|1: What is the GDPR?|
|In short||The GDPR (General Data Protection Regulation) is the legal framework that governs the processing, movement and protection of personal data of individuals located in the EU. Following Brexit, the UK retained the GDPR as domestic law. When you process personal data, you should consider what type of data it is (i.e. if it is particularly sensitive data – known as ‘special categories of personal data’ in the GDPR) as this may impact how and when you are allowed to process such data.|
|Explanation||What is the GDPR?
The European Union (EU) General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has applied since 25 May 2018. It is a regulation which governs the processing, movement and protection of personal data of individuals located in the EU. Following Brexit, the United Kingdom (UK) retained the GDPR as domestic law as the UK General Data Protection Regulation (UK GDPR), which sits alongside the United Kingdom’s Data Protection Act 2018 (DPA). The UK GDPR is largely similar to the EU GDPR, with some differences incorporated to accommodate domestic areas of law. In this Memo, where we refer to the GDPR, we are referring to both the EU GDPR and the UK GDPR.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What are special categories of personal data?
Special categories of data are types of personal data which attract a higher level of protection because they are sensitive. Special categories of data are personal data revealing a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. Data about criminal convictions and offences is not a special category but receives comparable extra protection (see below). There is a general prohibition on processing special categories of data unless an exception applies. EU member states and the UK are also able to make their own laws regarding the processing of special categories of personal data. The exceptions you may rely on are:
The GDPR gives extra protection to the personal data of offenders or suspected offenders in the context of criminal activity, allegations, investigations, and proceedings. Such data can only be processed if the processing is either under the control of an official authority, or is authorised by domestic law. In the UK, this means that you need to meet one of the conditions in Schedule 1 of the DPA, one of which is consent.
What does it mean to process data?
Processing means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What are the key principles underlying the GDPR?
The GDPR sets out seven key principles relating to the processing of personal data. These principles must lie at the heart of your approach to processing personal data. These principles are:
1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner.
2. Purpose limitation: personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which the personal data is processed.
4. Accuracy: personal data must be accurate and, where necessary, kept up to date (and erased or rectified without delay where it is inaccurate).
5. Storage limitation: personal data must only be kept in a form which permits identification of data subjects for as long as necessary for the purposes for which it was collected.
6. Integrity and confidentiality: personal data must be processed securely in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Accountability: controllers (the party that determines what personal data to collect and how to process that personal data) must be able to demonstrate compliance with points 1-6 above.
|2: What is the difference between a data controller and a data processor?|
|In short||The GDPR includes the concept of a controller and a processor. A controller determines what personal data to collect and how to process that personal data. Controllers may do so alone or jointly with another entity. A processor processes personal data on behalf of another entity. You may be solely a controller or solely a processor, or may be both a controller and processor. You should determine in what situations you act as a controller, and in what situations you act as a processor, because different obligations apply when you are acting as a controller or as a processor.|
|Explanation||What are controllers and processors?
The GDPR includes the concept of a controller and a processor. An entity may be solely a controller or solely a processor, or may be both a controller and processor. The concepts of controller and processor are defined below.
A controller determines what personal data to collect and how to process that personal data. For example, a business would be considered a controller when it collects contact and payment details from a customer so that it can provide goods and/or services. It would also be a controller when it engages employees.
A controller may make the determination of what personal data to collect and how to process that personal data jointly with another entity. If entities determine this jointly, these entities are joint controllers. An example of this is where two companies decide to launch a co-branded product and organise an event together to promote the product. In running the event, they decide to share data from their respective client databases and decide on the list of invitees together. They also agree on how the invitations to the event will be sent, how to collect feedback during the event and how they will follow up the event with marketing materials. The two companies can be considered as joint controllers in this scenario for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.
Where you are a joint controller you must determine with your joint controllers who will be responsible for carrying out each obligation a controller has under the GDPR. As a joint controller, you are not required to have a contract with the other joint controllers, but you must have a transparent arrangement that sets out your agreed roles and responsibilities for complying with the GDPR, in particular, addressing the rights of individuals under the GDPR.
A processor processes personal data on behalf of another entity. A processor does not determine how to process that personal data. A processor only collects and processes the personal data on the instructions of the controller. Many B2B SaaS businesses such as Mailchimp, Stripe, and Xero are considered processors when they are instructed by their clients to process personal data in a particular way. For example, your business might tell Xero who your employees are, what their salary is, when their wages should be paid and request that Xero provides them with a payslip and payment. In this situation, Xero would be the processor because they are only collecting and processing such personal data on your instructions.
The relationship between a controller and processor
A controller will often use one or more processors to process personal data. A controller must only use a processor who provides sufficient guarantees to implement appropriate technical and organisational measures so that the controller can be confident that processing by the processor will meet the requirements of the GDPR and ensure the protection of the data subject rights.
Where a processor engages another entity to also process all or part of the data it processes for the controller, this other entity will be the processor’s subprocessor. In point 6, we look at the obligations of a processor when using a subprocessor. The controller must also satisfy itself that the subprocessors engaged by a processor provide sufficient guarantees to implement appropriate technical and organisational measures, and that processing by the processor will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
|3: What are the key obligations of a data controller?|
|In short||As a data controller, you must:
|Explanation||In addition to the requirement to choose suitable processors, the key obligations of a data controller are as described below. There are also further obligations which apply to a controller and a processor, as set out in point 5.
Choose a legal basis for processing personal data
Where you act as a controller, every time you collect a piece of personal data you need to choose a legal basis which allows you to lawfully collect that personal data and to process it. The legal bases which you can choose from are as follows:
Respond to data subject requests to exercise their privacy rights
The GDPR provides a number of privacy rights to individuals. Where you act as a controller, it is your responsibility to respond to an individual’s requests to exercise their rights.
These rights include:
You must respond to a rights request without undue delay, and in any event within one month of receipt, either by providing the information, taking the action or writing to the data subject with the reasons for not providing the information or taking the action and informing them of their right to complain to a supervisory authority and seek a judicial remedy. If the requests are numerous or complex you may extend the response time by two further months, but you must tell the data subject about the extension, and the reasons for it, within the first month.
Unless a request is manifestly unfounded or excessive (e.g. repetitive requests for the same information), you are prohibited from charging a fee to respond to a request.
You should ensure that your staff are aware of the rights of data subjects and that you have processes in place for receiving a request, recording a request, assessing a request and responding to a request within one month. If possible, this should be recorded in your CRM for ease of use and to ensure you have one source of truth regarding each data subject for which you act as a controller.
Processing limitations and data retention
You should only collect personal data which is necessary for each specific purpose, and only process it to the extent necessary for that specific purpose. You should also retain personal data in an identifiable format only for as long as necessary for the purposes for which the personal data was processed. Once the personal data is no longer necessary for the purposes for which it was processed, unless you have another legal obligation to retain the data, you should de-identify, delete or destroy that personal data.
Data breach notification
Where you act as a controller, you have an obligation to notify the relevant supervisory authority and, in some cases, affected data subjects of a personal data breach. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data you hold. Examples of data breaches include:
Notify the supervisory authority: You must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If you cannot notify within 72 hours, you must give the reasons for the delay. You must also keep an internal record of every breach, whether or not it is notifiable.
Notify affected individuals: A data breach is notifiable to affected data subjects where it is likely to result in a high risk to the rights and freedoms of individuals. You must inform those data subjects of the breach without undue delay, describing in clear and plain language the nature of the breach, its likely consequences and the measures you have taken or propose to take.
Data breach response plan: You should have an internal data breach response plan to help you respond quickly to a data breach, acknowledging the 72 hour turnaround. You should also ensure your staff are aware of your data breach obligations and receive privacy training to minimise the risk of data breaches (especially those caused by human error).
Privacy notices
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. As part of this, you must have a privacy notice which includes the information required to be included under the GDPR. You are required to provide the privacy notice to a data subject at the time that you collect personal data from them. You can do this by displaying the privacy notice anywhere you collect personal data, such as on your ‘contact us’ form, in an email where you are requesting personal data or on a job application form.
If you make any changes to the types of data you process, or the way you process personal data, you must first ensure that you have a legal basis under which to do so (see this point 3 and point 4 below). Once you are satisfied that you may make the change, or introduce new processing, such changes to your privacy practices should also be reflected in your privacy notices as they should be ‘live’ documents.
If you make any material changes to the privacy notice you must take steps to notify those subjects of the changes before you start the change in processing or new processing activities. You may do this by sending an email with notice of the changes. You may also consider in-account pop-ups. Any such communication must be dedicated to the notice. It should not include promotional content.
Data protection impact assessments
Where you act as a controller, you must carry out a data protection impact assessment if data processing is likely to result in a high risk to individuals. Any activity that may lead to discrimination, identity theft or fraud, financial loss, reputational damage, physical harm, loss of confidentiality or re-identification of pseudonymised data are situations that may have a high risk to individuals. Examples of situations when you should carry out a data protection impact assessment include where you:
The aim is to assess what personal data will be processed, how it will be legally processed, to identify risks and put in place a plan to eliminate or mitigate any identified risks. The assessment, including the outcome, should be recorded. If you identify a high risk that you cannot mitigate, you must consult the relevant supervisory authority before starting the processing.
Paying a Data Protection Fee
Where you act as a controller subject to the UK GDPR, you are required to register and pay a data protection fee to the ICO, unless you are exempt. The requirement to pay the fee will depend on the practices of the business. You can complete a registration self-assessment to determine the applicability of the fee. If you determine that you are required to pay the data protection fee, you can conduct a fee self-assessment to determine the amount of the fee payable, which is priced according to the size of your business. The fee is payable annually, so you should set a reminder every 12 months to pay the fee, unless your privacy and data practices change so that you are no longer required to pay the fee. The ICO publishes a public list of all fee-payers, so your clients will be aware of your commitment to complying with your data protection obligations.
If you are required to register, but fail to pay the data protection fee, this may result in a penalty being imposed on you by the ICO, with fines ranging from £400 to £4,000.
|4: As a controller, how do you choose a legal basis?|
|In short||Where you are a controller, you must choose a legal basis to rely on every time you collect a piece of personal data. The most common legal bases that controllers rely on are performing a contract, consent and legitimate interests. Once you have chosen a legal basis, you must ensure that you take such steps as are required to implement that legal basis in practice.|
|Explanation||As noted above, where you act as a controller, every time you collect a piece of personal data you need to choose a legal basis which allows you to lawfully collect that personal data and to process it.
You can, and will likely need to, choose a different legal basis for different types of processing of personal data. For example, you may choose a legal basis to rely on for your direct marketing activities but this may be different to the legal basis you choose to rely on when you are collecting data to enter into a contract with a customer. While consent is the most widely talked about legal basis, consent is just one of the legal bases you may rely on.
You must determine your legal basis before starting to process personal data and record what legal bases you are relying on. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one because it is likely to be inherently unfair to the individual and lead to breaches of the accountability and transparency requirements.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you will need to assess whether your new purpose is compatible with the original purpose. However, this compatibility test does not apply where the original basis was consent. In that case you will need either to get fresh consent which specifically covers the new purpose, or to find a different basis for the new purpose. If you do get specific consent for the new purpose, you do not need to show it is compatible. To determine compatibility, you should take into account any link between the original and proposed new purposes, the context in which the data was collected, the nature of the data (particularly if it is a special category of data or data relating to criminal offences), the possible consequences of the proposed processing and the existence of safeguards (including encryption or pseudonymisation). As a general rule, if the new purpose is very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is unlikely to be compatible with your original purpose for collecting the data. You will then need to identify and document a new legal basis to process the data for that new purpose.
The most common legal bases that controllers rely on are performing a contract, consent, legitimate interests and legal obligations. When you choose a legal basis, you must make sure you take the required steps to implement that legal basis in practice. Below we look at the required steps for performing a contract, consent and legitimate interests.
Performing a contract
When you choose to rely on performing a contract you must only use this legal basis to:
Consent
When you choose to rely on consent you must ensure the consent is:
Note that where you are processing a child’s personal data, and wish to rely on the legal basis of consent, true consent is harder to obtain. Where an online service is offered directly to a child, the GDPR treats a child’s own consent as valid only from the age of 16 (individual member states may lower that age to 13, and the UK has set it at 13); below that age, consent must be given or authorised by the holder of parental responsibility. If you are relying on consent to process a child’s data, you will need to make sure you are truly able to give children (or their guardians) an informed choice and control over how you use their personal data, taking into account any power imbalance in your relationship with the child, and ensure the child has capacity to provide consent (that they understand the implications of the collection and processing of their personal data).
Legitimate interests
When you choose to rely on legitimate interests you must make an assessment that processing is necessary for the purpose of your legitimate interests and that these interests are not overridden by the interests or fundamental rights and freedoms of the individual, taking into consideration the reasonable expectations of the individual based on their relationship with you. For example, you may rely on this during the hiring process for pre-employment checks.
This is an assessment that requires you to weigh your commercial interests against the risk to the individual. The assessment is made internally and should be recorded.
Legal obligation
You can rely on this legal basis if you need to process personal data in order to comply with a legal or statutory obligation (under EU member state or UK law, as applicable). A typical situation where you would rely on this basis includes where an employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HM Revenue and Customs (in the UK). We cover this in more detail in point 11. To rely on this legal basis the processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.
|5: What are the obligations that a data controller and data processor share?|
|In short||Some obligations under the GDPR are shared by data controllers and data processors. This means that all businesses need to:
|Explanation||GDPR obligations which apply to both controllers and processors are as set out below.
Implement appropriate security measures
Article 32 of the GDPR requires the following:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
In assessing risk, it is pertinent to consider the likely harm caused by a breach of that personal data. Therefore, greater security measures will be required for processing special categories of data due to its sensitivity and greater potential to cause detriment if unlawfully disclosed.
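The first measure in the list above, pseudonymisation, is frequently implemented badly: replacing an identifier with an unkeyed hash of itself looks like pseudonymisation but is trivially reversed for low-entropy identifiers such as e-mail addresses. The following Python example is added here to illustrate the point and is not part of the memo or of any product it mentions. It assumes records are dictionaries with an ‘email’ field and that the pseudonymisation key is a secret stored separately from the data (for example in a key management service); the records and the attacker’s candidate list are constructed for the example. Bear in mind that pseudonymised data is still personal data under the GDPR (Recital 26), because the key allows re-identification.

```python
"""
Added example (not from the memo): pseudonymisation as an Article 32
measure, and why an unkeyed hash of an identifier is not effective
pseudonymisation. Assumptions: records are dicts with an 'email' field
and the key is a secret held outside the dataset (e.g. in a KMS).
All data below is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious addresses, illustrative values).
RECORDS = [
    {"email": "alice@example.com", "order_total": 120.0},
    {"email": "bob@example.com", "order_total": 45.5},
    {"email": "Alice@Example.com ", "order_total": 10.0},
]


def _normalise(identifier: str) -> bytes:
    # Canonicalise so the same person always maps to the same token.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Anyone who can enumerate plausible identifiers
    (e.g. a leaked address list) recomputes the hash and re-identifies it."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Still deterministic, so records of
    the same person can be joined, but not recomputable without the key,
    which must be stored separately from the pseudonymised data."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed token; other fields stay."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_token"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_dictionary(tokens, candidates, token_fn):
    """Attacker's view: with a list of candidate identifiers, build a
    lookup of token -> identifier and match it against the dataset."""
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    """Return (distinct tokens re-identified for naive hashing, for keyed HMAC)."""
    key = secrets.token_bytes(32)  # in practice: generated and held in a KMS
    # Constructed attacker dictionary: a plausible list of addresses.
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    naive_tokens = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed_tokens = [r["subject_token"] for r in pseudonymise(RECORDS, key)]
    naive_hits = reidentify_by_dictionary(naive_tokens, candidates, naive_pseudonym)
    keyed_hits = reidentify_by_dictionary(keyed_tokens, candidates, naive_pseudonym)
    return len(naive_hits), len(keyed_hits)


if __name__ == "__main__":
    print(demo())  # (2, 0): naive tokens fall to a dictionary, keyed ones do not
```

Because the keyed token is deterministic, it still allows records about one person to be linked across the dataset; if that linkage is not needed for the purpose, use a different key per dataset or per purpose so that tokens cannot be joined, and rotate or destroy the key when the retention period for the identifiable data ends.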
Appoint an EU representative
Where you are based outside of the EU, you must appoint an EU representative unless your processing is occasional, and does not involve large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences of EU based individuals, and is unlikely to result in a risk to the rights and freedoms of those individuals. Any EU representative must be located in an EU member state where data subjects about whom you process personal data are also located and will be the first point of contact for supervisory authorities and data subjects with questions regarding the GDPR.
Appoint a UK representative
Where you are based outside of the UK, you are required to appoint a UK representative unless your processing is occasional, and does not involve large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences of UK based individuals, and is unlikely to result in a risk to the rights and freedoms of those individuals.
Appoint a data protection officer
You must appoint a data protection officer where you are a public authority or body (other than a court acting in its judicial capacity), or where a core activity of your processing requires regular and systematic monitoring of data subjects on a large scale, or includes large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences. Even where appointment is not mandatory, you should record the reasons for your decision not to appoint one.
Keep records of processing activities
You must keep records in a dedicated internal privacy file of:
Records should include details of who is the controller and who is acting as a processor (including data protection officer details where possible), what personal data is being processed, the purposes for processing, how it is being disclosed and the categories of recipients, including the countries to which it is being disclosed and how it is being appropriately safeguarded. Where possible the record should also include the timelines for erasure of that personal data and a general description of the security measures implemented.
|6: What are your obligations as a data processor?|
|In short||As a data processor, you must:
|Explanation||In addition to the above obligations in point 5, the extra obligations of a data processor are as described below. These obligations are best outlined in a data processing agreement. We discuss data processing agreements below at point 7.
Only process on the instructions of the controller
As a processor you must only process the personal data of a controller as instructed by the controller. Often these instructions will be contained within the agreement you have with the controller and any data processing agreement you enter into. For example, the instruction might be to process the personal data to perform the services described in the agreement.
The controller may also provide other instructions from time to time, such as an instruction to provide a copy of the personal data of an individual to an individual or to delete the personal data of an individual.
Ensure confidentiality of staff and contractors
As a processor you must ensure that anyone you allow to process the personal data of the controller has committed themselves to maintain the confidentiality of that data or has a statutory obligation to do so. This is often achieved through confidentiality commitments in employment agreements and contractor agreements with staff and by passing through this obligation in any contract with subprocessors. However, sometimes a controller may require that separate non-disclosure agreements are signed with all individuals who have been provided access to the data.
As a processor you must also comply with the security measures required by the GDPR. The security requirements are as set out in point 5 above.
Obtain consent for subprocessors
A subprocessor is a third party engaged by a processor to assist the processor to process personal data on the controller’s instructions. The GDPR requires that a processor does not engage a subprocessor without the prior specific or general written authorisation of the controller. Where general authorisation is used, it works more like an opt-out system whereby any intended addition or replacement of subprocessors is notified to the controller in advance and the controller is given an opportunity to object. An authorisation (whether general or specific) must be given in writing.
Where a processor engages a subprocessor, the GDPR requires that the same data protection obligations the processor agreed to with the controller are imposed on the subprocessor. A processor will always remain fully liable to the controller (including for all subprocessors) for all breaches of data protection obligations in the processing of the controller’s data.
Assist the controller with responding to data subject rights requests
As a processor you must assist the controller with its obligation to respond to data subject requests. Data subject requests are requests by data subjects to exercise their rights, such as: a right to restrict processing of personal data; to object to the processing of personal data; to access personal data; to have personal data rectified; to have personal data erased (the ‘right to be forgotten’); and to have personal data provided to the data subject or to another controller in a structured, commonly used and machine-readable format.
Return or deletion of personal data
Where the services relating to the processing of the controller’s personal data have ended, the controller can choose to either have the personal data you are processing for the controller returned to the controller or deleted.
Assist the controller with compliance
As a processor you are obliged to assist the controller with its security obligations and prior consultation obligations with supervisory authorities as well as allowing for and contributing to audits carried out by the controller or a third party auditor selected by the controller. You must also provide to the controller all information necessary to demonstrate compliance with the obligations described in this point 6.
Data breach notification
As a processor you have an obligation to notify a controller of a personal data breach without undue delay. Often the exact period of time will be specified in the data processing agreement.
|7: What is a data processing agreement?|
|In short||A data processing agreement is a legally binding contract between two parties that states the rights and obligations of each party concerning the protection of personal data. A data processing agreement should be used every time a data processor is appointed to process personal data.|
|Explanation||The GDPR requires that the processing of personal data by a data processor is to be governed by a binding contract or other legal act and that it must set out, in particular, the obligations listed in point 6 above (but excluding data breach notification (although this can be and is often included) and including the security measures listed in point 5 above). Typically a data processing agreement will be used for this purpose.
A data processing agreement must also specify the subject-matter of the processing (e.g. to provide the services and any related technical support) and its duration (e.g. the term of the contract and 30 days thereafter to allow for return or deletion of the data), the nature and purpose of the processing (e.g. collecting, storing, disclosing, erasing for the purpose of the provision of the services and any related technical support), the type of personal data (e.g. contact data and website visitor data) and the categories of data subjects (e.g. platform users).
A data processing agreement is in addition to the terms for your services (although it is acceptable and common to add it as an addendum to your terms for your services).
As a processor it is a commercial advantage to prepare and provide the data processing agreement alongside your terms for your services. This is because it allows you to set the terms on which such obligations are included, rather than accepting the data processing terms that are proposed by the controller.
|8: How can you transfer personal data outside of the United Kingdom (UK) or European Economic Area (EEA)?|
|In short||You must not transfer personal data overseas (that is, to a recipient located outside of the UK or the EEA, as applicable) unless an exception applies. The key exceptions you may rely on are:
|Explanation||Generally, where you are complying with the UK GDPR, transferring data outside of the UK is not permitted unless you can rely on an exemption. Similarly, where you are complying with the EU GDPR, transferring data outside of the EEA is not permitted unless you can rely on an exemption. An overseas transfer occurs where the personal data is sent or made accessible to a recipient not located in the UK or EEA (as applicable); remote access from outside the UK or EEA to data hosted inside it counts as a transfer. The main exemptions are set out below.
You may transfer data to an approved jurisdiction, provided you comply with the normal rules of transferring personal data.
The UK has currently approved the following countries as locations which are deemed to provide an adequate level of data protection: Andorra, Argentina, Canada (commercial organisations), the EU member states and European Economic Area Members, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Gibraltar, Switzerland and Uruguay. The UK adopted a UK-U.S. data bridge on 12 October 2023. This means that certain organisations in the United States, who have met the requirements of an opt-in certification scheme managed by the US Department of Commerce, are deemed to provide an adequate level of data protection for protecting personal data. The register of these organisations can be accessed here in a list referred to as the ‘DPF List’. The DPF List sets out for each organisation whether HR data (being personal data about an organisation’s employees, past or present, collected in the context of employment) and/or non-HR personal data of UK data subjects is deemed to be protected. Organisations need to be registered as compliant under the ‘UK Extension to the EU-US Data Privacy Framework’ within the DPF List for the transfer to be considered to be an approved transfer.
The EU has currently approved the following countries as locations which are deemed to provide an adequate level of data protection: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom and Uruguay. The EU’s equivalent of the data bridge is the EU-U.S. Data Privacy Framework, adopted by adequacy decision on 10 July 2023. US organisations that have self-certified appear on the same DPF List, which shows whether each organisation is deemed to provide EU data subjects with an adequate level of protection for HR and/or non-HR data.
Note that neither list includes China, Australia or the United States of America (other than organisations certified under the EU-U.S. Data Privacy Framework or its UK Extension, as applicable).
If the location or organisation is not approved, you can still transfer the personal data if you put in place appropriate safeguards that protect the personal data both in transit and in the hands of the recipient. For example, if you transfer personal data to a third party processor located outside the UK or EEA in a jurisdiction that is not approved, or if you are based outside the UK and EEA (such as in Australia) and transfer personal data to your own organisation, you may attach one of the transfer mechanisms (further explained below) to your services agreement. You should also undertake a transfer risk assessment before making the transfer (also explained further below); this is in addition to, not instead of, the transfer mechanism.
The transfer mechanisms are contractual provisions approved by the UK’s ICO and the European Commission that put appropriate data protection safeguards in place where data is transferred outside the UK or EEA (as applicable). In the EU, the European Commission has published standard contractual clauses as an approved transfer mechanism (the EU Standard Contractual Clauses, or EU SCCs). In the United Kingdom, the ICO has approved transfer mechanisms, the most common of which are:
For transfers from the EU and/or UK to an unapproved jurisdiction, using one of the appropriate transfer mechanisms listed above is usually the best option for implementing appropriate safeguards. These can be built into your data processing agreement, or sometimes used as a standalone document. We can assist you to determine which transfer mechanism is most appropriate.
In addition to the above, before you rely on an appropriate safeguard to make a restricted transfer, you must be satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the GDPR, and will have effective and enforceable rights. You should do this by undertaking a transfer risk assessment (referred to as a transfer impact assessment in the EU). The UK’s ICO provides tools, including a template transfer risk assessment tool on its website, to help you do this. Note that there are differences between a UK transfer risk assessment and an EU transfer impact assessment: a transfer risk assessment focuses on the risk to an individual’s privacy and human rights arising from the transfer, whereas a transfer impact assessment requires a broader assessment of the laws and practices of the country where the personal data will be sent, in particular whether public authorities there can access the data in ways that go beyond what the GDPR would allow.
|9: Can you use personal data to send direct marketing?|
|In short||You must not send unsolicited marketing materials without consent, unless an exception applies. The key exceptions include where you rely on the ‘soft opt-in’ for existing customers, or where you are sending business-to-business texts and emails.
Every time you send marketing materials, you should identify who you are and provide individuals with an easy way to unsubscribe (and any such request should be actioned). Where you are calling leads, you should make sure you screen them against any telephone register (such as the Telephone Preference Service (TPS)) before calling.
|Explanation||The PECR and ePrivacy Directive
Marketing communications in the UK are primarily governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and in the EU by the ePrivacy Directive (Directive 2002/58/EC) as implemented in each member state. We note that, in addition to the EU GDPR, there may be laws in EU member states which also regulate the sending of direct marketing.
The GDPR still applies in both instances and you will still need a legal basis to process personal data (in many instances, this will be through consent or legitimate interests). We note that there are ongoing discussions in the EU about updating the current spam, marketing and cookie framework through a new regulation called the ePrivacy Regulation. At the date of this Memo, this is not currently in place.
There is no restriction on sending solicited marketing – that is, marketing material that an individual has specifically requested. This means that if an individual specifically asks you to send them marketing material, you may do so.
Where an individual has not specifically requested to receive marketing materials, it will be considered unsolicited marketing, and the PECR rules and/or the ePrivacy Directive will apply. This is the case even where an individual has opted in to receive marketing materials in the future from you (although in this case, it is very likely to be legal because you have sought consent). Below, we discuss the ways in which you can lawfully send direct marketing.
Every time you send marketing materials, you should identify who you are, and provide individuals with an easy way to unsubscribe (and action such request).
Generally, you will need to rely on consent to send direct marketing (including marketing texts, emails and calls), unless an exception applies (as outlined below). For consent to be valid it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. This means that:
1. Subscribe me to your weekly newsletter.
2. Yes, please send me emails with updates, news and the latest offers from [insert company name].
☐ I would like to subscribe to receive updates, news and the latest offers from [insert company name] via:
☐ phone call
3. I am happy for [insert third party name] to contact me about offers for their events, products and services, via:
☐ phone call
In all examples, the checkboxes should be unticked by default, and ticking the box must not be a mandatory part of signing up to services, making a purchase or downloading content (consent bundled with something else is not freely given). Where you request granular consent, as in examples 2 and 3 above, you should only contact an individual via the channels they have actually agreed to, and only on behalf of the third parties they have agreed to hear from.
You should keep clear records of what an individual has consented to (including the exact wording they were shown), and when and how the consent was obtained, so that you can demonstrate compliance in the event of a complaint.
Exceptions to consent
Soft opt-in: One exception to obtaining specific consent to send marketing materials is the ‘soft opt-in’ for existing customers. You can send marketing texts or emails without consent if:
“By submitting this registration form, you indicate your consent to receiving marketing messages from us. If you do not want to receive such messages, tick here: ”
Business-to-business texts and emails: The rules on consent and the soft opt-in do not apply to ‘corporate subscribers’, that is corporate bodies such as a limited company. It is important to note that this exception does not apply to sole traders. The only requirements for this exception are that you identify yourself and provide your contact details. You should still include an unsubscribe facility in your emails.
The Telephone Preference Service (TPS)
In the UK, when calling leads, you must not call any number registered with the TPS unless the individual has specifically told you that they do not object to your calls. In effect, TPS registration acts as a general opt-out from receiving marketing calls, so your call lists should be screened against the register before each campaign, not just when a lead is first captured. More information about the TPS, including how individuals subscribe, is available at https://www.tpsonline.org.uk/. Individual EEA member states may also have similar registers in place.
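The consent, soft opt-in, corporate-subscriber and TPS rules above can be encoded as a single pre-send gate, so that no campaign goes out on a channel the individual has not agreed to and an actioned unsubscribe always wins. The following Python is an added example written for this Memo, not code from any regulator, product or the original page; the contact fields, the consent-record layout, the `similar_product` flag and the sample contacts are all constructed assumptions about how a marketing system might model these rules.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import FrozenSet, List, Optional, Set, Tuple


class Channel(str, Enum):
    EMAIL = "email"
    TEXT = "text"
    CALL = "call"


@dataclass
class ConsentRecord:
    """One ticked box: which channel, when, where captured and the exact wording shown."""
    channel: Channel
    given_at: datetime
    source: str        # hypothetical capture point, e.g. "checkout form v3"
    wording: str       # the statement next to the box, kept for the audit trail
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    """Constructed model of a marketing contact; field names are assumptions."""
    email: Optional[str] = None
    phone: Optional[str] = None
    corporate_subscriber: bool = False   # limited company etc.; sole traders are individuals
    existing_customer: bool = False      # details obtained in the course of a sale or negotiation
    soft_opt_in_refused: bool = False    # ticked the opt-out box at the point of collection
    unsubscribed: Set[Channel] = field(default_factory=set)
    consents: List[ConsentRecord] = field(default_factory=list)


def record_consent(contact: Contact, ticked: Set[Channel], source: str, wording: str,
                   now: Optional[datetime] = None) -> None:
    """Granular consent: only channels the individual actually ticked get a record.
    The form must present the boxes unticked; an empty ``ticked`` set records nothing."""
    now = now or datetime.now(timezone.utc)
    for channel in ticked:
        contact.consents.append(ConsentRecord(channel, now, source, wording))


def withdraw(contact: Contact, channel: Channel, now: Optional[datetime] = None) -> None:
    """Action an unsubscribe or objection: close open consent records and block the channel."""
    now = now or datetime.now(timezone.utc)
    for rec in contact.consents:
        if rec.channel == channel and rec.withdrawn_at is None:
            rec.withdrawn_at = now
    contact.unsubscribed.add(channel)


def has_consent(contact: Contact, channel: Channel) -> bool:
    """True if there is a consent record for the channel that has not been withdrawn."""
    return any(r.channel == channel and r.withdrawn_at is None for r in contact.consents)


def may_send(contact: Contact, channel: Channel, similar_product: bool = True,
             tps_register: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Decide whether a marketing message may go to ``contact`` over ``channel``.

    Check order follows the Memo: an actioned unsubscribe beats everything; then explicit
    granular consent; then, for texts and emails only, the corporate-subscriber exception
    and the soft opt-in (existing customer, similar products, opt-out not taken). Calls are
    screened against the TPS register unless the individual specifically consented to calls.
    Sender identification and an unsubscribe route are the message template's job, not this gate's.
    """
    if channel in contact.unsubscribed:
        return False, "unsubscribed: request must be honoured"
    if channel is Channel.CALL:
        if has_consent(contact, Channel.CALL):
            return True, "consent to calls recorded"
        if contact.phone in tps_register:
            return False, "number on TPS and no specific consent to calls"
        return False, "no consent to calls"
    if has_consent(contact, channel):
        return True, f"consent to {channel.value} recorded"
    if contact.corporate_subscriber:
        return True, "corporate subscriber: consent not required"
    if contact.existing_customer and similar_product and not contact.soft_opt_in_refused:
        return True, "soft opt-in"
    return False, f"no consent to {channel.value} and no exception applies"


if __name__ == "__main__":
    # Constructed sample data; the TPS register would in practice come from the TPS service.
    tps = frozenset({"+441234567890"})
    lead = Contact(email="a@example.com", phone="+441234567890")
    record_consent(lead, {Channel.EMAIL}, "signup form v3",
                   "Yes, please send me emails with updates, news and the latest offers")
    for ch in Channel:
        print(ch.value, may_send(lead, ch, tps_register=tps))
```

Only the ticked channel produces a record, so the constructed lead above can be emailed but not texted, and cannot be called because the number is on the TPS register and no call consent exists. Withdrawing consent via `withdraw` both closes the record and blocks the channel, which is what lets the gate honour an unsubscribe even if a later import re-adds a stale consent.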
|10: What are the requirements when using cookies?|
|11: What are your privacy obligations as an employer?|
|In short||Employers must comply with the obligations of a data controller when processing the personal data of their employees (or job candidates). There are also further requirements when employers are processing special categories of personal data (such as the health information of an employee) and personal data relating to criminal convictions and offences. Before processing such personal data, you should ensure you are doing so in a lawful way.
An employer should have the following documents put in place in relation to the personal data of its employees and job candidates:
|Explanation||For the most part, an employer will be considered a controller when processing its employees’ personal data, and must ensure it complies with the obligations of a controller under the GDPR. This includes having a lawful basis for every processing activity (including during the recruitment process), and being transparent about how you use and safeguard your employees’ (or job candidates’) personal data, for example by providing privacy notices at the point you collect it. You should have separate privacy notices for: (1) employees, contractors and workers; and (2) candidates who apply for a job with you. We note that this point 11 focuses on the GDPR as it sits alongside UK employment law. If you are employing individuals in an EU member state, you should seek legal advice from a lawyer in that particular country.
During the recruitment process, you should ensure your name is stated on any advertisement or application form (including on a third party job application website), and that the application form explains how an applicant’s personal data will be used. You should not collect any personal data that is unnecessary for the recruitment process or for which you have no lawful basis. Before collecting any special categories of data, or vetting any applicant through a criminal record check, ensure that the collection is relevant to the recruitment process and that any relevant conditions for collecting it are satisfied (as outlined below), and do not run reference checks or criminal history checks on job applicants until you have offered them employment. Your offer of employment can be made subject to receiving satisfactory references and checks.
Policy documents and safeguards
Where an appropriate policy document is required to process special categories of personal data or personal data relating to criminal convictions or offences (as detailed below), the document should explain your procedures for complying with the data protection principles when processing such data, and explain your process for the retention and erasure of that personal data (i.e. you should give an indication of how long you will retain it). You should make sure that you apply appropriate safeguards, including that you: (1) retain the policy document; (2) review and, if appropriate, update the policy document from time to time; (3) make the policy document available on request to the supervisory authority without charge; and (4) keep a record of the processing, including the condition you are relying on, your lawful basis, and whether the personal data is retained and erased in accordance with your policies and, if not, the reason for not following them.
Processing Special Categories of Data
There is a general prohibition on the processing of special categories of personal data (such as allergy information, health information, or information about someone’s religion or ethnicity) unless an exception applies. The key exceptions employers rely on to process special categories of personal data are explicit consent, processing necessary for carrying out rights and obligations under employment law, and processing necessary for reasons of substantial public interest.
The general prohibition on the processing of special categories of personal data does not apply where an individual has given explicit consent to the processing for one or more specific purposes.
Employment law rights and obligations
You may process special categories of personal data where it is necessary for the purposes of carrying out your obligations, or exercising your or your employees’ specific rights, under employment law, to the extent that this is authorised by domestic law providing adequate safeguards for the fundamental rights and interests of the employee. Processing of special categories of personal data is authorised for employment purposes in the UK if it meets the conditions set out below:
Necessary for reasons of substantial public interest
Processing of special categories of personal data is permitted where it is necessary for reasons of substantial public interest on the basis of domestic law which must:
In the UK, processing of the special categories of personal data will meet the requirement of substantial public interest for the purposes of UK law if it meets one of the conditions set out in Part 2 of Schedule 1 to the Data Protection Act 2018. The conditions most likely to be relevant to you are: (1) equality of opportunity or treatment; (2) racial and ethnic diversity at senior levels of organisations; (3) provision of confidential counselling; (4) occupational pensions; and (5) preventing or detecting unlawful acts. When relying on any of these conditions, you must have an appropriate policy document in place and observe additional safeguards.
You are also permitted to process special categories of data where it is necessary for the assessment of the working capacity of an employee; for example, an employer may need a report from a General Practitioner in order to manage long-term sickness absence. This must be carried out on the basis of domestic law or pursuant to a contract with a health professional, so that the data is processed by or under the responsibility of someone bound by a duty of confidentiality. If you rely on the employment condition above instead, an appropriate policy document must be in place along with the safeguards described earlier. Note that the Access to Medical Reports Act 1988 requires the employee’s consent before you can apply to their doctor for a medical report in many situations.
Processing Personal Data Relating to Criminal Convictions and Offences
An employer can process personal data relating to criminal convictions and offences or related security measures in the circumstances set out below:
Monitoring of staff
Surveillance of employees in the workplace can take many forms, including CCTV, monitoring of work phones, email and internet use, and the recording of calls and meetings. The purpose of such monitoring may be to assess performance, ensure quality control, or monitor and block employees from using certain sites. When monitoring, you should be mindful of employees’ right to respect for their private and family life and of the implied duty of trust and confidence, as your monitoring may breach these if it is not carried out in accordance with the relevant laws.
With regards to the employees’ right to private life, monitoring can be justified if it is in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals or the protection of the rights and freedom of others. To carry out surveillance in the workplace, you should identify the legitimate objective, ensure it is sufficiently important, and be confident that the method of monitoring you choose is no more than what is necessary to achieve your objective.
Electronic forms of workplace monitoring are classed as processing of personal data and are therefore covered by the GDPR. You must consider the data protection principles and comply with all your obligations as a controller when processing personal data that results from any monitoring you carry out. Before monitoring, you are required to undertake a data protection impact assessment (DPIA) to review the necessity and proportionality of the planned monitoring, as such monitoring is likely to amount to ‘high risk’ processing. When conducting the impact assessment, you should:
Documents for employers
You should have the following documents in place in relation to the personal data of employees and job candidates:
Retention periods for employment records
As detailed in point 3 above, you may retain personal data in an identifiable format only for as long as necessary for the purposes for which the personal data was processed. This needs to be balanced with any statutory requirements for retaining certain documents. Below we detail the typical retention periods for employment related records in the UK:
|12: What happens if you do not comply with your obligations?|
|In short||Large fines may be imposed by supervisory authorities if you breach your privacy obligations. Data subjects may also have the right to seek compensation from you where they suffer damage as a result of your infringement of the GDPR.|
|Explanation||The UK GDPR is regulated by the Information Commissioner’s Office. The UK GDPR allows for fines of up to 4% of annual global turnover or £17.5 million (whichever is greater).
There are a number of regulators of the EU GDPR. They are referred to as supervisory authorities, and each EU member state has one or more independent public supervisory authorities responsible for monitoring and enforcing the GDPR. The EU GDPR allows for fines of up to 4% of annual global turnover or €20 million (whichever is greater).
Under both the UK GDPR and EU GDPR, data subjects have the right to seek compensation for damage suffered as a result of infringement of the GDPR from either the controller or the processor.
A processor’s liability is limited to damage caused by processing where the processor has not complied with the obligations the GDPR places specifically on processors, or where the processor has acted outside or contrary to the controller’s lawful instructions. However, where both a controller and a processor are liable for the same damage, either may be required to pay the compensation in full, and will then be entitled to claim back from the other the part of the compensation corresponding to that party’s share of responsibility for the damage.