Chwilio Deddfwriaeth

Data Protection Act 2018

Statws

Dyma’r fersiwn wreiddiol (fel y’i gwnaed yn wreiddiol).

CHAPTER 4Controller and processor

Overview

101Overview

This Chapter sets out—

(a)the general obligations of controllers and processors (see sections 102 to 106);

(b)specific obligations of controllers and processors with respect to security (see section 107);

(c)specific obligations of controllers and processors with respect to personal data breaches (see section 108).

General obligations

102General obligations of the controller

Each controller must implement appropriate measures—

(a)to ensure, and

(b)to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.

103Data protection by design

(1)Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.

(2)A controller must implement appropriate technical and organisational measures which are designed to ensure that—

(a)the data protection principles are implemented, and

(b)risks to the rights and freedoms of data subjects are minimised.

104Joint controllers

(1)Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2)Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3)The arrangement must designate the controller which is to be the contact point for data subjects.

105Processors

(1)This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2)The controller may use only a processor who undertakes—

(a)to implement appropriate measures that are sufficient to secure that the processing complies with this Part;

(b)to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.

(3)If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

106Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a)on instructions from the controller, or

(b)to comply with a legal obligation.

Obligations relating to security

107Security of processing

(1)Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.

(2)In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—

(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with it,

(b)ensure that it is possible to establish the precise details of any processing that takes place,

(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

Obligations relating to personal data breaches

108Communication of a personal data breach

(1)If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.

(2)Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(3)Subject to subsection (4), the notification must include—

(a)a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b)the name and contact details of the contact point from whom more information can be obtained;

(c)a description of the likely consequences of the personal data breach;

(d)a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(4)Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.

(5)If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.

(6)Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.

(7)For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.

Yn ôl i’r brig

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open y Ddeddf Gyfan

Y Ddeddf Gyfan you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open y Ddeddf Gyfan heb Atodlenni

Y Ddeddf Gyfan heb Atodlenni you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

Y Rhestrau you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Mae deddfwriaeth ar gael mewn fersiynau gwahanol:

Y Diweddaraf sydd Ar Gael (diwygiedig):Y fersiwn ddiweddaraf sydd ar gael o’r ddeddfwriaeth yn cynnwys newidiadau a wnaed gan ddeddfwriaeth ddilynol ac wedi eu gweithredu gan ein tîm golygyddol. Gellir gweld y newidiadau nad ydym wedi eu gweithredu i’r testun eto yn yr ardal ‘Newidiadau i Ddeddfwriaeth’.

Gwreiddiol (Fel y’i Deddfwyd neu y’i Gwnaed): Mae'r wreiddiol fersiwn y ddeddfwriaeth fel ag yr oedd pan gafodd ei deddfu neu eu gwneud. Ni wnaed unrhyw newidiadau i’r testun.

Close

Gweler y wybodaeth ychwanegol ochr yn ochr â’r cynnwys

Dangos Nodiadau Eglurhaol ar gyfer Adrannau: Yn arddangos rhannau perthnasol o’r nodiadau esboniadol wedi eu cydblethu â chynnwys y ddeddfwriaeth.

Close

Dewisiadau Agor

Dewisiadau gwahanol i agor deddfwriaeth er mwyn gweld rhagor o gynnwys ar y sgrin ar yr un pryd

Close

Nodiadau Esboniadol

Testun a grëwyd gan yr adran o’r llywodraeth oedd yn gyfrifol am destun y Ddeddf i esbonio beth mae’r Ddeddf yn ceisio ei wneud ac i wneud y Ddeddf yn hygyrch i ddarllenwyr nad oes ganddynt gymhwyster cyfreithiol. Cyflwynwyd Nodiadau Esboniadol ym 1999 ac maent yn cyd-fynd â phob Deddf Gyhoeddus ac eithrio Deddfau Adfeddiannu, Cronfa Gyfunol, Cyllid a Chyfnerthiad.

Close

Rhagor o Adnoddau

Gallwch wneud defnydd o ddogfennau atodol hanfodol a gwybodaeth ar gyfer yr eitem ddeddfwriaeth o’r tab hwn. Yn ddibynnol ar yr eitem ddeddfwriaeth sydd i’w gweld, gallai hyn gynnwys:

  • y PDF print gwreiddiol y fel deddfwyd fersiwn a ddefnyddiwyd am y copi print
  • rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
  • manylion rhoi grym a newid cyffredinol
  • pob fformat o’r holl ddogfennau cysylltiedig
  • slipiau cywiro
  • dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Close

Rhagor o Adnoddau

Defnyddiwch y ddewislen hon i agor dogfennau hanfodol sy’n cyd-fynd â’r ddeddfwriaeth a gwybodaeth am yr eitem hon o ddeddfwriaeth. Gan ddibynnu ar yr eitem o ddeddfwriaeth sy’n cael ei gweld gall hyn gynnwys:

  • y PDF print gwreiddiol y fel deddfwyd fersiwn a ddefnyddiwyd am y copi print
  • slipiau cywiro

liciwch ‘Gweld Mwy’ neu ddewis ‘Rhagor o Adnoddau’ am wybodaeth ychwanegol gan gynnwys

  • rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
  • manylion rhoi grym a newid cyffredinol
  • pob fformat o’r holl ddogfennau cysylltiedig
  • dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill