Data Protection Bill (HL Bill 66)

Data Protection BillPage 70

(6) In subsection (5)

(a) references to the client of a professional legal adviser include references
to a person acting on behalf of the client, and

(b) references to a communication include—

(i) a copy or other record of the communication, and

(ii) anything enclosed with or referred to in the communication if
made as described in subsection (5)(a)(ii) or in subsection
(5)(b)(ii) and (iii).

Fees

129 Fees for services

The Commissioner may require a person other than a data subject or a data
protection officer to pay a reasonable fee for a service provided to the person,
or at the person’s request, which the Commissioner is required or authorised
to provide under the data protection legislation.

130 Manifestly unfounded or excessive requests by data subjects etc

(1) Where a request to the Commissioner from a data subject or a data protection
officer is manifestly unfounded or excessive, the Commissioner may—

(a) charge a reasonable fee for dealing with the request, or

(b) refuse to act on the request.

(2) An example of a request that may be excessive is one that merely repeats the
substance of previous requests.

(3) In any proceedings where there is an issue as to whether a request described in
subsection (1) is manifestly unfounded or excessive, it is for the Commissioner
to show that it is.

(4) Subsections (1) and (3) apply only in cases in which the Commissioner does not
already have such powers and obligations under Article 57(4) of the GDPR.

131 Guidance about fees

(1) The Commissioner must produce and publish guidance about the fees the
Commissioner proposes to charge in accordance with—

(a) section 129 or 130, or

(b) Article 57(4) of the GDPR.

(2) Before publishing the guidance, the Commissioner must consult the Secretary
of State.

Charges

132 Charges payable to the Commissioner by controllers

(1) The Secretary of State may by regulations require controllers to pay charges of
an amount specified in the regulations to the Commissioner.

(2) Regulations under subsection (1) may require a controller to pay a charge
regardless of whether the Commissioner has provided, or proposes to provide,
a service to the controller.

(3) Regulations under subsection (1) may—

(a) make provision about the time or times at which, or period or periods
within which, a charge must be paid;

(b) make provision for cases in which a discounted charge is payable;

(c) make provision for cases in which no charge is payable;

(d) make provision for cases in which a charge which has been paid is to be
refunded.

(4) In making regulations under subsection (1), the Secretary of State must have
regard to the desirability of securing that the charges payable to the
Commissioner under such regulations are sufficient to offset—

(a) expenses incurred by the Commissioner in discharging the
Commissioner’s functions—

(i) under the data protection legislation,

(ii) under the Data Protection Act 1998,

(iii) under or by virtue of sections 108 and 109 of the Digital
Economy Act 2017, and

(iv) under or by virtue of the Privacy and Electronic
Communications (EC Directive) Regulations 2003 (S.I. 2003/
2426),

(b) any expenses of the Secretary of State in respect of the Commissioner so
far as attributable to those functions,

(c) to the extent that the Secretary of State considers appropriate, any
deficit previously incurred (whether before or after the passing of this
Act) in respect of the expenses mentioned in paragraph (a), and

(d) to the extent that the Secretary of State considers appropriate, expenses
incurred by the Secretary of State in respect of the inclusion of any
officers or staff of the Commissioner in any scheme under section 1 of
the Superannuation Act 1972 or section 1 of the Public Service Pensions
Act 2013.

(5) The Secretary of State may from time to time require the Commissioner to
provide information about the expenses referred to in subsection (4)(a).

(6) The Secretary of State may by regulations make provision—

(a) requiring a controller to provide information to the Commissioner, or

(b) enabling the Commissioner to require a controller to provide
information to the Commissioner,

for either or both of the purposes mentioned in subsection (7).

(7) Those purposes are—

(a) determining whether a charge is payable by the controller under
regulations under subsection (1);

(b) determining the amount of a charge payable by the controller.

(8) The provision that may be made under subsection (6)(a) includes provision
requiring a controller to notify the Commissioner of a change in the controller’s
circumstances of a kind specified in the regulations.

133 Regulations under section 132: supplementary

(1) Before making regulations under section 132(1) or (6), the Secretary of State
must consult—

(a) such representatives of persons likely to be affected by the regulations
as the Secretary of State thinks appropriate, and

(b) such other persons as the Secretary of State thinks appropriate,

(and see also section 169).

(2) The Commissioner—

(a) must keep under review the working of regulations under section
132(1) or (6), and

(b) may from time to time submit proposals to the Secretary of State for
amendments to be made to the regulations.

(3) The Secretary of State must review the working of regulations under section
132(1) or (6)

(a) at the end of the period of 5 years beginning with the making of the first
set of regulations under section 108 of the Digital Economy Act 2017,
and

(b) at the end of each subsequent 5 year period.

(4) Regulations under section 132(1) are subject to the negative resolution
procedure if—

(a) they only make provision increasing a charge for which provision is
made by previous regulations under section 132(1) or section 108(1) of
the Digital Economy Act 2017, and

(b) they do so to take account of an increase in the retail prices index since
the previous regulations were made.

(5) Subject to subsection (4), regulations under section 132(1) or (6) are subject to
the affirmative resolution procedure.

(6) In subsection (4), “the retail prices index” means—

(a) the general index of retail prices (for all items) published by the
Statistics Board, or

(b) where that index is not published for a month, any substitute index or
figures published by the Board.

(7) Regulations made under section 132(1) or (6) may bind the Crown.

(8) But regulations under section 132(1) or (6) may not apply to—

(a) Her Majesty in her private capacity,

(b) Her Majesty in right of the Duchy of Lancaster, or

(c) the Duke of Cornwall.

Reports etc

134 Reporting to Parliament

(1) The Commissioner must—

(a) produce a general report on the carrying out of the Commissioner’s
functions annually,

(b) arrange for it to be laid before Parliament, and

(c) publish it.

(2) The report must include the annual report required under Article 59 of the
GDPR.

(3) The Commissioner may produce other reports relating to the carrying out of
the Commissioner’s functions and arrange for them to be laid before
Parliament.

135 Publication by the Commissioner

A duty under this Act for the Commissioner to publish a document is a duty
for the Commissioner to publish it, or to arrange for it to be published, in such
form and manner as the Commissioner considers appropriate.

136 Notices from the Commissioner

(1) This section applies in relation to a notice authorised or required by this Act to
be given to a person by the Commissioner.

(2) The notice may be given to an individual—

(a) by delivering it to the individual,

(b) by sending it to the individual by post addressed to the individual at
his or her usual or last-known place of residence or business, or

(c) by leaving it for the individual at that place.

(3) The notice may be given to a body corporate or unincorporate—

(a) by sending it by post to the proper officer of the body at its principal
office, or

(b) by addressing it to the proper officer of the body and leaving it at that
office.

(4) The notice may be given to a partnership in Scotland—

(a) by sending it by post to the principal office of the partnership, or

(b) by addressing it to that partnership and leaving it at that office.

(5) The notice may be given to the person by other means, including by electronic
means, with the person’s consent.

(6) In this section—

  • “principal office”, in relation to a registered company, means its
    registered office;

  • “proper officer”, in relation to any body, means the secretary or other
    executive officer charged with the conduct of its general affairs;

  • “registered company” means a company registered under the enactments
    relating to companies for the time being in force in the United
    Kingdom.

(7) This section is without prejudice to any other lawful method of giving a notice.

Part 6 Enforcement

Information notices

137 Information notices

(1) The Commissioner may, by written notice (an “information notice”), require a
controller or processor to provide the Commissioner with information that the
Commissioner reasonably requires for the purposes of carrying out the
Commissioner’s functions under the data protection legislation.

(2) An information notice must state why the Commissioner requires the
information.

(3) An information notice—

(a) may specify or describe particular information or a category of
information;

(b) may specify the form in which the information must be provided;

(c) may specify the time at which, or the period within which, the
information must be provided;

(d) may specify the place where the information must be provided;

(but see the restrictions in subsections (5) to (7)).

(4) An information notice must provide information about the rights of appeal
under section 154.

(5) An information notice may not require a person to provide information before
the end of the period within which an appeal can be brought against the notice.

(6) If an appeal is brought against an information notice, the information need not
be provided pending the determination or withdrawal of the appeal.

(7) If an information notice—

(a) states that, in the Commissioner’s opinion, the information is required
urgently, and

(b) gives the Commissioner’s reasons for reaching that opinion,

subsections (5) and (6) do not apply but the notice must not require the
information to be provided before the end of the period of 7 days beginning
with the day on which the notice is given.

(8) The Commissioner may cancel an information notice by written notice to the
person to whom it was given.

(9) In subsection (1), in relation to a person who is a controller or processor for the
purposes of the GDPR, the reference to a controller or processor includes a
representative of a controller or processor designated under Article 27 of the
GDPR (representatives of controllers or processors not established in the
European Union).

138 Information notices: restrictions

(1) The Commissioner may not give an information notice with respect to the
processing of personal data for the special purposes unless—

(a) a determination under section 164 with respect to the data or the
processing has taken effect, or

(b) the Commissioner—

(i) has reasonable grounds for suspecting that such a
determination could be made, and

(ii) the information is required for the purposes of making such a
determination.

(2) An information notice does not require a person to give the Commissioner
information in respect of a communication which is made—

(a) between a professional legal adviser and the adviser’s client, and

(b) in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights under the data protection legislation.

(3) An information notice does not require a person to give the Commissioner
information in respect of a communication which is made—

(a) between a professional legal adviser and the adviser’s client or between
such an adviser or client and another person,

(b) in connection with or in contemplation of proceedings under or arising
out of the data protection legislation, and

(c) for the purposes of such proceedings.

(4) In subsections (2) and (3), references to the client of a professional legal adviser
include references to a person acting on behalf of the client.

(5) An information notice does not require a person to provide the Commissioner
with information if doing so would, by revealing evidence of the commission
of an offence expose the person to proceedings for that offence.

(6) The reference to an offence in subsection (5) does not include an offence
under—

(a) this Act;

(b) section 5 of the Perjury Act 1911 (false statements made otherwise than
on oath);

(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);

(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn
statements).

(7) An oral or written statement provided by a person in response to an
information notice may not be used in evidence against that person on a
prosecution for an offence under this Act (other than an offence under section
139) unless in the proceedings—

(a) in giving evidence the person provides information inconsistent with
the statement, and

(b) evidence relating to the statement is adduced, or a question relating to
it is asked, by that person or on that person’s behalf.

(8) In subsection (5), in relation to an information notice given to a representative
of a controller or processor designated under Article 27 of the GDPR, the
reference to the person providing the information being exposed to
proceedings for an offence includes a reference to the controller or processor
being exposed to such proceedings.

139 Failure to comply with an information notice

(1) It is an offence for a person to fail to comply with an information notice.

(2) It is a defence for a person charged with an offence under subsection (1) to
prove that the person exercised all due diligence to comply with the notice.

(3) It is an offence for a person, in response to an information notice—

(a) to make a statement which the person knows to be false in a material
respect, or

(b) recklessly to make a statement which is false in a material respect.

Assessment notices

140 Assessment notices

(1) The Commissioner may by written notice (an “assessment notice”) require a
controller or processor to permit the Commissioner to carry out an assessment
of whether the controller or processor has complied or is complying with the
data protection legislation.

(2) An assessment notice may require the controller or processor to do any of the
following—

(a) permit the Commissioner to enter specified premises;

(b) direct the Commissioner to documents on the premises that are of a
specified description;

(c) assist the Commissioner to view information of a specified description
that is capable of being viewed using equipment on the premises;

(d) comply with a request from the Commissioner for—

(i) a copy of the documents to which the Commissioner is directed;

(ii) a copy (in such form as may be requested) of the information
which the Commissioner is assisted to view;

(e) direct the Commissioner to equipment or other material on the
premises which is of a specified description;

(f) permit the Commissioner to inspect or examine the documents,
information, equipment or material to which the Commissioner is
directed or which the Commissioner is assisted to view;

(g) permit the Commissioner to observe the processing of personal data
that takes place on the premises;

(h) make available for interview by the Commissioner a specified number
of people of a specified description who process personal data on
behalf of the controller, not exceeding the number who are willing to be
interviewed.

(3) In subsection (2), references to the Commissioner include references to the
Commissioner’s officers and staff.

(4) An assessment notice must, in relation to each requirement imposed by the
notice, specify the time or times at which, or period or periods within which,
the requirement must be complied with (but see the restrictions in subsections
(6) to (8)).

(5) An assessment notice must provide information about the rights of appeal
under section 154.

(6) An assessment notice may not require a person to do anything before the end
of the period within which an appeal can be brought against the notice.

(7) If an appeal is brought against an assessment notice, the controller or processor
need not comply with a requirement in the notice pending the determination
or withdrawal of the appeal.

(8) If an assessment notice—

(a) states that, in the Commissioner’s opinion, it is necessary for the
controller or processor to comply with a requirement in the notice
urgently, and

(b) gives the Commissioner’s reasons for reaching that opinion,

subsections (6) and (7) do not apply but the notice must not require the
controller or processor to comply with the requirement before the end of the
period of 7 days beginning with the day on which the notice is given.

(9) The Commissioner may cancel an assessment notice by written notice to the
controller or processor to whom it was given.

(10) Where the Commissioner gives an assessment notice to a processor, the
Commissioner must, so far as reasonably practicable, give a copy of the notice
to each controller for whom the processor processes personal data.

(11) In this section, “specified” means specified in an assessment notice.

141 Assessment notices: restrictions

(1) An assessment notice does not have effect so far as compliance would result in
the disclosure of a communication which is made—

(a) between a professional legal adviser and the adviser’s client, and

(b) in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights under the data protection legislation.

(2) An assessment notice does not have effect so far as compliance would result in
the disclosure of a communication which is made—

(a) between a professional legal adviser and the adviser’s client or between
such an adviser or client and another person,

(b) in connection with or in contemplation of proceedings under or arising
out of the data protection legislation, and

(c) for the purposes of such proceedings.

(3) In subsections (1) and (2)

(a) references to the client of a professional legal adviser include references
to a person acting on behalf of such a client, and

(b) references to a communication include—

(i) a copy or other record of the communication, and

(ii) anything enclosed with or referred to in the communication if
made as described in subsection (1)(b) or in subsection (2)(b)
and (c).

(4) The Commissioner may not give a controller or processor an assessment notice
with respect to the processing of personal data for the special purposes.

(5) The Commissioner may not give an assessment notice to—

(a) a body specified in section 23(3) of the Freedom of Information Act 2000
(bodies dealing with security matters), or

(b) the Office for Standards in Education, Children’s Services and Skills in
so far as it is a controller or processor in respect of information
processed for the purposes of functions exercisable by Her Majesty’s
Chief Inspector of Education, Children’s Services and Skills by virtue of
section 5(1)(a) of the Care Standards Act 2000.

Enforcement notices

142 Enforcement notices

(1) Where the Commissioner is satisfied that a person has failed, or is failing, as
described in subsection (2), (3), (4) or (5), the Commissioner may give the
person a written notice (an “enforcement notice”) which requires the person—

(a) to take steps specified in the notice, or

(b) to refrain from taking steps specified in the notice,

or both (and see also sections 143 and 144).

(2) The first type of failure is where a controller or processor has failed, or is
failing, to comply with any of the following—

(a) a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter
2 of Part 4 of this Act (principles of processing);

(b) a provision of Articles 12 to 22 of the GDPR or Part 3 or 4 of this Act
conferring rights on a data subject;

(c) a provision of Articles 25 to 39 of the GDPR (obligations of controllers
and processors);

(d) a requirement to communicate a personal data breach to the
Commissioner or a data subject under section 65, 66 or 106 of this Act;

(e) the principles for transfers of personal data to third countries, non-Convention
countries and international organisations in Articles 44 to 49 of the GDPR or in
sections 71 to 76 or 107 of this Act.

(3) The second type of failure is where a monitoring body has failed, or is failing,
to comply with an obligation under Article 41 of the GDPR (monitoring of
approved codes of conduct).

(4) The third type of failure is where a person who is a certification provider—

(a) does not meet the requirements for accreditation,

(b) has failed, or is failing, to comply with an obligation under Article 42 or
43 of the GDPR (certification of controllers and processors), or

(c) has failed, or is failing, to comply with any other provision of the GDPR
(whether in the person’s capacity as a certification provider or
otherwise).

(5) The fourth type of failure is where a controller has failed, or is failing, to
comply with regulations under section 132.

(6) An enforcement notice given in reliance on subsection (2), (3) or (5) may only
impose requirements which the Commissioner considers appropriate for the
purpose of remedying the failure.

(7) An enforcement notice given in reliance on subsection (4) may only impose
requirements which the Commissioner considers appropriate having regard to
the failure (whether or not for the purpose of remedying the failure).

(8) The Secretary of State may by regulations confer power on the Commissioner
to give an enforcement notice in respect of other failures.

(9) Before making regulations under this section, the Secretary of State must
consult such persons as the Secretary of State considers appropriate.

(10) Regulations under this section—

(a) may make provision about the giving of enforcement notices in respect
of the failure,

(b) may amend this section and sections 143 to 146, and

(c) are subject to the affirmative resolution procedure.

143 Enforcement notices: supplementary

(1) An enforcement notice must—

(a) state what the person has failed or is failing to do, and

(b) give the Commissioner’s reasons for reaching that opinion.

(2) In deciding whether to give an enforcement notice in reliance on section 142(2),
the Commissioner must consider whether the failure has caused or is likely to
cause any person damage or distress.

(3) In relation to an enforcement notice given in reliance on section 142(2), the
Commissioner’s power under section 142(1)(b) to require a person to refrain
from taking specified steps includes power—

(a) to impose a ban relating to all processing of personal data, or

(b) to impose a ban relating only to a specified description of processing of
personal data, including by specifying one or more of the following—

(i) a description of personal data;

(ii) the purpose or manner of the processing;

(iii) the time when the processing takes place.

(4) An enforcement notice may specify the time or times at which, or period or
periods within which, a requirement imposed by the notice must be complied
with (but see the restrictions in subsections (6) to (8)).

(5) An enforcement notice must provide information about the rights of appeal
under section 154.

(6) An enforcement notice must not specify a time for compliance with a
requirement in the notice which falls before the end of the period within which
an appeal can be brought against the notice.

(7) If an appeal is brought against an enforcement notice, a requirement in the
notice need not be complied with pending the determination or withdrawal of
the appeal.

(8) If an enforcement notice—

(a) states that, in the Commissioner’s opinion, it is necessary for a
requirement to be complied with urgently, and

(b) gives the Commissioner’s reasons for reaching that opinion,

subsections (6) and (7) do not apply but the notice must not require the
requirement to be complied with before the end of the period of 7 days
beginning with the day on which the notice is given.

(9) In this section, “specified” means specified in an enforcement notice.