Data Protection Act 2018


Data Protection Act 2018, Cross Heading: General obligations, is up to date with all changes known to be in force on or before 19 April 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.


General obligations (Extent: U.K.)

56 General obligations of the controller (Extent: U.K.)

(1) Each controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part.

(2) Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies.

(3) The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary.

57 Data protection by design and default (Extent: U.K.)

(1) Each controller must implement appropriate technical and organisational measures which are designed—

(a) to implement the data protection principles in an effective manner, and

(b) to integrate into the processing itself the safeguards necessary for that purpose.

(2) The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing itself.

(3) Each controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.

(4) The duty under subsection (3) applies to—

(a) the amount of personal data collected,

(b) the extent of its processing,

(c) the period of its storage, and

(d) its accessibility.

(5) In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number of people without an individual's intervention.

58 Joint controllers (Extent: U.K.)

(1) Where two or more competent authorities jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2) Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3) The arrangement must designate the controller which is to be the contact point for data subjects.

59 Processors (Extent: U.K.)

(1) This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2) The controller may use only a processor who provides guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will—

(a) meet the requirements of this Part, and

(b) ensure the protection of the rights of the data subject.

(3) The processor used by the controller may not engage another processor (“a sub-processor”) without the prior written authorisation of the controller, which may be specific or general.

(4) Where the controller gives a general written authorisation to a processor, the processor must inform the controller if the processor proposes to add to the number of sub-processors engaged by it or to replace any of them (so that the controller has the opportunity to object to the proposal).

(5) The processing by the processor must be governed by a contract in writing between the controller and the processor setting out the following—

(a) the subject-matter and duration of the processing;

(b) the nature and purpose of the processing;

(c) the type of personal data and categories of data subjects involved;

(d) the obligations and rights of the controller and processor.

(6) The contract must, in particular, provide that the processor must—

(a) act only on instructions from the controller,

(b) ensure that the persons authorised to process personal data are subject to an appropriate duty of confidentiality,

(c) assist the controller by any appropriate means to ensure compliance with the rights of the data subject under this Part,

(d) at the end of the provision of services by the processor to the controller—

(i) either delete or return to the controller (at the choice of the controller) the personal data to which the services relate, and

(ii) delete copies of the personal data unless subject to a legal obligation to store the copies,

(e) make available to the controller all information necessary to demonstrate compliance with this section, and

(f) comply with the requirements of this section for engaging sub-processors.

(7) The terms included in the contract in accordance with subsection (6)(a) must provide that the processor may transfer personal data to a third country or international organisation only if instructed by the controller to make the particular transfer.

(8) If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

60 Processing under the authority of the controller or processor (Extent: U.K.)

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a) on instructions from the controller, or

(b) to comply with a legal obligation.

61 Records of processing activities (Extent: U.K.)

(1) Each controller must maintain a record of all categories of processing activities for which the controller is responsible.

(2) The controller's record must contain the following information—

(a) the name and contact details of the controller;

(b) where applicable, the name and contact details of the joint controller;

(c) where applicable, the name and contact details of the data protection officer;

(d) the purposes of the processing;

(e) the categories of recipients to whom personal data has been or will be disclosed (including recipients in third countries or international organisations);

(f) a description of the categories of—

(i) data subject, and

(ii) personal data;

(g) where applicable, details of the use of profiling;

(h) where applicable, the categories of transfers of personal data to a third country or an international organisation;

(i) an indication of the legal basis for the processing operations, including transfers, for which the personal data is intended;

(j) where possible, the envisaged time limits for erasure of the different categories of personal data;

(k) where possible, a general description of the technical and organisational security measures referred to in section 66.

(3) Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.

(4) The processor's record must contain the following information—

(a) the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);

(b) the name and contact details of the controller on behalf of which the processor is acting;

(c) where applicable, the name and contact details of the data protection officer;

(d) the categories of processing carried out on behalf of the controller;

(e) where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;

(f) where possible, a general description of the technical and organisational security measures referred to in section 66.

(5) The controller and the processor must make the records kept under this section available to the Commissioner on request.

62 Logging (Extent: U.K.)

(1) A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

(a) collection;

(b) alteration;

(c) consultation;

(d) disclosure (including transfers);

(e) combination;

(f) erasure.

(2) The logs of consultation must make it possible to establish—

(a) the justification for, and date and time of, the consultation, and

(b) so far as possible, the identity of the person who consulted the data.

(3) The logs of disclosure must make it possible to establish—

(a) the justification for, and date and time of, the disclosure, and

(b) so far as possible—

(i) the identity of the person who disclosed the data, and

(ii) the identity of the recipients of the data.

(4) The logs kept under subsection (1) may be used only for one or more of the following purposes—

(a) to verify the lawfulness of processing;

(b) to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;

(c) to ensure the integrity and security of personal data;

(d) the purposes of criminal proceedings.

(5) The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.

63 Co-operation with the Commissioner (Extent: U.K.)

Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner's tasks.

64 Data protection impact assessment (Extent: U.K.)

(1) Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.

(2) A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.

(3) A data protection impact assessment must include the following—

(a) a general description of the envisaged processing operations;

(b) an assessment of the risks to the rights and freedoms of data subjects;

(c) the measures envisaged to address those risks;

(d) safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

(4) In deciding whether a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.

65 Prior consultation with the Commissioner (Extent: U.K.)

(1) This section applies where a controller intends to create a filing system and process personal data forming part of it.

(2) The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section 64 indicates that the processing of the data would result in a high risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).

(3) Where the controller is required to consult the Commissioner under subsection (2), the controller must give the Commissioner—

(a) the data protection impact assessment prepared under section 64, and

(b) any other information requested by the Commissioner to enable the Commissioner to make an assessment of the compliance of the processing with the requirements of this Part.

(4) Where the Commissioner is of the opinion that the intended processing referred to in subsection (1) would infringe any provision of this Part, the Commissioner must provide written advice to the controller and, where the controller is using a processor, to the processor.

(5) The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor.

(6) The Commissioner may extend the period of 6 weeks by a further period of 1 month, taking into account the complexity of the intended processing.

(7) If the Commissioner extends the period of 6 weeks, the Commissioner must—

(a) inform the controller and, where applicable, the processor of any such extension before the end of the period of 1 month beginning with receipt of the request for consultation, and

(b) provide reasons for the delay.
