Disclaimer: This is not legal advice. Laws and case law change. Always consult a qualified lawyer about your specific situation.


Data Protection Law

UK GDPR, the Data Protection Act 2018, ICO enforcement, and data subject rights.

Introduction

Data protection law in the UK is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), which together form a comprehensive framework for the processing of personal data. The Information Commissioner's Office (ICO) is the independent supervisory authority responsible for enforcement. The law gives individuals ('data subjects') significant rights over their personal data, including the right of access, rectification, erasure, and objection to processing. Organisations ('data controllers' and 'data processors') must comply with data protection principles and can face substantial fines for non-compliance.

Key Principles

1. Lawfulness, Fairness and Transparency — Personal data must be processed lawfully, fairly, and in a transparent manner. There must be a lawful basis for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests).

2. Purpose Limitation — Data must be collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.

3. Data Minimisation — Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose should be collected.

4. Accuracy — Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.

5. Storage Limitation — Personal data must not be kept for longer than is necessary for the purposes for which it is processed.

6. Integrity and Confidentiality — Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

7. Accountability — The data controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

8. Data Subject Rights — Individuals have rights including access (Subject Access Request), rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and objection to processing.

Key Legislation

Data Protection Act 2018

2018

Privacy and Electronic Communications Regulations 2003

2003

Freedom of Information Act 2000

2000

Leading Cases

Google LLC v Lloyd

[2021] UKSC 50


Vidal-Hall v Google

[2015] EWCA Civ 311

R (Bridges) v Chief Constable of South Wales Police

[2020] EWCA Civ 1058

Common Scenarios

Making a Subject Access Request (SAR)

Under Article 15 UK GDPR, you have the right to obtain confirmation of whether your personal data is being processed and a copy of that data. The organisation must respond within one calendar month. The request is free. If the organisation fails to comply, you can complain to the ICO.

Company suffers a data breach

Under Article 33 UK GDPR, a personal data breach must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. Affected individuals must also be notified without undue delay if the risk is high. Failure to report can result in significant fines.

Receiving unwanted marketing emails

Direct marketing by email requires consent under the Privacy and Electronic Communications Regulations 2003 (PECR), unless the 'soft opt-in' exception applies. You have the right to object to direct marketing at any time. Complaints can be made to the ICO.
