Search Legislation

The Data Protection (Charges and Information) Regulations 2018

What Version

 Help about what version
  • Latest available (Revised)
  • Original (As made)

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Data Protection (Charges and Information) Regulations 2018 and come into force on 25th May 2018.

(2) In these Regulations—

“business” includes any trade or profession;

“charge period” has the meaning given in regulation 2(6);

“data controller’s financial year” means—

(a)

if the data controller(1) has been in existence for less than 12 months, the period of its existence, or

(b)

in any other case, the most recent financial year of the data controller that ended prior to the first day of the charge period in respect of which information is being provided, or a charge is being paid, pursuant to regulation 2;

“exempt processing” has the meaning given in the Schedule;

“financial year”, in paragraph (b) of the definition of “data controller’s financial year”—

(a)

in relation to a company, is determined in accordance with section 390 of the Companies Act 2006(2),

(b)

in relation to a limited liability partnership, is determined in accordance with section 390 of the Companies Act 2006 as applied by regulation 7 of the Limited Liability Partnerships (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008(3), and

(c)

in relation to any other case, means the period, covering 12 consecutive months, over which a data controller determines income and expenditure;

“member of staff” means any—

(a)

employee,

(b)

worker within the meaning given in section 296 of the Trade Union and Labour Relations (Consolidation) Act 1992(4),

(c)

office holder, or

(d)

partner;

“number of members of staff” means the number calculated by—

(a)

ascertaining for each completed month of the data controller’s financial year the total number of persons who have been members of staff of the data controller in that month,

(b)

adding together the monthly totals, and

(c)

dividing by the number of months in the data controller’s financial year;

“processing”, in relation to personal data, means an operation or set of operations which is performed on personal data;

“public authority” means a public authority as defined by the Freedom of Information Act 2000(5) or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002(6);

“turnover”—

(a)

in relation to a company, has the meaning given in section 474 of the Companies Act 2006,

(b)

in relation to a limited liability partnership, has the meaning given in section 474 of the Companies Act 2006 as applied by regulation 32 of the Limited Liability Partnerships (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008, and

(c)

in relation to any other case, means the amounts derived by the data controller from the provision of goods and services falling within the data controller’s ordinary activities, after deduction of—

(i)

trade discounts,

(ii)

value added tax, and

(iii)

any other taxes based on the amounts so derived.

Requirements on data controllers

2.—(1) A data controller must comply with the requirements of this regulation unless all of the processing of personal data they undertake is exempt processing.

(2) Within the first 21 days of each charge period a data controller must pay a charge to the Information Commissioner, determined in accordance with regulation 3.

(3) Within the first 21 days of each charge period a data controller must provide to the Information Commissioner the following information, as of the first day of each charge period—

(a)the name and address of the data controller;

(b)whether the number of members of staff of the data controller is—

(i)less than or equal to 10,

(ii)greater than 10 but less than or equal to 250, or

(iii)greater than 250;

(c)whether the turnover for the data controller’s financial year is—

(i)less than or equal to £632,000,

(ii)greater than £632,000 but less than or equal to £36 million, or

(iii)greater than £36 million; and

(d)whether the data controller is a public authority.

(4) Paragraph (3)(c) does not apply to a data controller that is a public authority.

(5) For the purposes of paragraph (3)(a)—

(a)the address of a registered company is that of its registered office, and

(b)the address of a person (other than a registered company) carrying on a business is that of the person’s principal place of business in the UK.

(6) In this regulation—

“charge period” means—

(a)

for a person who is a data controller immediately before 25th May 2018 and has paid a fee pursuant to section 18(5) or 19(4) of the Data Protection Act 1998(7)—

(i)

the period of 12 months beginning on the date which is 12 months after the date on which that fee was most recently received by the Information Commissioner, and

(ii)

each subsequent period of 12 months;

(b)

for a person who is a data controller immediately before 25th May 2018 but has not paid a fee pursuant to section 18(5) or 19(4) of the Data Protection Act 1998—

(i)

the period of 12 months beginning on 25th May 2018, and

(ii)

each subsequent period of 12 months; or

(c)

for a person who becomes a data controller on or after 25th May 2018—

(i)

the period of 12 months beginning on the date on which the person becomes a data controller, and

(ii)

each subsequent period of 12 months;

“registered company” means a company registered under the Companies Acts as defined by section 2(1) of the Companies Act 2006.

Amount of charge payable under regulation 2

3.—(1) For the purposes of regulation 2(2), the charge payable by a data controller in—

(a)tier 1 (micro organisations), is £40;

(b)tier 2 (small and medium organisations), is £60;

(c)tier 3 (large organisations), is £2,900.

(2) For the purposes of this regulation, a data controller is, subject to paragraph (3)—

(a)in tier 1 if—

(i)it has a turnover of less than or equal to £632,000 for the data controller’s financial year,

(ii)the number of members of staff of the data controller is less than or equal to 10,

(iii)it is a charity, or

(iv)it is a small occupational pension scheme;

(b)in tier 2 if it is not in tier 1 and—

(i)it has a turnover of less than or equal to £36 million for the data controller’s financial year, or

(ii)the number of members of staff of the data controller is less than or equal to 250;

(c)in tier 3 if it is not in tier 1 or tier 2.

(3) Paragraphs (2)(a)(i) and (2)(b)(i) are to be disregarded in relation to a public authority.

(4) For the purposes of regulation 3(2), the turnover and number of members of staff is determined on the first day of the charge period to which the charge relates.

(5) The applicable charge in paragraph (1) is reduced by £5.00 for a data controller that makes payment of the charge by direct debit.

(6) In this regulation—

“charity”—

(i)

in relation to England and Wales, has the meaning given in section 1 of the Charities Act 2011(8),

(ii)

in relation to Scotland, means a body entered in the Scottish Charity Register maintained under section 3 of the Charity and Trustee Investment (Scotland) Act 2005(9), and

(iii)

in relation to Northern Ireland, has the meaning given in section 1 of the Charities Act (Northern Ireland) 2008(10);

“small occupational pension scheme” has the meaning given in regulation 4 of the Occupational and Personal Pension Schemes (Consultation by Employers and Miscellaneous Amendment) Regulations 2006(11).

Requirements in respect of partnerships

4.—(1) In any case in which two or more persons carrying on a business in partnership are the data controllers in respect of personal data for the purposes of that business, the requirements of regulation 2 may be satisfied in respect of those persons in the name of the firm.

(2) Where the requirements of regulation 2 are satisfied in the name of a firm under paragraph (1) above—

(a)the name to be specified for the purposes of regulation 2(3)(a) is the name of that firm, and

(b)the address to be specified for the purposes of regulation 2(3)(a) is the address of that firm’s principal place of business.

(3) For the purposes of regulations 2 and 3, references to the turnover and number of members of staff of a data controller which is a partnership are references to the turnover and number of members of staff of the firm as a whole.

Requirements in respect of the governing body of, and head teacher at, any school

5.—(1) In any case in which a governing body of a school and a head teacher at a school are both data controllers for the purposes of that school, the requirements of regulation 2 may be satisfied in respect of that governing body and head teacher in the name of the school.

(2) Where the requirements of regulation 2 are satisfied in the name of a school under paragraph (1) above, the name and address to be specified for the purposes of regulation 2(3)(a) are those of the school.

(3) For the purposes of this regulation, in the definition of “number of members of staff” in regulation 1(2) any reference to a data controller is to be treated as a reference to the school.

(4) In this regulation—

“head teacher” includes, in Northern Ireland, the principal of a school;

“school”—

(a)

in relation to England and Wales, has the same meaning as in the Education Act 1996(12),

(b)

in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980(13), and

(c)

in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986(14).

Crown application

6.  These Regulations bind the Crown but do not apply to—

(a)Her Majesty in Her private capacity,

(b)Her Majesty in right of the Duchy of Lancaster, or

(c)the Duke of Cornwall.

Margot James

Minister of State

Department for Digital, Culture, Media and Sport

11th April 2018

Back to top

Options/Help

Print Options

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Memorandum

Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as made version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources