5.—(1) A certification-service-provider who issues a certificate to the public and to whom this paragraph applies in accordance with paragraph (6) below—
(a)shall not obtain personal data for the purpose of issuing or maintaining that certificate otherwise than directly from the data subject or after the explicit consent of the data subject, and
(b)shall not process the personal data referred to in sub-paragraph (a) above—
(i)to a greater extent than is necessary for the purpose of issuing or maintaining that certificate, or
(ii)to a greater extent than is necessary for any other purpose to which the data subject has explicitly consented,
unless the processing is necessary for compliance with any legal obligation, to which the certification-service-provider is subject, other than an obligation imposed by contract.
(2) The obligation to comply with paragraph (1) above shall be a duty owed to any data subject who may be affected by a contravention of paragraph (1).
(3) Where a duty is owed by virtue of paragraph (2) above to any data subject, any breach of that duty which causes that data subject to sustain loss or damage shall be actionable by him.
(4) Compliance with paragraph (1) above shall also be enforceable by civil proceedings brought by the Crown for an injunction or for an interdict or for any other appropriate relief or remedy.
(5) Paragraph (4) above shall not prejudice any right that a data subject may have by virtue of paragraph (3) above to bring civil proceedings for the contravention or apprehended contravention of paragraph (1) above.
(6) Paragraph (1) above applies to a certification-service-provider in respect of personal data only if the certification-service-provider is established in the United Kingdom and the personal data are processed in the context of that establishment.
(7) For the purposes of paragraph (6) above, each of the following is to be treated as established in the United Kingdom—
(a)an individual who is ordinarily resident in the United Kingdom,
(b)a body incorporated under the law of, or in any part of, the United Kingdom,
(c)a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and
(d)any person who does not fall within sub-paragraph (a), (b) or (c) above but maintains in the United Kingdom—
(i)an office, branch or agency through which he carries on any activity, or
(ii)a regular practice.
(8) In this regulation—
“data subject” and “personal data” and “processing” shall have the same meanings as in section 1(1) of the Data Protection Act 1998(1), and
“obtain” shall bear the same interpretation as “obtaining” in section 1(2) of the Data Protection Act 1998.