Data Protection Bill (HL Bill 66)

Data Protection Bill, Page 80

144 Enforcement notices: rectification and erasure of personal data etc

(1) Subsections (2) and (3) apply where an enforcement notice is given in respect
of a failure by a controller or processor—

(a) to comply with a data protection principle relating to accuracy, or

(b) to comply with a data subject’s request to exercise rights under Article
16, 17 or 18 of the GDPR (right to rectification, erasure or restriction on
processing) or section 44, 45 or 98 of this Act.

(2) If the enforcement notice requires the controller or processor to rectify or erase
inaccurate personal data, it may also require the controller or processor to
rectify or erase any other data which—

(a) is held by the controller or processor, and

(b) contains an expression of opinion which appears to the Commissioner
to be based on the inaccurate personal data.

(3) Where a controller or processor has accurately recorded personal data
provided by the data subject or a third party but the data is inaccurate, the
enforcement notice may require the controller or processor—

(a) to take steps specified in the notice to ensure the accuracy of the data,

(b) if relevant, to secure that the data indicates the data subject’s view that
the data is inaccurate, and

(c) to supplement the data with a statement of the true facts relating to the
matters dealt with by the data that is approved by the Commissioner,

(as well as imposing requirements under subsection (2)).

(4) When deciding what steps it is reasonable to specify under subsection (3)(a),
the Commissioner must have regard to the purpose for which the data was
obtained and further processed.

(5) Subsections (6) and (7) apply where—

(a) an enforcement notice requires a controller or processor to rectify or
erase personal data, or

(b) the Commissioner is satisfied that the processing of personal data
which has been rectified or erased by the controller or processor
involved a failure described in subsection (1).

(6) An enforcement notice may, if reasonably practicable, require the controller or
processor to notify third parties to whom the data has been disclosed of the
rectification or erasure.

(7) In determining whether it is reasonably practicable to require such notification,
the Commissioner must have regard, in particular, to the number of people
who would have to be notified.

(8) In this section, “data protection principle relating to accuracy” means the
principle in—

(a) Article 5(1)(d) of the GDPR,

(b) section 36(1) of this Act, or

(c) section 87 of this Act.

145 Enforcement notices: restrictions

(1) The Commissioner may not give a controller or processor an enforcement
notice in reliance on section 142(2) with respect to the processing of personal
data for the special purposes unless—

(a) a determination under section 164 with respect to the data or the
processing has taken effect, and

(b) the court has granted leave for the notice to be given.

(2) A court must not grant leave for the purposes of subsection (1)(b) unless it is
satisfied that—

(a) the Commissioner has reason to suspect a failure described in section
142(2) which is of substantial public importance, and

(b) the controller or processor has been given notice of the application for
leave in accordance with rules of court or the case is urgent.

(3) In the case of a joint controller in respect of the processing of personal data to
which Part 3 or 4 applies whose responsibilities for compliance with that Part
are determined in an arrangement under section 56 or 102, the Commissioner
may only give the controller an enforcement notice in reliance on section 142(2)
if the controller is responsible for compliance with the provision, requirement
or principle in question.

146 Enforcement notices: cancellation and variation

(1) The Commissioner may cancel or vary an enforcement notice by giving written
notice to the person to whom it was given.

(2) A person to whom an enforcement notice is given may apply in writing to the
Commissioner for the cancellation or variation of the notice.

(3) An application under subsection (2) may be made only—

(a) after the end of the period within which an appeal can be brought
against the notice, and

(b) on the ground that, by reason of a change of circumstances, one or more
of the provisions of that notice need not be complied with in order to
remedy the failure identified in the notice.

Powers of entry and inspection

147 Powers of entry and inspection

Schedule 15 makes provision about powers of entry and inspection.

Penalties

148 Penalty notices

(1) If the Commissioner is satisfied that a person—

(a) has failed or is failing as described in section 142(2), (3), (4) or (5),

(b) has failed to comply with an assessment notice given in exercise of the
Commissioner’s powers under Article 58(1) of the GDPR, or

(c) has failed to comply with an enforcement notice,

the Commissioner may, by written notice (a “penalty notice”), require the
person to pay to the Commissioner an amount in sterling specified in the
notice.

(2) In the case of a failure described in section 142(2), (3) or (4), when deciding
whether to give a penalty notice to a person and determining the amount of the
penalty, the Commissioner must have regard to the following, so far as
relevant—

(a) to the extent that the notice concerns a matter to which the GDPR
applies, the matters listed in Article 83(1) and (2) of the GDPR;

(b) to the extent that the notice concerns another matter, the matters listed
in subsection (3).

(3) Those matters are—

(a) the nature, gravity and duration of the failure;

(b) the intentional or negligent character of the failure;

(c) any action taken by the controller or processor to mitigate the damage
suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into
account technical and organisational measures implemented by the
controller or processor in accordance with section 55, 64, 101 or 105;

(e) any relevant previous failures by the controller or processor;

(f) the degree of co-operation with the Commissioner, in order to remedy
the failure and mitigate the possible adverse effects of the failure;

(g) the categories of personal data affected by the failure;

(h) the manner in which the infringement became known to the
Commissioner, including whether, and if so to what extent, the
controller or processor notified the Commissioner of the failure;

(i) the extent to which the controller or processor has complied with
previous enforcement notices or penalty notices;

(j) adherence to approved codes of conduct or certification mechanisms;

(k) any other aggravating or mitigating factor applicable to the case,
including financial benefits gained, or losses avoided, as a result of the
failure (whether directly or indirectly);

(l) whether the penalty would be effective, proportionate and dissuasive.

(4) Schedule 16 makes further provision about penalty notices, including
provision requiring the Commissioner to give a notice of intent to impose a
penalty and provision about payment, variation, cancellation and
enforcement.

(5) The Secretary of State may by regulations—

(a) confer power on the Commissioner to give a penalty notice in respect
of other failures, and

(b) make provision about the amount of the penalty that may be imposed.

(6) Before making regulations under this section, the Secretary of State must
consult such persons as the Secretary of State considers appropriate.

(7) Regulations under this section—

(a) may make provision about the giving of penalty notices in respect of
the failure,

(b) may amend this section and sections 149 to 151, and

(c) are subject to the affirmative resolution procedure.

149 Penalty notices: restrictions

(1) The Commissioner may not give a controller or processor a penalty notice in
reliance on section 142(2) with respect to the processing of personal data for the
special purposes unless—

(a) a determination under section 164 with respect to the data or the
processing has taken effect, and

(b) a court has granted leave for the notice to be given.

(2) A court must not grant leave for the purposes of subsection (1)(b) unless it is
satisfied that—

(a) the Commissioner has reason to suspect a failure described in section
142(2) which is of substantial public importance, and

(b) the controller or processor has been given notice of the application for
leave in accordance with rules of court or the case is urgent.

(3) The Commissioner may not give a penalty notice to—

(a) the Crown Estate Commissioners, or

(b) a person who is a controller under section 188(3) (controller for the
Royal Household etc).

(4) In the case of a joint controller in respect of the processing of personal data to
which Part 3 or 4 applies whose responsibilities for compliance with that Part
are determined in an arrangement under section 56 or 102, the Commissioner
may only give the controller a penalty notice in reliance on section 142(2) if the
controller is responsible for compliance with the provision, requirement or
principle in question.

150 Maximum amount of penalty

(1) In relation to an infringement of a provision of the GDPR, the maximum
amount of the penalty that may be imposed by a penalty notice is—

(a) the amount specified in Article 83 of the GDPR, or

(b) if an amount is not specified there, the standard maximum amount.

(2) In relation to an infringement of a provision of Part 3 of this Act, the maximum
amount of the penalty that may be imposed by a penalty notice is—

(a) in relation to a failure to comply with section 33, 34, 35, 36(1), 37(1), 38,
42, 43, 44, 45, 46, 47, 50, 51, 71, 72, 73, 74, 75 or 76, the higher maximum
amount, and

(b) otherwise, the standard maximum amount.

(3) In relation to an infringement of a provision of Part 4 of this Act, the maximum
amount of the penalty that may be imposed by a penalty notice is—

(a) in relation to a failure to comply with section 84, 85, 86, 87, 88, 89, 91, 92,
98 or 107, the higher maximum amount, and

(b) otherwise, the standard maximum amount.

(4) In relation to a failure to comply with an enforcement notice, the maximum
amount of the penalty that may be imposed by a penalty notice is the higher
maximum amount.

(5) The “higher maximum amount” is—

(a) in the case of an undertaking, 20 million Euros or 4% of the
undertaking’s total annual worldwide turnover in the preceding
financial year, whichever is higher, or

(b) in any other case, 20 million Euros.

(6) The “standard maximum amount” is—

(a) in the case of an undertaking, 10 million Euros or 2% of the
undertaking’s total annual worldwide turnover in the preceding
financial year, whichever is higher, or

(b) in any other case, 10 million Euros.

(7) The maximum amount of a penalty in sterling must be determined by applying
the spot rate of exchange set by the Bank of England on the day on which the
penalty notice is given.

151 Fixed penalties for non-compliance with charges regulations

(1) The Commissioner must produce and publish a document specifying the
amount of the penalty for a failure to comply with regulations made under
section 132.

(2) The Commissioner may specify different amounts for different types of failure.

(3) The maximum amount that may be specified is 150% of the highest charge
payable by a controller in respect of a financial year in accordance with the
regulations, disregarding any discount available under the regulations.

(4) The Commissioner—

(a) may alter or replace the document, and

(b) must publish any altered or replacement document.

(5) Before publishing a document under this section (including any altered or
replacement document), the Commissioner must consult—

(a) the Secretary of State,

(b) such other persons as the Secretary of State considers appropriate.

(6) The Commissioner must arrange for a document published under this section
(including any altered or replacement document) to be laid before Parliament.

152 Amount of penalties: supplementary

(1) For the purposes of Article 83 of the GDPR and section 150, the Secretary of
State may by regulations—

(a) provide that a person of a description specified in the regulations is or
is not an undertaking, and

(b) make provision about how an undertaking’s turnover is to be
determined.

(2) For the purposes of Article 83 of the GDPR, section 150 and section 151, the
Secretary of State may by regulations provide that a period is or is not a
financial year.

(3) Before making regulations under this section, the Secretary of State must
consult such persons as the Secretary of State considers appropriate.

(4) Regulations under this section are subject to the affirmative resolution
procedure.

Guidance

153 Guidance about regulatory action

(1) The Commissioner must produce and publish guidance about how the
Commissioner proposes to exercise the Commissioner’s functions in
connection with—

(a) assessment notices,

(b) enforcement notices, and

(c) penalty notices.

(2) The Commissioner may produce and publish guidance about how the
Commissioner proposes to exercise the Commissioner’s other functions under
this Part.

(3) In relation to assessment notices, the guidance must include—

(a) provision specifying factors to be considered in determining whether to
give an assessment notice to a person;

(b) provision specifying descriptions of documents or information that—

(i) are not to be examined or inspected in accordance with an
assessment notice, or

(ii) are to be so examined or inspected only by a person of a
description specified in the guidance;

(c) provision about the nature of inspections and examinations carried out
in accordance with an assessment notice;

(d) provision about the nature of interviews carried out in accordance with
an assessment notice;

(e) provision about the preparation, issuing and publication by the
Commissioner of assessment reports in respect of controllers and
processors that have been given assessment notices.

(4) The guidance prepared in accordance with subsection (3)(b) must include
provisions that relate to—

(a) documents and information concerning an individual’s physical or
mental health;

(b) documents and information concerning the provision of social care for
an individual.

(5) In relation to penalty notices, the guidance must include—

(a) provision about the circumstances in which the Commissioner would
consider it appropriate to issue a penalty notice;

(b) provision about the circumstances in which the Commissioner would
consider it appropriate to allow a controller or processor to make oral
representations about a notice of intent;

(c) provision explaining how the Commissioner will determine the
amount of penalties.

(6) The Commissioner—

(a) may alter or replace the guidance, and

(b) must publish any altered or replacement guidance.

(7) Before publishing guidance under this section (including any altered or
replacement guidance), the Commissioner must consult—

(a) the Secretary of State, and

(b) such other persons as the Secretary of State considers appropriate.

(8) The Commissioner must arrange for guidance under this section (including
any altered or replacement guidance) to be laid before Parliament.

(9) In this section, “social care” has the same meaning as in Part 1 of the Health and
Social Care Act 2008 (see section 9(3) of that Act).

Appeals

154 Rights of appeal

(1) A person who is given any of the following notices may appeal to the
Tribunal—

(a) an information notice;

(b) an assessment notice;

(c) an enforcement notice;

(d) a penalty notice;

(e) a penalty variation notice.

(2) Where a notice listed in subsection (1) contains a statement under section
137(7)(a), 140(8)(a) or 143(8) (urgency), the person given the notice may appeal
against—

(a) the Commissioner’s decision to include the statement in the notice, or

(b) the effect of its inclusion as respects any part of the notice,

whether or not the person appeals against the notice.

(3) A person who is given an enforcement notice may appeal to the Tribunal
against the refusal of an application under section 146 for the cancellation or
variation of the notice.

(4) A person who is given a penalty notice or a penalty variation notice may
appeal against the amount of the penalty specified in the notice, whether or not
the person appeals against the notice.

(5) Where a determination is made under section 164 in respect of the processing
of personal data, the controller or processor may appeal to the Tribunal against
the determination.

155 Determination of appeals

(1) Subsections (2) to (4) apply where a person appeals to the Tribunal under
section 154(1) or (4).

(2) The Tribunal may review any determination of fact on which the notice or
decision against which the appeal is brought was based.

(3) If the Tribunal considers—

(a) that the notice or decision against which the appeal is brought is not in
accordance with the law, or

(b) to the extent that the notice or decision involved an exercise of
discretion by the Commissioner, that the Commissioner ought to have
exercised the discretion differently,

the Tribunal must allow the appeal or substitute another notice or decision
which the Commissioner could have given or made.

(4) Otherwise, the Tribunal must dismiss the appeal.

(5) On an appeal under section 154(2), the Tribunal may direct—

(a) that the notice against which the appeal is brought is to have effect as if
it did not contain the statement under section 137(7)(a), 140(8)(a) or
143(8) (urgency), or

(b) that the inclusion of that statement is not to have effect in relation to any
part of the notice,

and may make such modifications to the notice as are required to give effect to
the direction.

(6) On an appeal under section 154(3), if the Tribunal considers that the
enforcement notice ought to be cancelled or varied by reason of a change in
circumstances, the Tribunal must cancel or vary the notice.

(7) On an appeal under section 154(5), the Tribunal may cancel the
Commissioner’s determination.

Complaints

156 Complaints by data subjects

(1) Articles 57(1)(f) and (2) and 77 of the GDPR (data subject’s right to lodge a
complaint) confer rights on data subjects to complain to the Commissioner if
the data subject considers that, in connection with personal data relating to him
or her, there is an infringement of the GDPR.

(2) A data subject may make a complaint to the Commissioner if the data subject
considers that, in connection with personal data relating to him or her, there is
an infringement of Part 3 or 4 of this Act.

(3) The Commissioner must facilitate the making of complaints under subsection
(2) by taking steps such as providing a complaint form which can be completed
electronically and by other means.

(4) If the Commissioner receives a complaint under subsection (2), the
Commissioner must—

(a) take appropriate steps to respond to the complaint,

(b) inform the complainant of the outcome of the complaint,

(c) inform the complainant of the rights under section 157, and

(d) if asked to do so by the complainant, provide the complainant with
further information about how to pursue the complaint.

(5) The reference in subsection (4)(a) to taking appropriate steps in response to a
complaint includes—

(a) investigating the subject matter of the complaint, to the extent
appropriate, and

(b) informing the complainant about progress on the complaint, including
about whether further investigation or co-ordination with another
supervisory authority or foreign designated authority is necessary.

(6) If the Commissioner receives a complaint relating to the infringement of a data
subject’s rights under provisions adopted by a member State other than the
United Kingdom pursuant to the Law Enforcement Directive, the
Commissioner must—

(a) send the complaint to the relevant supervisory authority for the
purposes of that Directive,

(b) inform the complainant that the Commissioner has done so, and

(c) if asked to do so by the complainant, provide the complainant with
further information about how to pursue the complaint.

(7) In this section—

  • “foreign designated authority” means an authority designated for the
    purposes of Article 13 of the Data Protection Convention by a party,
    other than the United Kingdom, which is bound by that Convention;

  • “supervisory authority” means a supervisory authority for the purposes
    of Article 51 of the GDPR or Article 41 of the Law Enforcement
    Directive in a member State other than the United Kingdom.

157 Orders to progress complaints

(1) This section applies where, after a data subject makes a complaint under
section 156 or Article 77 of the GDPR, the Commissioner—

(a) fails to take appropriate steps to respond to the complaint,

(b) fails to provide the complainant with information about progress on
the complaint, or of the outcome of the complaint, before the end of the
period of 3 months beginning with the day on which the Commissioner
received the complaint, or

(c) if the Commissioner’s consideration of the complaint is not concluded
during that period, fails to provide the complainant with such
information during a subsequent period of 3 months.

(2) The Tribunal may, on an application by the data subject, make an order
requiring the Commissioner—

(a) to take appropriate steps to respond to the complaint, or

(b) to inform the complainant of progress on the complaint, or of the
outcome of the complaint, within a period specified in the order.

(3) An order under subsection (2)(a) may require the Commissioner—

(a) to take steps specified in the order;

(b) to conclude the investigation, or take a specified step, within a period
specified in the order.

(4) Section 156(5) applies for the purposes of subsections (1)(a) and (2)(a) as it
applies for the purposes of section 156(4)(a).

Remedies in the court

158 Compliance orders

(1) This section applies if, on an application by a data subject, a court is satisfied
that there has been an infringement of the data subject’s rights under the data
protection legislation in contravention of that legislation.

(2) A court may make an order for the purposes of securing compliance with the
data protection legislation which requires the controller in respect of the
processing, or a processor acting on behalf of that controller—

(a) to take steps specified in the order, or

(b) to refrain from taking steps specified in the order.

(3) The order may, in relation to each step, specify the time at which, or the period
within which, it must be taken.

(4) In subsection (1)—

(a) the reference to an application by a data subject includes an application
made in exercise of the right under Article 79(1) of the GDPR (right to
an effective remedy against a controller or processor);

(b) the reference to the data protection legislation does not include Part 4
of this Act or regulations made under that Part.

(5) In relation to a joint controller in respect of the processing of personal data to
which Part 3 applies whose responsibilities are determined in an arrangement
under section 56, a court may only make an order under this section if the
controller is responsible for compliance with the provision of the data
protection legislation that is contravened.

159 Compensation for contravention of the GDPR

(1) In Article 82 of the GDPR (right to compensation) “damage” includes financial
loss, distress and other adverse effects.

(2) Subsection (3) applies where—

(a) in accordance with rules of court, proceedings under Article 82 of the
GDPR are brought by a representative body on behalf of a person, and

(b) a court orders the payment of compensation.

(3) The court may make an order providing for the compensation to be paid on
behalf of the person to—

(a) the representative body, or

(b) such other person as the court thinks fit.

160 Compensation for contravention of other data protection legislation

(1) A person who suffers damage by reason of a contravention of a requirement of
the data protection legislation, other than the GDPR, is entitled to
compensation for that damage from the controller or the processor, subject to
subsections (2) and (3).

(2) Under subsection (1)—

(a) a controller involved in processing of personal data is liable for any
damage caused by the processing, and

(b) a processor involved in processing of personal data is liable for damage
caused by the processing only if the processor—

(i) has not complied with an obligation under the data protection
legislation specifically directed at processors, or

(ii) has acted outside, or contrary to, the controller’s lawful
instructions.

(3) A controller or processor is not liable as described in subsection (2) if the
controller or processor proves that the controller or processor is not in any way
responsible for the event giving rise to the damage.

(4) A joint controller in respect of the processing of personal data to which Part 3
or 4 applies whose responsibilities are determined in an arrangement under
section 56 or 102 is only liable as described in subsection (2) if the controller is