Search Legislation

Data Protection Act 2018

What Version

 Help about what version
  • Latest available (Revised)
  • Original (As enacted)

Status:

This is the original version (as it was originally enacted). This item of legislation is currently only available in its original format.

CHAPTER 4Controller and processor

Overview

101Overview

This Chapter sets out—

(a)the general obligations of controllers and processors (see sections 102 to 106);

(b)specific obligations of controllers and processors with respect to security (see section 107);

(c)specific obligations of controllers and processors with respect to personal data breaches (see section 108).

General obligations

102General obligations of the controller

Each controller must implement appropriate measures—

(a)to ensure, and

(b)to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.

103Data protection by design

(1)Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.

(2)A controller must implement appropriate technical and organisational measures which are designed to ensure that—

(a)the data protection principles are implemented, and

(b)risks to the rights and freedoms of data subjects are minimised.

104Joint controllers

(1)Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2)Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3)The arrangement must designate the controller which is to be the contact point for data subjects.

105Processors

(1)This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2)The controller may use only a processor who undertakes—

(a)to implement appropriate measures that are sufficient to secure that the processing complies with this Part;

(b)to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.

(3)If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

106Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a)on instructions from the controller, or

(b)to comply with a legal obligation.

Obligations relating to security

107Security of processing

(1)Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.

(2)In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—

(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with it,

(b)ensure that it is possible to establish the precise details of any processing that takes place,

(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

Obligations relating to personal data breaches

108Communication of a personal data breach

(1)If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.

(2)Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(3)Subject to subsection (4), the notification must include—

(a)a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b)the name and contact details of the contact point from whom more information can be obtained;

(c)a description of the likely consequences of the personal data breach;

(d)a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(4)Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.

(5)If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.

(6)Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.

(7)For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.

Back to top

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open the Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open the Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

See additional information alongside the content

Show Explanatory Notes for Sections: Displays relevant parts of the explanatory notes interweaved within the legislation content.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources