5.1 - Legal Aspects of FDM - Pre-Reading Notes

This document provides an overview of UK data protection law as it relates to flight data monitoring (FDM). It discusses the basics of data protection law including definitions of personal data and the scope of the UK GDPR and Data Protection Act 2018. It also outlines the key principles of data protection law, such as the conditions for lawfully processing personal data, data protection by design, and the rights of data subjects. The document provides context on security, international transfers, personal data breaches, and the roles and enforcement powers of the Data Protection Officer and Information Commissioner's Office.

Uploaded by marroco13

Legal Aspects of Flight Data Monitoring
Data Protection
(27.08.21)

Legal Aspects of FDM Data Protection (27.08.21)

Contents

Page No.

Introduction 5

Basics of data protection law 7

General conditions for processing personal data lawfully 12

Data protection principles 14

Data protection by design and by default 16

Rights of Data Subjects under UK GDPR 18

Security 22

International transfers of personal data 23

Personal Data Breach 25

Data Protection Officer 26

Enforcement and Liability 27

Some exemptions 28

Context:
These notes are based on the law (including United Kingdom (UK) law) applicable
from 1 January 2021. These notes aim to provide accurate, authoritative information
and comment on the subject they cover. They are offered to delegates on the
understanding that Bond Solon Training is not in business as legal advisors.

Introduction

1. The United Kingdom General Data Protection Regulation (UK GDPR)

The United Kingdom General Data Protection Regulation (UK GDPR) is the key
legislation governing data processing within the UK. The European Union GDPR
(EU GDPR) (the original GDPR) is a piece of European legislation. Both pieces of
legislation are divided into Articles. (Unless otherwise stated, references to
Articles in this manual are to the UK GDPR).

The EU GDPR will apply to UK data controllers who have an establishment in the
European Economic Area (EEA), or have customers in the EEA, or monitor
individuals in the EEA. It will apply to data transfers from the EEA to the UK.

The UK GDPR sits alongside the Data Protection Act 2018, which fills in some
gaps created by the UK GDPR. This manual refers to this law collectively as ‘data
protection law’. In the United Kingdom data protection law is overseen and
enforced by the Information Commissioner’s Office (ICO).

2. Data Protection Act 2018 (DPA 2018)

The Data Protection Act 2018 (DPA 2018) addresses the lawful processing of
criminal convictions and processing personal data for the purposes of the
prevention or detection of crime, the apprehension or prosecution of offenders or
the assessment or collection of tax or duty. DPA 2018 is divided into Sections (s.).

The Data Protection Act 1998 is repealed.

3. Freedom of Information Act 2000 (FOIA)

FOIA creates a general right of access to all recorded information held by public authorities. It is not limited to information relating to living individuals nor to information recorded in a particular format. Public authorities are required to have a publication scheme covering the types of information published, its form and its charges.

However, there are substantial exemptions under FOIA by which public authorities will not be required to release information. There are class-based exemptions, including investigations and proceedings conducted by public authorities, court records, and trade secrets. Additionally, there is a ‘prejudice exemption’, which covers matters such as the interests of the UK abroad and the prevention and detection of crime.

The public authority must still consider whether the information must be released
in the public interest, unless an absolute exemption applies (e.g. information
supplied by or relating to bodies dealing with security matters).

It will be a data protection matter where a living person makes a request regarding
personal information about them whether the request is brought under the FOIA or
data protection law (s.40 FOIA).

Requests under FOIA for personal data that relates to a third party will be treated
as a FOIA matter. However, in determining the response to the request FOIA
requires consideration of data protection law.

Basics of data protection law

1. Application in general

Data protection law applies to the processing of any information relating to an identified or identifiable (living) natural person (‘data subject’). It does not apply to the processing of personal data by an individual in the course of a purely personal or household activity (Article 2(2)(a)).

Unless data protection law is complied with the processing of personal data
shall be unlawful (Articles 6 and 9).

1.1 UK GDPR

UK GDPR applies to processing carried out by organisations established within the UK regardless of whether the processing takes place in the UK or not (UK GDPR Article 3.1). Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect (EU GDPR Recital, paragraph 22).

UK GDPR applies to organisations not established in the UK, where the processing activities are related to:

• offering goods or services to individuals in the UK; or
• monitoring their behaviour as far as their behaviour takes place within the UK.

Whereas EU GDPR applies to processing carried out by organisations established within the EEA regardless of whether the processing takes place in the Union or not (EU GDPR Article 3.1). Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect (EU GDPR Recital, paragraph 22).

EU GDPR applies to organisations not established in the EEA, where the processing activities are related to:

• offering goods or services to individuals in the EEA; or
• monitoring their behaviour as far as their behaviour takes place within the EEA.

1.2 DPA 2018

UK GDPR does not apply to the processing of personal data by a competent authority for any of the law enforcement purposes (see Part 3 of the [DPA] 2018) (Article 2(2)(b)). Consequently, the UK GDPR does not apply to much of the personal data processing activities carried out by police forces, prisons and others. This is covered by DPA 2018.

2. Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4).

When considering data about objects [such as machinery], if the data is processed to provide information about an individual (for example, productivity) then the data is personal data. If the data about objects is not currently processed to provide information about an individual, but could be, then the data is likely to be personal data. It depends on whether the processing of the information has or could have a resulting impact upon the individual.

An opinion relating to an individual is also capable of constituting personal data, irrespective of the accuracy of that opinion.

See ICO: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-the-meaning-of-relates-to/ [accessed 270821]

2.1 Definition very broad

The definition of personal data is very broad, and includes any information from
which a living individual (known in this context as a data subject) can be
identified. It is not limited to a name or identification number, or a photograph or
an address.

The legal definition is wide enough to cover identification through combining and/or cross-referencing data. For example, where a member of staff is known to have particularly large feet, a simple reference to a size 14 shoe could be that person’s personal data.

Only personal data that has been completely anonymised falls outside the
definition: that is data from which it is impossible to identify any person.

Personal data that has been pseudonymised – eg key-coded – can fall within
the scope of data protection law depending on how difficult it is to attribute the
pseudonym to a particular individual.

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. See Article 4 and Recital, paragraph 26 EU GDPR.

Therefore, the fact that there is a very slight hypothetical possibility that someone might be able to reconstruct the data in such a way that the individual is identified is not necessarily sufficient to make the individual identifiable. You must consider all the factors at stake. See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/can-we-identify-an-individual-indirectly/#pd5 [accessed 270821]

3. What does processing mean?

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4).

The data protection law applies to the processing of personal data wholly or
partly by automated means and to the processing other than by automated
means of personal data which form part of a filing system or are intended to
form part of a filing system (Article 2).

3.1 ‘Filing system’

Under UK GDPR ‘Filing system’ means any structured set of personal data which
are accessible according to specific criteria, whether centralised, decentralised
or dispersed on a functional or geographical basis (Article 4).

Under DPA 2018 “Filing system” means any structured set of personal data which
is accessible according to specific criteria, whether held by automated means or
manually and whether centralised, decentralised or dispersed on a functional or
geographical basis (s.3(7)).

3.2 Manual unstructured processing

Under Article 2(1A) UK GDPR also applies to the manual unstructured processing of personal data held by an FOI public authority. FOI public authority means (a) a public authority as defined in the Freedom of Information Act 2000, or (b) a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002 (s.21(5)).

Note. There are a number of exemptions from the requirements of data protection law in relation to personal data processed by public authorities in this way. There is no need for a legitimate legal basis for processing either personal or special category data. There is no requirement that the processing comply with the data protection principles, save for the accuracy principle, and the accountability principle in so far as it applies to accuracy. Nor is there any requirement to provide data subjects with information about personal data held in this way. For details see s.24 DPA 2018.

4. Data Controller and Data Processor

Those who process personal data are either a data controller, a data processor
or both.

4.1 Data Controller

Data Controller means the natural or legal person, public authority, agency or
other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data (Article 4).

Under Article 26, where two or more controllers jointly determine the purposes
and means of processing, they shall be joint controllers. They shall in a
transparent manner determine their respective responsibilities and make an
arrangement for compliance with the obligations under the UK GDPR. In
particular this is as regards the exercising of the rights of the data subject and
their respective duties to provide information to data subjects under Articles 13
and 14. There are parallel provisions in DPA 2018 (see Sections 58 and 104).

According to ICO, all joint controllers remain responsible for compliance with
the controller obligations under the UK GDPR. Both the ICO and individuals
may take action against any controller regarding a breach of those obligations.

4.2 Data Processor

Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4).

Examples of data processors include:

• Call centres
• Mailing houses
• Outsourced payroll services
• Photocopying providers
• Website hosting
• Cloud storage

4.3 Basic obligations

Under Article 32, data processors have the same obligation as the data
controller to ensure personal data is processed with a level of security
appropriate to the risks.

Furthermore, Article 28 requires a written contract be in place between controllers and processors. The contract must contain specified clauses, including requirements that the processor:

• processes personal data only on documented instructions from the data controller
• ensures that those authorised to process the personal data are under a duty of confidentiality
• takes all measures pursuant to Article 32
• does not subcontract any aspect of the work without the controller’s written authority
• assists the controller with responding to data subject requests
• assists the controller with responding to data breaches and conducting DPIAs
• at the choice of the controller deletes or returns all personal data to the controller at the end of the contract
• makes available to the controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits conducted by the controller or on its behalf.

General conditions for processing personal data lawfully

1. Introduction

Processing shall be lawful only if and to the extent that at least one of the
following applies (Article 6):

1.1 Consent of the data subject

Consent should be avoided where an alternative legitimising condition is available.

‘Consent’ of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing
of personal data relating to him or her (Article 4(11)). It must be obtained before
the processing activity it is concerned with.

It must be as easy to withdraw the consent as it was to give it and the data
subject must be reminded of its rights to withdraw before it gives any consent.

In giving consent, the data subject must know the various purposes for which
the data will be processed, and the types of processing activity covered. It
should be given the option to consent to each purpose individually, or not as the
case may be.

It should also be informed of any third parties its personal data will be shared
with as a result of its consent. These parties must be identified. Again, the data
subject should be given the option of sharing its information with some and not
others.

There is no such thing as implied consent.

Consent cannot be inferred from silence or inactivity. Pre-ticked opt-in boxes are unlawful.

Consent must be unbundled or kept distinct from any other terms in a written
document, so that the data subject’s attention is drawn to it and it is aware of
giving consent when agreeing the document.

Consent should not be a pre-condition for signing up to a service unless the consent is necessary for that service. Where the performance of a contract is conditional on consent given for a purpose (such as marketing) which is not necessary for the performance of the contract, then the consent is unlikely to be valid.

It can be very difficult for a public authority or for an employer to obtain valid
consent. This is because of inequalities in the bargaining position between the
parties which are likely to mean that any consent is not freely given.

The onus is on the controller to prove valid consent has been given. It needs to
document the consent.

1.2 Necessary for the performance of a contract with the data subject

Personal data may be processed where this is necessary for the performance
of a contract with the data subject, or to take steps to enter into a contract with
the data subject, at the data subject’s request.

1.3 Necessary for compliance with a legal obligation to which the controller is subject

Where there is a statutory requirement to process personal data, that requirement is the legitimising condition for doing so.

1.4 Necessary in order to protect the vital interests of the data subject or of
another natural person

1.5 Necessary for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the controller

Section 8 of the Data Protection Act 2018 clarifies the meaning of this
legitimising condition as including:

(a) the administration of justice;
(b) the exercise of a function of either House of Parliament;
(c) the exercise of a function conferred on a person by an enactment or rule of law;
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or
(e) an activity that supports or promotes democratic engagement.

1.6 Necessary for legitimate interests pursued by the controller or by a third party

Notes. For the legitimate interests condition to apply the processing must not be out of proportion to the interests of the data subject. This condition is not available to processing carried out by public authorities in the performance of their tasks (Article 6(1)).

Data protection principles

1. Introduction

The existence of a valid legitimising condition is not sufficient to guarantee the lawfulness of the personal data processing. The controller must also ensure that the processing is carried out in accordance with the principles set out at Article 5 of the UK GDPR. However, there are six data protection principles in Part 3 DPA 2018 that apply to law enforcement processing by competent authorities (see s.29 DPA 2018).

1.1 Article 5 UK GDPR data protection principles

• Lawfulness, fairness and transparency (consider informing data subjects about how their personal data is processed and allowing them access to their personal data under Articles 13 – 23). A controller need not comply with this principle regarding personal data covered by legal professional privilege; processed for the purposes of management forecasting or planning in relation to a business or other activity to the extent that disclosure would be likely to prejudice the business; processed for the purpose of conducting negotiations with the data subject to the extent that disclosure might prejudice those negotiations; personal data provided in a reference given in confidence.

• Purpose limitation (processing personal data for specific, identified and legitimate purposes and ensuring that processing is not carried out for other purposes, i.e. no function creep)

• Data minimisation (restricting processing to what is strictly necessary to achieve the purposes for which the data was collected)

• Accuracy (ensuring the personal data processed are accurate and kept up
to date; every reasonable step must be taken to ensure that personal data
that are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay)

• Storage limitation (keeping personal data in a form that allows the identification of data subjects for no longer than is necessary to achieve the purposes for which it was collected. Consider anonymisation and pseudonymisation)

• Integrity and confidentiality (ensuring appropriate security procedures are in place; see also Article 32).

• Accountability

1.2 Confidentiality

A duty of confidentiality (to keep something secret) can arise explicitly (e.g. a
term in a contract), or impliedly from the circumstances (e.g. a patient and
doctor). The duty can be overridden by agreement, or where there is a public
interest in disclosure which overrides the competing public interest in
maintaining the duty of confidence. In cases of doubt it is normal to wait for a
court to decide if the duty is overridden.

1.3 Accountability

The accountability principle (Article 5(2)) is designed to ensure that data protection becomes part of the shared practices and values of an organisation, and the requirements of the UK GDPR are taken into account at every level: from big strategic decision making in the boardroom to the arrangement of computer screens in a small office.

It is not sufficient to comply with the principles set out in Article 5. A controller
must be able to demonstrate compliance. In order to do so, it is advisable to
have written policies in place, including:

• Data protection policy
• Security policy
• Data subject request policy
• Data breach policy
• Privacy notice

In order to draw up effective policies, a controller should first carry out an audit
and establish the personal data it holds, why it holds it, whom it shares it with
and how long it keeps the personal data for. It is important to remember that
sharing includes sharing between departments within an organisation, as well
as sharing with third parties externally.

The controller must also be able to demonstrate compliance with these policies.
In other words, it must be able to show that they have been implemented. It is
important that staff are properly trained in data protection.

Furthermore, Article 30 requires that both controllers and processors maintain a record of personal data processing activities under their responsibility. The records a controller must maintain broadly reflect the information that must be provided to data subjects in a Privacy Notice.

Data protection by design and by default

1. Introduction

Article 25 UK GDPR is concerned with putting in place technical and organisational measures in order to implement the data protection principles effectively and protect the rights of data subjects.

1.1 Data protection by design

Data protection by design is about putting in place measures to safeguard the right to privacy of data subjects at the earliest possible stage. It is about privacy proofing at the planning stage when designing a new system, process or other project. The controller must not only consider the nature and purpose of the personal data processing activities, together with their associated risks, but also the state of the art and the cost of implementation when deciding on technical and organisational measures to eradicate or reduce risk and ensure compliance with the data protection principles.

Data protection risk assessments (DPIAs) are concerned with assessing and mitigating risks before embarking upon new or changed personal data processing activities. They are mandatory in cases involving a high risk to data subjects and also where:

• there is automated processing or profiling of personal data on which decisions are based that significantly affect the data subject. An example might be psychometric testing
• there is processing on a large scale of special categories of personal data under Article 9, or data relating to criminal convictions or offences under Article 10.
• there is systematic monitoring of a publicly accessible area on a large scale. An example might be CCTV camera surveillance of public areas.

When carrying out a DPIA, it is envisaged that the controller will consult with
representatives of data subjects affected where appropriate (see Article 35).

It is advisable that the controller’s data protection policy set out in clear terms
the circumstances which trigger a DPIA. It may be advisable to carry one out
when considering the appointment of a new service provider, for example.

Article 25 UK GDPR makes specific reference to pseudonymisation as a possible way of reducing risk by minimising the amount of personal data processed. The most effective way of eradicating risk is by anonymising personal data. In doing so, the data is no longer personal and so falls outside the ambit of the legislation.

1.2 Data protection by default

Article 25 UK GDPR also requires the controller to implement appropriate technical and organisational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed.

This minimisation of personal data applies to:

• the amount of data collected
• the extent of the processing
• the period of storage
• its accessibility.

There is a specific requirement that there be measures in place to ensure that, by default, personal data is not made accessible to an indefinite number of individuals.

It is best practice regularly to review online and offline data and have a process
in place for the systematic deletion of personal data when it is no longer
necessary to keep it.

Personal data must be kept under review at a granular level. For example,
when deleting emails that are no longer needed, they should also be weeded
from the server. When archiving files for storage, the file should be weeded first
so that any data that does not need to be stored is extracted and destroyed.

Rights of Data Subjects under UK GDPR

1. Introduction

The rights of a data subject under the UK GDPR include:

• The right to be informed (typically by way of a privacy notice)
• The right of access (following a subject access request)
• The right to rectification
• The right to erasure (right to be forgotten)
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

(Under Part 1 of Schedule 2 of the DPA 2018 there is no requirement to comply with these rights (part of the ‘listed GDPR provisions’) when processing personal data for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of tax or duty, to the extent that the application of those provisions would be likely to prejudice any of these matters.)

1.1 Privacy Notice

Articles 13 and 14 set out the information which a controller must provide to
data subjects.

Article 13 concerns the information that must be provided before a data subject
provides personal data to a controller. Article 14 concerns the information that
must be provided to data subjects where their personal data is collected from a
third party. This information must be provided within one month of collection.

In order to comply with the transparency principle, it is important that privacy notices are written in easily understood language.

Briefly, a privacy notice must set out the categories of personal data processed
and the purpose of the processing activities, together with retention periods.
The lawful basis for the processing must also be identified. If the controller is
relying on the legitimate interests of its business, these should be described.
Any recipients or categories of recipients with whom the data is shared should
be set out and any transfers abroad identified. The data subject needs to be
reminded of its rights, including the right to withdraw consent at any time and to
lodge a complaint with the Information Commissioner. Where data is obtained
from a third party, this source should be identified. Any automated decision making or profiling should be described, together with details of how decisions are made based on this information.

1.2 Subject Access

Under Article 15, a data subject has a right of access to its personal data, which
means the controller must provide the data subject with a copy of the personal
data it is processing free of charge. If the request is made electronically, the
data shall be provided in commonly used electronic form unless the data
subject requests otherwise.

The data must be provided in one month. The period may be extended by two
further months where necessary, taking into account the complexity and
number of requests. The controller shall inform the data subject of any such
extension within one month of receipt of the request, together with the reasons
for the delay (Article 12(3)).

The data subject is also entitled to the same information as is required to be provided under Articles 13 and 14 (see under Privacy Notice).

Article 15(4) stipulates that the right to obtain a copy of the personal data shall
not affect the rights and freedoms of others. This means that the personal data
of others should not be disclosed without good reason.

Paragraph 16, Part 3, Schedule 2 of the DPA 2018 clarifies the situation by
confirming there is no obligation for a controller to disclose information to the
data subject to the extent that the disclosure would involve disclosing
information relating to another individual who could be identified from it.
However, if the other individual consents, or it is reasonable to disclose the
information to the data subject without the consent of the other individual then it
should be disclosed. Reasonableness is defined in paragraph 16(3) and
reference should be made to paragraph 16 generally.

Where a person mistakenly makes a request for personal data under the
Freedom of Information Act, it should be treated as if it were a subject access
request under the UK GDPR.

1.3 Rectification

A data subject has a right to rectification of inaccurate data, including the right to
have incomplete data completed (Article 16). The time limits for compliance are
the same as for subject access requests above.

The controller is obliged to communicate any rectification to each person or
organisation to whom it has disclosed the personal data. It must inform the data
subject of the recipients if it requests it (Article 19).

1.4 Erasure

A data subject also has the right to be forgotten (erasure) in certain
circumstances (Article 17). These include:

• the personal data are no longer necessary for the purposes for which
they were originally collected
• the data subject withdraws consent and there is no other legal ground for
processing
• the personal data have been unlawfully processed

Where the controller has made the personal data public and is obliged to erase
it, it should take reasonable steps to inform other controllers that are processing
the data that the data subject has requested erasure. The obvious application
of this express requirement is the internet.

Again, the time limit for compliance is one month, extended by two months where
necessary.

1.5 Information management systems

In order to comply with the one month deadline, it is essential that the data
controller has efficient information management systems in place, which
support a written policy setting out the procedure for responding to data subject
requests.

1.6 When else is there no requirement to comply with these rights (part of the
‘listed GDPR provisions’)

The listed GDPR provisions do not apply:

(1) to personal data consisting of information that the controller is obliged by an
enactment to make available to the public, to the extent that the application of
those provisions would prevent the controller from complying with that
obligation.

(2) to personal data where disclosure of the data is required by an enactment, a
rule of law or an order of a court or tribunal, to the extent that the application of
those provisions would prevent the controller from making the disclosure.

(3) to personal data where disclosure of the data—

(a) is necessary for the purpose of, or in connection with, legal proceedings
(including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or
defending legal rights, to the extent that the application of those provisions
would prevent the controller from making the disclosure (see paragraph 5 of
Part 1, of Schedule 2, DPA 2018).

Security
1. Introduction

There is an express requirement on data controllers and processors to
implement appropriate technical and organisational measures to ensure a level
of security appropriate to the risks to the data subjects. The state of the art and
the costs of the various measures should be taken into account, and balanced
against the nature and extent of the processing activities and the risk to data
subjects arising out of them.

1.1 Article 32 UK GDPR

As part of this exercise, Article 32 makes it clear that consideration should be
given to pseudonymisation and encryption of personal data, in order to
eradicate or reduce risk.

Measures include the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services.

There should be in place a system for regularly testing, assessing and
evaluating the effectiveness of technical and organisational measures for
ensuring the security of processing.

The Article allows for the adoption of approved codes of conduct and approved
certification measures as ways of demonstrating compliance with the security
requirement.

It is clearly advisable that controllers and processors have in place, and
implement, security policies.
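As an added illustration of the pseudonymisation measure Article 32 refers to (example code written for these notes, not taken from the original document or from any FDM programme), the snippet below replaces crew identifiers in constructed FDM event records with keyed pseudonyms, keeps the re-identification lookup with a separate custodian (assumed here to be a "gatekeeper" role), and checks that the analysis set leaving that custodian carries no raw identifier. The record fields, identifiers and key are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

# Constructed sample FDM event records (not real flight data): a raw feed
# carries crew identifiers alongside the exceedance events it records.
RAW_EVENTS: List[Dict[str, str]] = [
    {"flight": "XX101", "date": "2021-08-27", "crew_id": "C1001", "event": "HIGH_ROD_APPROACH"},
    {"flight": "XX102", "date": "2021-08-27", "crew_id": "C1002", "event": "UNSTABLE_APPROACH"},
    {"flight": "XX103", "date": "2021-08-28", "crew_id": "C1001", "event": "HARD_LANDING"},
]


def pseudonymise_id(crew_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same crew member always maps to the
    same token (so trends can still be analysed), but without the key the token
    cannot be reversed or linked back to the individual."""
    digest = hmac.new(key, crew_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PS-" + digest[:16]


def pseudonymise_events(events: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split the raw feed into an analysis set that carries no raw crew_id and a
    separate lookup (token -> crew_id). The lookup and the key stay with the
    gatekeeper (assumed role) under separate access control; analysts only see
    the analysis set."""
    analysis: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for rec in events:
        token = pseudonymise_id(rec["crew_id"], key)
        lookup[token] = rec["crew_id"]
        cleaned = {k: v for k, v in rec.items() if k != "crew_id"}
        cleaned["crew_token"] = token
        analysis.append(cleaned)
    return analysis, lookup


def leaks_raw_ids(analysis: List[Dict[str, str]], raw_ids: Set[str]) -> bool:
    """Release check before the analysis set leaves the gatekeeper: no field of
    any record may still contain a raw identifier (e.g. copied into free text)."""
    return any(rid in str(v) for rec in analysis for v in rec.values() for rid in raw_ids)


def reidentify(token: str, lookup: Dict[str, str]) -> str:
    """Controlled re-identification, available only to whoever holds the lookup."""
    return lookup[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per deployment; stored apart from the analysis set
    analysis, lookup = pseudonymise_events(RAW_EVENTS, key)
    assert not leaks_raw_ids(analysis, {r["crew_id"] for r in RAW_EVENTS})
    for rec in analysis:
        print(rec)
```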

International transfers of personal data
1. Introduction

The UK GDPR imposes restrictions on the transfer of personal data outside of
the UK. Where there is a need to transfer personal data outside of the UK, you
must consider the requirements set out in Articles 44 to 47, and 49 to 50 of the
UK GDPR:

• Whether the transfer is caught by the data protection regime on
international transfer. Transfer does not mean the same as transit. If
personal data is just electronically routed through another country it is not
a transfer
• Whether there is a lawful ground for processing (see conditions for
processing personal data lawfully)
• Whether there is a lawful mechanism for the international transfer

This chapter focuses on the UK GDPR.

The EU GDPR applies to data controllers who have an establishment in the
European Economic Area (EEA), or have customers in the EEA, or monitor
individuals in the EEA. It has a similar legal regime to the UK GDPR for
international transfers of personal data.

1.1 Adequacy decision as a lawful mechanism

The UK has recognised the EEA, Gibraltar, and third countries that have the
benefit of an EU Commission adequacy decision as having an adequate level
of protection.

1.2 Standard contractual clauses as a lawful mechanism

This refers to a standard set of model clauses which cannot be modified. It is
necessary to conduct a transfer impact assessment to ensure the protections,
enforceable rights and legal remedies provided to individuals in the recipient
country are near enough the same as those guaranteed under the UK
GDPR.

1.3 Binding Corporate Rules as a lawful mechanism

Binding Corporate Rules allow multinational companies to transfer personal
data internationally within the same corporate group to countries that do not
provide an adequate level of protection for personal data as required under the
UK GDPR.

1.4 Derogation as a lawful mechanism

You may rely on one of the derogations (exceptions) in Article 49 of the UK
GDPR [summarised as]:

• the data subject has explicitly consented
• necessary for the performance of a contract between the data subject and
controller
• necessary for important reasons of public interest
• necessary to establish, exercise or defend legal claims
• necessary to protect the vital interests of the data subject or other persons
• legitimate reasons not overridden by the interests or rights and freedoms
of data subjects

1.5 Transfer impact assessment

This requirement arose from the Schrems II decision, which now requires, on a
case by case basis, an assessment of the laws of the third country, as well as of
whether any supervisory authority exists. This is a risk assessment undertaken
by the exporting controller, taking into consideration the protections in the
appropriate safeguards and any legal or data protection framework in the
recipient country, before any restricted transfer takes place.

1.6 Transfer of personal data to the USA

The case of Schrems II recently invalidated the EU-US Privacy Shield as the
USA does not ensure an essentially equivalent level of protection for data
subjects. This is due to the extent to which USA public authorities may access
personal data for national security purposes, and the absence of appropriate
rights and remedies for data subjects before the courts against a USA authority.

If transfer to the USA is necessary then you will need to assess whether you
can do so on the basis of standard contractual clauses and your transfer impact
assessment.

Personal Data Breach
1. Introduction

‘Personal data breach’ means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed (Article 4 UK GDPR).

1.1 Articles 33 and 34 UK GDPR

Where there has been a personal data breach, the ICO must be informed if it
carries any risks to data subjects. These might include damage to reputation or
financial loss. If the notification is not made within 72 hours, reasons must be
given for the delay (Article 33).

At this early stage the ICO must be told: the nature of the breach, including the
personal data concerned and the data subjects affected; the likely
consequences of the breach; and the measures taken or proposed to address the
breach, including measures to mitigate possible adverse effects. A contact
point, such as the data protection officer, if there is one, should be provided.

All personal data breaches must be documented.

Where there is a high risk to data subjects arising out of the breach the
controller shall communicate the personal data breach to the data subject
without undue delay (Article 34). The data subject should be given the same
information as is required to be given to the ICO, save perhaps for the
categories and numbers of data subjects concerned and the categories and
amount of personal data records concerned.

Article 34(3) provides there is no requirement to report a breach to the data
subjects where the personal data has been rendered unintelligible to any
person, such as by encryption. Similarly, there is no need to report the breach
to data subjects where the controller has taken subsequent measures to ensure
the high risk is no longer likely to materialise. If notifying each individual would
involve disproportionate effort a general public announcement may be made.

Clearly it is advisable to have an effective data breach policy which is
implemented. Any significant breach might give rise to significant reputational
issues. Once trust is lost, it is hard to regain.

Data Protection Officer
1. Article 39 UK GDPR

The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees
who carry out processing of their obligations pursuant to this Regulation
and to other domestic law relating to data protection;
b) to monitor compliance with this Regulation, with other domestic law
relating to data protection and with the policies of the controller or
processor in relation to the protection of personal data, including the
assignment of responsibilities, awareness-raising and training of staff
involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact
assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the [ICO];
e) to act as the contact point for the [ICO] on issues relating to processing,
including the prior consultation referred to in Article 36, and to consult,
where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due
regard to the risk associated with processing operations, taking into account the
nature, scope, context and purposes of processing.

1.1 When is a data protection officer needed (Article 37 UK GDPR)

Public authorities are required to appoint a data protection officer.

Other organisations must have one where:

• the core activities of the controller or processor involve regular and
systematic monitoring of data subjects on a large scale, or
• the core activities involve large-scale processing of special
categories of personal data and/or personal data relating to criminal
offences and convictions.

Otherwise it is advisable to have a designated data protection lead within an
organisation. He or she will be responsible for data protection audits and
DPIAs, staff training, drafting and implementing policies and procedures and
responding to data subject requests and to personal data breaches.

Enforcement and liability
1. Introduction

The DPA 2018 sets out the enforcement regime in detail at Part 6.

1.1 Powers of ICO

• Information notices (requiring the controller or processor to provide the
ICO with information)
• Assessment notices (requiring the controller or processor to allow the ICO
to carry out an assessment of whether it is complying with data protection
legislation)
• Enforcement notices (where the controller or processor is failing to comply
with specified provisions, specifying the steps which must be taken to
rectify the situation)
• Powers of entry and inspection (the ICO may obtain search warrants and
seize material where there are reasonable grounds for believing there has
been a failure to comply with one or more of a number of requirements or
that a criminal offence has been committed)

1.2 Criminal offences

There is a range of criminal offences.

Penalties or fines (the maximum is 4% of annual turnover or £17.5 million
whichever is the greater).

1.3 Civil liability

Any person who has suffered damage, including simple distress, as a result of
any infringement of the UK GDPR has a right of action for damages in either
the County Court or the High Court (Article 82 UK GDPR and section 168 and
169 Part 6 DPA 2018).

Some exemptions
1. Introduction

Under Part 1 of Schedule 2, of the DPA 2018 there is no requirement to comply
with any of ‘the listed GDPR provisions’ [note, these provisions actually all
appear to be UK GDPR provisions – see para 1(a) in the schedule] when
processing personal data for the purposes of the prevention or detection of
crime, the apprehension or prosecution of offenders or the assessment or
collection of tax or duty to the extent that the application of those provisions
would be likely to prejudice any of these matters.

1.1 ‘the listed GDPR provisions’ [actually UK GDPR provisions] that are
exempted

(i) Article 13(1) to (3) (personal data collected from data subject: information
to be provided);
(ii) Article 14(1) to (4) (personal data collected other than from data subject:
information to be provided);
(iii) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);
(iv) Article 16 (right to rectification);
(v) Article 17(1) and (2) (right to erasure);
(vi) Article 18(1) (restriction of processing);
(vii) Article 19 (notification obligation regarding rectification or erasure of
personal data or restriction of processing);
(viii) Article 20(1) and (2) (right to data portability);
(ix) Article 21(1) (objections to processing);
(x) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in sub-
paragraphs (i) to (ix);

Additionally, the following provisions of the UK GDPR (the application of which
may be adapted by virtue of Article 6(3) of the UK GDPR)—
(i) Article 5(1)(a) (lawful, fair and transparent processing), other than the
lawfulness requirements set out in Article 6;
(ii) Article 5(1)(b) (purpose limitation).

1.2 Some exemptions extended to data sharing for statutory functions

Where—
(a) personal data is processed by a person ("Controller 1") for (a) the
prevention or detection of crime, (b) the apprehension or prosecution of
offenders, or (c) the assessment or collection of a tax or duty or an
imposition of a similar nature,

and

(b) another person ("Controller 2") obtains the data from Controller 1 for the
purpose of discharging statutory functions and processes it for the
purpose of discharging statutory functions.

(3) Controller 2 is exempt from the obligations in the following provisions of
the UK GDPR—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided),
(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided),
(c) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers), and
(d) Article 5 (general principles) so far as its provisions correspond to
the rights and obligations provided for in the provisions mentioned
in paragraphs (a) to (c).

1.3 Some other circumstances - beyond the law enforcement context - in
which ‘the listed GDPR provisions’ [actually UK GDPR provisions] are
exempted

(1) The listed GDPR provisions do not apply to personal data consisting of
information that the controller is obliged by an enactment to make
available to the public, to the extent that the application of those
provisions would prevent the controller from complying with that
obligation.

(2) The listed GDPR provisions do not apply to personal data where
disclosure of the data is required by an enactment, a rule of law or an
order of a court or tribunal, to the extent that the application of those
provisions would prevent the controller from making the disclosure.

(3) The listed GDPR provisions do not apply to personal data where
disclosure of the data—

(a) is necessary for the purpose of, or in connection with, legal
proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing,
exercising or defending legal rights, to the extent that the
application of those provisions would prevent the controller from
making the disclosure (see paragraph 5 of Part 1, of Schedule 2,
DPA 2018).

1.4 Some Chapter 3, Part 3, DPA 2018 rights that may be restricted

1. Under s.45(4) DPA 2018 the controller may restrict, wholly or partly, the
right of access by the data subject to the extent that and for so long as
the restriction is, having regard to the fundamental rights and legitimate
interests of the data subject, a necessary and proportionate measure
to—

(a) avoid obstructing an official or legal inquiry, investigation or
procedure;
(b) avoid prejudicing the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal
penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
