Turkish Law Blog

Data Protection under the Data Protection Act 2018 with General Data Protection Regulations

Nihan Akkaş Nihan Akkaş/ NAZALI Tax and Legal Services
20 February, 2019
20500

The Data Protection Act 2018 (“DPA 2018”) replaced and repealed the previous Data Protection Act 1998 and it became UK law on 23 May 2018.[1] This new Act came into force as the primary piece of data protection legislation in the UK. The goal of the new act is to modernise data protection laws in order to ensure they fit for the increasingly digital society and economy.[2] It provides a modern and comprehensive framework by setting new standards in order to protect personal data strongly.[3] It gives more power and control to individuals such as moving or deleting their personal data than the DPA 1998 while their personal data are processing.

With regard to the General Data Protection Regulations (“GDPR”) which has a direct effect across all European Union members[4] came into effect on 25 May along with the Data Protection Act 2018.[5] The GDPR gives European Union Members States a freedom to apply certain exemptions or rules regarding certain types of personal data protections.[6] It also shapes of the data protection rules in the UK along with the DPA 2018. However, GDPR provides member states with limited opportunities to make provisions for how the rules apply in their country. The provisions of DPA 2018 which covers the GDPR is in more detail. The DPA 2018 has some exemptions from certain rights and obligations set out GDPR.[7] Thus, it is important that GDPR and DPA 2018 should be read and analysed together.

This chapter is going to cover information about the new Data Protection Act 2018 along with GDPR by comparing some provisions with the previous Data Protection Act 1998.

1. Key Definitions

DPA 2018 and GDPR contain some key definitions which are going to be mentioned briefly below. Even though these definitions are quite similar to DPA 1998, they are more broadly covered rather than the previous act.

The terms which are used in the DPA 2018 share the same meaning with the GDPR. Thus, key definitions will be mentioned briefly under the GDPR. [8]

1.1. Personal Data

According to the Article 4 under the GDPR personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’) and it adds that:

“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[9]

In other words, individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.[10] It could not be wrong to say that the GDPR has a broader definition of what constitutes personal data than the DPA 1998 by incorporating reference to identifiers such as name, identification numbers, IP address and location.[11] In addition unlike DPA 1998, it includes new types of digital data called online identifiers. Online identifiers contain IP addresses, cookie strings and mobile device ID`s. It is also applicable to automated personal data and to manual filing systems when the personal data is accessible according to certain criteria.

As mentioned in Chapter 3, definition of personal data under the Data Protection Act 1998 created some controversial problems because of being open to interpretation, however at this time under the GDPR personal data is defined in more clear and transparent way comparing with the previous act. It is clear that the definition of personal data under the GDPR is broader than the Data Protection Act 1998’s definition and could include chronologically ordered sets of manual records containing personal data.[12]

1.2. Data Processors and Data Controllers

The GDPR sets out some directly applicable obligations on both data processors and data controllers. Briefly, according to the Article 7 of the GDPR; a data controller (natural or legal person, public authority, agency or other body) determines the purposes and means of processing personal data alone or jointly with others. [13]

According to the Article 8 under the GDPR a data processor who is a natural or legal person, public authority, agency or other body is responsible for processing personal data on behalf of a controller. However, data processors need to obtain a data controller’s consent in various circumstances such as personal data breach notification before using any sub-processors.[14]

1.3. Special Categories of Personal Data

Some of personal data that is being processed by data controllers could be more sensitive in nature and consequently it requires a stronger protection.  Under the GDPR, sensitive personal data is being termed as special categories of personal data. Even though the requirements of special categories of personal data under the GDPR share almost the same concept of sensitive personal data under the DPA 1998, the GDPR adds genetic data[15] and some biometric data[16] in the definition.

To sum up, as defined in Chapter 3 under the Data Protection Act 1998 sensitive data   categories are quite similar to the categories such as race, ethnic origin, political opinions and so on under the GDPR apart from genetic data and biometric data.          

2. Data Protection Principles

Unlike the DPA 1998, the Data Protection Act 2018 and the GDPR contain six data protection principles with some new terms. The six data protection principles which are the cornerstones of the Data Protection Act 2018 and the GDPR regulate obligations for data controllers which collect, store and processes personal data of the data subject. The aim of these principles is to provide a data subject with information about the purpose and the modality of the processing of their personal data. 

2.1. The First Data Protection Principle

As with the 1998 Act, DPA 2018 and the GDPR also set out that the processing of personal data for any of the law enforcement purposes must be lawful, fair and transparency. However, the requirement to be transparent about what a data controller does with data subject’s personal data is now more clearly signposted.[17] Whilst the DPA 1998 requires that the data controller makes available to the data subject certain specific information, the GDPR clearly sets out that the processing of personal data shall be lawfully, fairly and in a transparent manner concerning to the data subject.[18] Even though under the GDPR the term of ‘Transparency’ is not being defined, it could be explained that any information and communication in relation to the processing of personal data have to be understood easily and easily accessible.[19] In other words, data controller should inform a data subject about who process his/her personal data and what the purpose of it. Thus, the data subject has full awareness about the usage of his/her personal data.

2.2. The Second Data Protection Principle

Article 5[20] under the GDPR and the Article 35[21] under the DPA 2018 set out that the reason of why personal data is collected must be explicit, specified and legitimate. Personal data which is obtained must be processed only if it is compatible with the purpose. In addition, accordingly, personal data could be also used for another purpose, however, it must be necessary and compatible with the original purpose and the data controller must authorised by law in order to process the personal data for that  purpose.[22]

The purpose limitation principle of DPA 2018 and the GDPR is almost the same with the principle under the DPA 1998. However, whilst under the DPA 1998, the principle was requiring specify the purpose for processing at the outset through registration with the Information Commissioner`s Office, the GDPR requires specify the purpose by complying with the documentation and transparency obligations.[23]

Moreover, the purpose limitation principle still does not allow a data controller to use a personal data of the data subject if those purposes are not compatible with the original one; however the GDPR includes more detail on it. These principles under the GDPR  also specifically allows the data controller for the further processing  if the purpose  is for scientific or historical research, archiving in the public interest  or statistical.[24]

In practice, there is a fine line in order to understand whether the purpose of the processing is compatibility or not. For example, according to the Bulgarian Personal Data Protection Commission and the competent national courts sending personal information details of the former employees to the customer is not related to the original purpose of the collection of that personal data.[25] Accordingly, this collection of the personal data will be incompatibility and disproportionate with the original purpose of it.

2.3. The Third Data Protection Principle

According to the Article 5[26] under the  GDPR and Article 37[27] under the DPA 2018, the personal data which is processing must fulfil the purpose sufficiently and it must be relevant (it must be compatible with the purpose) and not be excessive; in other words the personal data must not be hold more than the need for the purpose.[28] The information that is collected should be for the reason that is mentioned or otherwise retaining such information in order to use later will be the breach of the third data protection principle.    

2.4. The Fourth Data Protection Principle

This principle under the GDPR and DPA 2018 is very similar to the DPA 1998. Alike DPA 1998, this one also regulates that personal data which is processed for the purpose must be accurate and where necessary it must kept up to date. In addition, when it is recognized that personal data is misleading or incorrect (inaccurate), it must be erased or must take reasonable step to correct it.

Although the GDPR does not define the word “accurate” in a clear way, the DPA 2018 defines the word “inaccurate” which means “incorrect or misleading as to any matter of fact”.[29] Thus, it is generally clear to determine whether the personal data is accurate or not by looking together to the GDPR and DPA 2018 together even though there is no certain definition of the “accurate” under the GDPR.

2.5. The Fifth Data Protection Principle

This principle sets out that a personal data that is obtained must not be held longer than the purpose requires. Even though there is no underlying change between the previous act and the GDPR with the DPA 2018, the GDPR highlights that a data controller can delete or anonymise the personal data of the data subject if the data controller does not longer need it.[30]

2.6. The Sixth Data Protection Principle

This principle sets out the security of the processing of the personal data under the GDPR and DPA 2018. According to this principle, the process of the personal data collected must be appropriate security of the personal data. It must be processed with appropriate technical or organisational measures. Accordingly, appropriate security contains protection against unauthorised or unlawful processing and accidental loss, destruction or damage.[31]

3. Individual Rights

The GDPR and DPA 2018 set out eight rights for individuals (data subject). As mentioned before, in the scope of the legislation, “data subject” refers to the individual protected by the legislation itself.[32] These eight rights are in order to protect all individuals while processing their personal data. The GDPR and DPA provide individuals to give more control on the data controller comparing to the DPA 1998.[33] In addition, even though the GDPR and DPA 2018 share the same rights for individuals, the DPA 2018 provides some specific exemptions to some rights for individuals such as in the provisions of ‘the right to access.’

The eight rights under the GDPR and DPA 2018 are:

(a) The right to be informed

(b) The right of access

(c) The right to rectification

(d) The right to erasure

(e) The right to restrict processing

(f) The right to data portability

(g) The right to object

(h) Rights in relation to automated decision making and profiling.[34]

3.1. The Right to be Informed

The right to be informed is a fundamental element of transparency under the GDPR    and DPA 2018. This right is set out Article 12 and 13 under the GDPR and Article 44 under the DPA 2018.

Accordingly, individuals have a right to request information about the collection. In other words, a data controller must provide a data subject with various information.[35]

These all information above which are given by data controller must be concise, intelligible, easily accessible, transparent and using clear and plain language.[36] In addition these information shall be provided the data subject in writing or other techniques such as visualisation tools and standardised icons.[37] Even though under the 1998 Act ‘readily available’ was enough to be informed a data subject, the GDPR sets out more specifically about the information that a  data controller provides a data subject what to do and how to use his/her personal data. Under the GDPR, a data controller must actively provide a data subject with the information in a way that is easy access for a data subject.[38]

The data controller must provide these information at the time the personal data of the data subject is being collected for him/her.[39] If a data controller collects personal data of the data subject from other sources, then a data controller must provide the data subject with these information no later than one month. However, if a data subject has already the information and if providing information is a disproportionate effort, then it will not be vital to give the information to the data subject.[40]

3.2. The Right of Access

Article 15 under the GDPR and Article 45 under the DPA 2018 regulate the right of access or in other words subject access. Accordingly, individuals have a right to request a copy of their personal data, confirmation about the processing their personal data in addition to the other supplementary information. Thus, individuals could understand why and how their personal data will be processed and check whether the processing is lawful or not.

Because of the fact that the GDPR is not clear how to request validly, individuals can make a request to a data controller either in writing or verbally. After requesting to a data controller about the right of access from a data subject, a data controller must act on the subject access without undue delay and at the latest within one month of receipt. The time limit is calculated from the day after a data controller takes the request from a data subject.[41] If the request makes behalf of others and if the data subject allows someone else to act for him or her, individuals have a right to make a subject access request through third party under the GDPR.[42]

The important point of the right of access, the DPA 2018 has some special provisions comparing to the GDPR. Under the DPA 2018, if a personal data of the data subject is being held by credit reference agencies, a subject access request to credit reference agencies only applies to information about a data subject’s financial standing. In addition under the DPA 2018, a data controller does not have to comply with the request if it would mean disclosing information about another individual who can be identified with that information except if:

(a) the other individual has consented to the disclosure or;

(b) it is reasonable to comply with the request without that individual’s consent.[43]

3.3. The Right to Rectification and Erasure

Article 16 under the GDPR, individuals can request to rectify inaccurate (according to DPA 2018 personal data is inaccurate if it is misleading and incorrect concerning to the any matter of fact[44]) personal data or complete if the personal data is not completed from a data controller in writing or verbally. However, according to the Article 46 under the DPA 2018 adds that if there is a request about rectification from a data subject but the personal data must be maintained for the purpose of evidence, a data controller must restrict its processing instead of rectifying the personal data.[45]

With regards to the right to erasure, it sets out under the Article 17 of the GDPR and under the Article 47 of the DPA 2018. Accordingly individuals have a right to have their personal data deleted under the certain conditions. Firstly, this right could be applied by individuals when there is no necessity to process or collect of their personal data. Secondly, if individuals withdraw their consent to process or collect of their personal data, they have a right to request for deleting their personal data from a data controller. Thirdly, if personal data is processed unlawfully or for the purpose of direct marketing and the data subject objects to this processing, they can also apply for this right.[46]

In addition, according to the GDPR a data subject should inform organisations about the erasure of his/her personal data if the personal information has been disclosed to others or it has been revealed on Internet such as social networks.[47]

3.4. The Right to Data Portability

This right gives individuals the right to receive and reuse their personal data for their own purposes. In addition it provides them to request that a controller transmits this data directly to another controller.[48] In other words, it makes possible for the individuals to move, copy or transfer their personal data from one online environment to another in a secure way. This right only applies when the processing is automatically or when it is consent or contract based.[49]

3.5. The Right to Object

Data subjects have a right to object under the Article 21 of the GDPR. This right provides individuals to ask a data controller to stop the processing of their personal data in certain circumstances. If the personal data of individuals are being used for direct marketing purposes, individuals have an absolute right to object. In other words, there are no exemptions or grounds to be rejected due to the absolute right. However, if the processing of personal data is for a task carried out in the public interest, the exercise of offıcial authority vested in a data controller or a legitimate interests of the data controller, under this circumstances the GDPR does not count the right of object as an absolute. In this case a data controller can continue processing the personal data if the processing is for the establishment, exercise or defence of legal claims.[50]

When the processing is for scientific, historical research, or statistical purposes; the GDPR gives a right for individuals to object to processing of their personal data relating to them if there is no necessity to carry on processing that personal data for public interest.[51]

3.6. The Right in relation Automated Decision and Portability

The GDPR sets new rules in relation to certain kinds of automated decision and profiling. Even though automated decision and profiling are two separate, they are often interlinked concepts.

Broadly, profiling might be defined as any form of automated processing of personal data which could assess certain personal aspects concerning to an individual such as natural person’s performance at work, health, economic situations, behaviour, reliability, personal preferences, location or movements.[52] Organizations classify individuals into different sectors and groups by collecting personal information of data subjects from different sources such as internet researches, behaviour data collected from mobile phones or social networks. Thus, in order to create profiles for individuals, organizations identify correlations between different behaviours and characteristics of individuals.[53] Profiling must be understood in the scope of automated-decision making.

With regards to the automated decision making, it can be defined as the ability to make decisions without humans being involved. These decision includes an online decision to award a loan and an aptitude test used for recruitment which uses pre-programmed algorithms and criteria.[54] Although in practice profiling can often be precursor to automated decision making, it does not have to include profiling.

Both profiling and automated decision have some advantages for organizations and individuals. One hand, they both provide the data controller and the data subject with quicker and more consistent decisions, particularly in cases where a great amount of data needs to be evaluated and decisions made very quickly. On the other hand, these techniques could be risk for individuals. Because of the fact that profiling is often invisible for individuals, they may not recognized their personal information is being used and how the process works or how it can affect them.[55]

The significant change under the GDPR is a data controller can only continue this type of automated decision making when there is a necessity for the entry into or performance for the contract, authorised by Union or Member State law or based on the explicit consent of individuals.[56] However, according to the 1998 Act a data controller could carry out this type of processing unless an objection is received by a data subject.[57]


BIBLIOGRAPHY


[1] Cynthia O`Donoghue, ‘Data Protection Act 2018 Comes Into Force’, (Mondaq Business Briefing, 18 June 2018), http://link.galegroup.com/apps/doc/A543374036/ITOF?u=anglia_itw&sid=ITOF&xid=af2833cf accessed 05 August 2018.

[2] Department for Digital, Culture, Media &Sport, Data Protection Act 2018 Factsheet-Overview (23 May 2018), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/711162/2018-05-23_Factsheet_1_-_Act_overview.pdf accessed 25 August 2018.

[3] Ibid.

[4] Data Protection Act 2018, https://ico.org.uk/for-organisations/data-protection-act-2018/, accessed 05/08/18

[5] Alex Hern, ‘What is GDPR and how will it affect you?’ (21 May 2018), https://www.theguardian.com/technology/2018/may/21/what-is-gdpr-and-how-will-it-affect-you accessed 26 August 2018.

[6] Cynthia O`Donoghue, ‘Data Protection Act 2018 Comes Into Force’, (Mondaq Business Briefing, 18 June 2018), http://link.galegroup.com/apps/doc/A543374036/ITOF?u=anglia_itw&sid=ITOF&xid=af2833cf accessed 26 August 2018.

[7] Information Commisioner’s Office (ICO), ‘Data Protection Act 2018’, https://ico.org.uk/for-organisations/data-protection-act-2018/ accessed 26 August 2018.

[8] Data Protection Act 2018, Part 2 (General Processing) Chapter 1 (Scope and Definitions) Article (5) (1).

[9] General Data Protection Regulation (GDPR), Art (4) (1), https://gdpr-info.eu/ accessed 10 August 2018.

[10] Information Commission’s Office (ICO), ‘What is personal data?’ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/ accessed at 10/08/2018.

[11] Steve Tootill, ‘GDPR Key Definitions and Terminology’ (helpIT, 28 June 2017) https://www.helpit.com/cleandata/key-definitions-gdpr/ accessed 10 August 2018.

[12] Information Commission’s Office (ICO), ‘What is personal data?’, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/ accessed at 10 August 2018.

[13] General Data Protection Regulation (GDPR), Art (4) (7) https://gdpr-info.eu/ accessed 10 August 2018.

[14] Tom Torkar, ‘Out with the old, in with the new – the upcoming changes to Data Protection Law’ (Michelmores, 6 Jan 2016), https://www.michelmores.com/news-views/news/data-protection-law-changes accessed 10 August 2018.

[15] General Data Protection Regulation (GDPR), Art (4) (13) https://gdpr-info.eu/ accessed 10 August 2018.

[16] General Data Protection Regulation (GDPR), Art (4) (14) https://gdpr-info.eu/ accessed 10 August 2018.

[17] Information Commissioner`s Office (ICO), ‘Principle (a) : Lawfulness, fairness and transparency’, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/ accessed 11 August 2018.

[18] General Data Protection Regulation (GDPR), Art (5) (1) (a)  https://gdpr-info.eu/, accessed 11 August 2018.

[19] University of Groningen, Six data protection principles, https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32412 accessed 24 September 2018.

[20] General Data Protection Regulation (GDPR), Art (5) (1) (b)  https://gdpr-info.eu/, accessed 11 August 2018.

[21] Data Protection Act 2018, The first data protection principle Art (35), http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf accessed 25 September 2018.

[22]Information Commissioner`s Office (ICO), Principle (b): Purpose limitation, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/ accessed 24 September 2018.

[23] Ibid.

[24] Ibid.

[25] Stefanov Dragomir, GDPR Basics Part 1: principles of Personal Data Processing, (Mondaq Business Briefing, 28 December 2017) http://link.galegroup.com/apps/doc/A520630557/ITOF?u=anglia_itw&sid=ITOF&xid=0adf9c2e accessed 25 September 2018.

[26] General Data Protection Regulation (GDPR), Art (5) (1) (c)  https://gdpr-info.eu/, accessed 11 August 2018.

[27]  Data Protection Act 2018, The third data protection principle Art (37), http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf accessed 25 September 2018.

[29] Information Commissioner`s Office (ICO), Principle (d): Accuracy, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/accuracy/ accessed 25 September 2018.

[30] Ibid.

[31] General Data Protection Regulation (GDPR), Art (5) (1) (e)  https://gdpr-info.eu/, accessed 11 August 2018.

[32] Peter Carey, Data Protection Handbook (2nd edn, The Law Society 2008), p.7.

[33] Patric McCallum, GDPR-Individuals` Rights, https://www.wrighthassall.co.uk/knowledge/legal-articles/2017/11/21/gdpr-individuals-rights/ accessed 12/08/18

[34] ICO, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ accessed at 12/08/2018

[35] General Data Protection Regulation (GDPR), Art (13) (1) https://gdpr-info.eu/ accessed 26 August 2018.

[36] General Data Protection Regulation (GDPR), Art (12) (1) https://gdpr-info.eu/ accessed 26 August 2018.

[37] Information Commissioner`s Office (ICO), What’s New Under the GDPR?, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-s-new-under-the-gdpr/ accessed 26 August 2018.

[38] Ibid.

[39] Information Commissioner`s Office (ICO), ‘Right to be informed’, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ accessed 26 August 2018.

[40] Ibid.

[41] Information Commissioner`s Office (ICO), Right of access, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ accessed 25 September 2018.

[42] Information Commissioner`s Office (ICO), ‘Right of access’, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ accessed 27 August 2018.

[43] Ibid.

[44] Data Protection Act 2018, General Interpretation Article (205) (1), http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf accessed 25 September 2018.

[45] Data Protection Act 2018, Right to rectification Article (46) (4), http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf accessed 25 September 2018.

[46] Information Commissioner`s Office (ICO), Right to erasure, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ accessed 25 September 2018.

[47] Ibid.

[48] Information Commissioner`s Office (ICO), Right to data portability, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/ accessed 27 August 2018.

[49] Ibid.

[50] Information Commissioner`s Office (ICO), ‘Right to object’, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/ accessed 27 August 2018.

[51] General Data Protection Regulation (GDPR), Art (21) (4) https://gdpr-info.eu/ accessed 27 August 2018.

[52] General Data Protection Regulation (GDPR), Art (4) (4) https://gdpr-info.eu/ accessed 13 September 2018.

[53] Information Commissioner`s Office (ICO), What is automated individual decision-making and profiling?, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/automated-decision-making-and-profiling/what-is-automated-individual-decision-making-and-profiling/ accessed 13 September 2018.

[54] Ibid.

[55] Ibid.

[56] Information Commissioner`s Office (ICO), What’s new under the GDPR?, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/automated-decision-making-and-profiling/whats-new-under-the-gdpr/ accessed 13 September 2018.

[57] Ibid.

 

 

Leave a comment

Please login or register to comment

Comments