ILN Data Privacy Paper

United Kingdom

4.2.1.9. conduct legitimate interests assessments where applicable; and
4.2.1.10. embed privacy by design and by default.

4.2.2. Processors must follow documented instructions, ensure security, assist controllers with rights requests and DPIAs, maintain records, notify breaches to controllers without undue delay, and control sub-processing.

4.2.3. The DPO advises the controller’s management, monitors compliance, is accessible to data subjects and the ICO, and must be resourced and independent.

Requirements for Data Processing

The core data protection principles shape every stage of the data lifecycle and should be reflected in policies, system design, and day-to-day decision-making.

5.1. Grounds for collection and processing

5.1.1. Processing must be based on one of the lawful bases set out in Art 6 UK GDPR:
5.1.1.1. consent;
5.1.1.2. performance of a contract with the data subject;
5.1.1.3. compliance with a legal obligation;
5.1.1.4. protection of the data subject’s vital interests;
5.1.1.5. performance of a public task; or
5.1.1.6. legitimate interests (subject to balancing and transparency).

5.1.2. Special category and criminal offence data require additional conditions (e.g., explicit consent or substantial public interest grounds).

5.1.3. Consent: Under Art 7 UK GDPR, consent must be freely given, specific, informed and unambiguous, and explicit where required (for special category data). Controllers must be able to demonstrate consent and provide mechanisms to withdraw it as easily as it was given. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but controllers must cease processing that relies on consent and update systems and downstream processors accordingly.

5.2. Transparency obligations

5.2.1. The controller must provide the data subject with clear privacy information. Where the information is collected directly from the data subject, this must be provided at the time of collection (Art 13 UK GDPR). Where the personal data is collected indirectly, the obligation is to provide the information within one month or when contacting the data subject, whichever is earlier (Art 14 UK GDPR).

https://www.fladgate.com/