SponsoredBuild your website with Vincony

Aviso legal: Esto no constituye asesoramiento jurídico. La legislación y la jurisprudencia cambian. Consulte siempre con un abogado cualificado para su situación específica.

UK Law Reference
Todos los temas

Protección de datos y privacidad

UK GDPR, Ley de Protección de Datos 2018, aplicación del ICO y derechos.

Technology & Data
UK-wide

Introducción

La legislación de protección de datos regula cómo las organizaciones recopilan, almacenan y procesan información personal.

In Brief

UK GDPR and the Data Protection Act 2018 require organisations to have a lawful basis before processing your personal data, and give you important rights including the right to access your data (DSAR), the right to erasure, and the right to object to direct marketing. A Subject Access Request must be answered within one calendar month, free of charge.

Principios fundamentales

1

Lawfulness, Fairness and Transparency — Personal data must be processed lawfully, fairly, and in a transparent manner. There must be a lawful basis for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests).

2

Purpose Limitation — Data must be collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.

3

Data Minimisation — Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose should be collected.

4

Accuracy — Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.

5

Storage Limitation — Personal data must not be kept for longer than is necessary for the purposes for which it is processed.

6

Integrity and Confidentiality — Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

7

Accountability — The data controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

8

Data Subject Rights — Individuals have rights including access (Subject Access Request), rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and objection to processing.

Leyes clave

Data Protection Act 2018

2018
Ver →

Privacy and Electronic Communications Regulations 2003

2003

Freedom of Information Act 2000

2000

Casos principales

Google LLC v Lloyd

[2021] UKSC 50

Leer caso →

Vidal-Hall v Google

[2015] EWCA Civ 311

R (Bridges) v Chief Constable of South Wales Police

[2020] EWCA Civ 1058

Escenarios comunes

Making a Subject Access Request (SAR)

Under Article 15 UK GDPR, you have the right to obtain confirmation of whether your personal data is being processed and a copy of that data. The organisation must respond within one calendar month. The request is free. If the organisation fails to comply, you can complain to the ICO.

Company suffers a data breach

Under Article 33 UK GDPR, a personal data breach must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. Affected individuals must also be notified without undue delay if the risk is high. Failure to report can result in significant fines.

Receiving unwanted marketing emails

Direct marketing by email requires consent under the Privacy and Electronic Communications Regulations 2003 (PECR), unless the 'soft opt-in' exception applies. You have the right to object to direct marketing at any time. Complaints can be made to the ICO.

Related Careers

Frequently Asked Questions

What is a Subject Access Request (DSAR)?

A DSAR is a request to an organisation for a copy of all personal data they hold about you. Under UK GDPR, they must respond within one calendar month. The request is free to make.

Can I ask a company to delete my data?

Yes, under the 'right to erasure' (right to be forgotten) in UK GDPR. However, this right is not absolute — organisations can refuse if they have a legal obligation to keep the data.

What happens if a company has a data breach involving my information?

Under UK GDPR Article 33, the controller must notify the ICO within 72 hours of becoming aware of a breach likely to risk individuals' rights. Where the breach is likely to result in a HIGH risk to rights and freedoms, affected individuals must also be notified directly under Article 34 without undue delay. You can complain to the ICO and may have a private claim for material or non-material distress damages under Article 82 (see Lloyd v Google LLC [2021] UKSC 50 for the limits of mass-claim aggregation).

Important Deadlines

Respond to a Subject Access Request (DSAR)1 calendar month from receipt (extendable by 2 months for complex/numerous requests)
Notify the ICO of a personal data breachWithin 72 hours of becoming aware of the breach (if likely to risk individuals' rights)
Notify affected individuals of a high-risk data breachWithout undue delay once the controller is aware

Typical Costs

Typical Costs & Fees
ICO registration fee (small organisation/charity)£40–£60 per year
ICO registration fee (medium/large organisation)£60–£2,900 per year depending on turnover and staff numbers
ICO maximum fine for serious UK GDPR breachUp to £17.5 million or 4% of global annual turnover (whichever is higher)

Related Content

Related Legislation