue administrative fines by serving a penalty notice, as well as exercising the sanctions in Art. 58 GDPR through information notices, assessment notices and enforcement notices as set out in Q15(d) above.

In addition, the following are criminal offences (punishable by fines, not by imprisonment):

  • making a false statement in response to an information notice served by the DPA;
  • destroying or otherwise disposing of, concealing, blocking or falsifying information and documents (or causing or permitting these actions to be done);
  • unlawfully obtaining criminal data;
  • altering records in order to prevent disclosure in response to subject access request;
  • intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data;
  • requiring individuals to make a subject access request for health or criminal record information in certain circumstances (e.g., in an employment context); and
  • obstructing the DPA in inspecting personal data to discharge an international obligation. 

Directors, managers and similar officers are liable for offences committed by a company as a result of their consent, connivance or neglect.

The DPA can also serve monetary penalties on controllers who refuse to pay their data protection registration fee.

———

[back to top of page]

 

 

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The Data Protection Act makes exemptions based on Art. 85(2) GDPR for processing for the purpose of journalism, academic, artistic and literary purposes. See Q18(b) below.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

Processing for the purpose of journalism, academic, artistic and literary purposes (the “special purposes”) is exempt from complying with the following obligations:
all the processing principles other than the security principle (Art. 5(1)(f) GDPR) and accountability principle (Art. 5(2) GDPR);

  • identifying lawful bases for processing;
  • conditions for consent (including children’s consent);
  • conditions for processing sensitive personal data and data relating to criminal convictions and offences;
  • processing which does not require identification;
  • all the individual rights under Chapter III GDPR, other than rights related to automated individual decision-making including profiling;
  • communicating personal data breaches to individual data subjects;
  • consulting with the DPA regarding high-risk processing;
  • restrictions on international transfers of personal data; and
  • cooperating with European DPAs.

The derogations only apply if the following criteria are met:

  • the processing is being carried out with a view to the publication of journalistic, academic, artistic or literary material;
  • the controller reasonably believes that compliance with these provisions would be incompatible with the special purposes; and
  • the controller reasonably believes that publication of the material would be in the public interest, taking into account the special importance of the public interest in the freedom of expression and information. In respect of this issue specifically, controllers must have regard to codes of practice, including the BBC Editorial Guidelines, Ofcom Broadcasting Code and the Editors’ Code of Practice.
     

———

[back to top of page]

 

 

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

There are no specific provisions governing this issue.

———

[back to top of page]

 

 

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

There are no specific provisions governing the processing of employee data, other than those relating to employees’ sensitive personal data as set out in Q5(b)(i), Q5(b)(iii) & Q6.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

There are no specific safeguards of this nature.

———

[back to top of page]

 

 

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

The Data Protection Act contains a large number of derogations from the GDPR, the most material of which have been set out in this chapter already. A notable addition under UK law is that controllers must pay an annual data protection fee to the DPA unless they are exempt. The fee payable ranges from £40 to £2,900 and depends on the size of the controller, its turnover and, in some cases, the type of organisation.

———

[back to top of page]

 

 

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

Two campaign groups were granted permission in January 2019 to bring a judicial review against the immigration exemption to various data subject rights contained in the Data Protection Act. The claimants argue that the exemption permits the Home Office (as controller) to restrict access to personal data which the government believes is likely to prejudice “effective immigration control”. A hearing was held in the High Court on 23 July 2019. No judgment has been handed down yet.

———

[back to top of page]

 

 

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA has taken a number of enforcement actions for breaches of the GDPR, including the following significant actions:

  • in July 2019, issuing a notice of intention to impose a fine of £183 million on British Airways for allegedly failing to adequately safeguard customers’ personal data, resulting in the personal data of 500,000 customers being compromised; and
  • also in July 2019, issuing a notice of intention to impose a fine of £99 million on a global hospitality company for similarly allegedly failing to adequately safeguard customers’ personal data.

———

[back to top of page]

 

 

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued a number of guidance materials (see here) on the application of the GDPR and/or GDPR implementation law, including the following (in English):

  • general guidance on the GDPR and Data Protection Act (see here);
  • guidance on data protection and Brexit (see here);
  • a privacy notice template (see here); and
  • other GDPR resources for organisations (see here).

———

[back to top of page]

 

 

White & Case contributors

Tim Hickman

Tim Hickman
Partner, White & Case
T +44 20 7532 2517
E [email protected]

Tim advises on all aspects of UK and EU privacy and data protection law, from general compliance issues (such as implementing privacy policies and consent forms) to more specialised issues (such as managing data breaches, structuring cross-border data transfers and complying with the “right to be forgotten”). Tim has a detailed knowledge of the EU’s General Data Protection Regulation (GDPR), and co-authored White & Case’s Handbook on that legislation (whitecase.com/eugdpr- handbook).

Clients appreciate Tim’s ability to find pragmatic and commercial solutions to complex (and frequently multijurisdictional) data protection compliance questions.

Tim has significant experience of working with a wide range of clients in the EU, Asia and the US. He has spent time on secondment at Google, advising on cutting-edge privacy and data protection issues. He has also spoken at several events at Harvard Law School, and he delivered the closing address at the Harvard European Law Conference 2019.

John Timmons

John Timmons
Associate, White & Case
T +44 20 7532 1598
E [email protected]

John advises on all aspects of UK and EU privacy, data protection and cybersecurity law. Key elements of his role include advising clients on general data protection compliance and providing specific advice on international data transfer solutions, compliance with local privacy and cybersecurity laws, information governance, e-privacy and direct marketing issues and online behavioural/targeted advertising strategies. John has a detailed knowledge of the EU’s General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and associated privacy and cybersecurity legislation.

As a key member of the Firm’s Global Data, Privacy & Cybersecurity Practice, John focuses on providing practical and commercially attractive solutions for clients, taking account of the wider business and commercial context. He outlines risk positions and risk profiles to assist clients when making key decisions.

John has significant experience working with a wide range of clients in the EU, the US and Asia. He has spent time on secondment with a national media company and has presented to a leading cybersecurity forum and financial institutions on data protection and privacy matters.

———

[back to top of page]

 

 

Other chapters

class="table table-bordered">

———

See also:

Our Global Data, Privacy & Cybersecurity Practice »

GDPR Handbook: Unlocking the EU General Data Protection Regulation »

———

[back to top of page]

 

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP