The Data Protection (Charges and Information) Regulations 2018

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Data Protection (Charges and Information) Regulations 2018 and come into force on 25th May 2018.

(2) In these Regulations—

“business” includes any trade or profession;

“charge period” has the meaning given in regulation 2(6);

“data controller’s financial year” means—

“exempt processing” has the meaning given in the Schedule;

“financial year”, in paragraph (b) of the definition of “data controller’s financial year”—

“member of staff” means any—

“number of members of staff” means the number calculated by—

“processing”, in relation to personal data, means an operation or set of operations which is performed on personal data;

“public authority” means a public authority as defined by the Freedom of Information Act 2000(5) or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002(6);

“turnover”—

Requirements on data controllers

2.—(1) A data controller must comply with the requirements of this regulation unless all of the processing of personal data they undertake is exempt processing.

(2) Within the first 21 days of each charge period a data controller must pay a charge to the Information Commissioner, determined in accordance with regulation 3.

(3) Within the first 21 days of each charge period a data controller must provide to the Information Commissioner the following information, as of the first day of each charge period—

(a)the name and address of the data controller;

(b)whether the number of members of staff of the data controller is—

(i)less than or equal to 10,

(ii)greater than 10 but less than or equal to 250, or

(iii)greater than 250;

(c)whether the turnover for the data controller’s financial year is—

(i)less than or equal to £632,000,

(ii)greater than £632,000 but less than or equal to £36 million, or

(iii)greater than £36 million; and

(d)whether the data controller is a public authority.

(4) Paragraph (3)(c) does not apply to a data controller that is a public authority.

(5) For the purposes of paragraph (3)(a)—

(a)the address of a registered company is that of its registered office, and

(b)the address of a person (other than a registered company) carrying on a business is that of the person’s principal place of business in the UK.

(6) In this regulation—

“charge period” means—

“registered company” means a company registered under the Companies Acts as defined by section 2(1) of the Companies Act 2006.

Amount of charge payable under regulation 2

3.—(1) For the purposes of regulation 2(2), the charge payable by a data controller in—

(a)tier 1 (micro organisations), is £40;

(b)tier 2 (small and medium organisations), is £60;

(c)tier 3 (large organisations), is £2,900.

(2) For the purposes of this regulation, a data controller is, subject to paragraph (3)—

(a)in tier 1 if—

(i)it has a turnover of less than or equal to £632,000 for the data controller’s financial year,

(ii)the number of members of staff of the data controller is less than or equal to 10,

(iii)it is a charity, or

(iv)it is a small occupational pension scheme;

(b)in tier 2 if it is not in tier 1 and—

(i)it has a turnover of less than or equal to £36 million for the data controller’s financial year, or

(ii)the number of members of staff of the data controller is less than or equal to 250;

(c)in tier 3 if it is not in tier 1 or tier 2.

(3) Paragraphs (2)(a)(i) and (2)(b)(i) are to be disregarded in relation to a public authority.

(4) For the purposes of regulation 3(2), the turnover and number of members of staff is determined on the first day of the charge period to which the charge relates.

(5) The applicable charge in paragraph (1) is reduced by £5.00 for a data controller that makes payment of the charge by direct debit.

(6) In this regulation—

“charity”—

“small occupational pension scheme” has the meaning given in regulation 4 of the Occupational and Personal Pension Schemes (Consultation by Employers and Miscellaneous Amendment) Regulations 2006(11).

Requirements in respect of partnerships

4.—(1) In any case in which two or more persons carrying on a business in partnership are the data controllers in respect of personal data for the purposes of that business, the requirements of regulation 2 may be satisfied in respect of those persons in the name of the firm.

(2) Where the requirements of regulation 2 are satisfied in the name of a firm under paragraph (1) above—

(a)the name to be specified for the purposes of regulation 2(3)(a) is the name of that firm, and

(b)the address to be specified for the purposes of regulation 2(3)(a) is the address of that firm’s principal place of business.

(3) For the purposes of regulations 2 and 3, references to the turnover and number of members of staff of a data controller which is a partnership are references to the turnover and number of members of staff of the firm as a whole.

Requirements in respect of the governing body of, and head teacher at, any school

5.—(1) In any case in which a governing body of a school and a head teacher at a school are both data controllers for the purposes of that school, the requirements of regulation 2 may be satisfied in respect of that governing body and head teacher in the name of the school.

(2) Where the requirements of regulation 2 are satisfied in the name of a school under paragraph (1) above, the name and address to be specified for the purposes of regulation 2(3)(a) are those of the school.

(3) For the purposes of this regulation, in the definition of “number of members of staff” in regulation 1(2) any reference to a data controller is to be treated as a reference to the school.

(4) In this regulation—

“head teacher” includes, in Northern Ireland, the principal of a school;

“school”—

Crown application

6.  These Regulations bind the Crown but do not apply to—

(a)Her Majesty in Her private capacity,

(b)Her Majesty in right of the Duchy of Lancaster, or

(c)the Duke of Cornwall.