The ICO exists to empower you through information.

The infringements of UK GDPR and DPA 2018 for which the Commissioner can impose a fine

Share Download options

Pages

Format

  1. The Commissioner may impose a fine when satisfied that a person has failed to comply with the provisions of the UK GDPR or DPA 2018 referred to in section 149(2) to (5) DPA 2018.
  2. In summary, these are:
    • Where a controller or processor has failed, or is failing, to comply with provisions of UK GDPR or DPA 2018 relating to:
      • the principles of processing;
      • rights conferred on data subjects;
      • obligations placed on controllers and processors, including the requirement to communicate a personal data breach to the Commissioner; or
      • the principles for transfers of personal data outside the UK.10
    • Where a monitoring body has failed, or is failing, to comply with an obligation about the monitoring of approved codes of conduct.11
    • Where a certification provider does not meet the requirements for accreditation or has failed, or is failing, to comply with obligations under UK GDPR about the certification of controllers and processors, or any other provision of the UK GDPR (whether in its capacity as a certification provider or otherwise).12
    • Where a controller has failed, or is failing, to comply with a requirement to pay charges to the Commissioner.13
  3. The Commissioner can also impose a fine on a person for failure to comply with requirements imposed on them under section 142 DPA 2018 (information notices), section 146 DPA 2018 (assessment notices), and section 149 DPA 2018 (enforcement notices).14
  4. This includes failing to:
    • provide information that the Commissioner reasonably requires;
    • allow the Commissioner to inspect or examine documents, information, equipment or material; or
    • comply with a requirement set out in an enforcement notice, such as a requirement to rectify or erase personal data or otherwise comply with the UK GDPR or DPA 2018.
  5. Annex 1 provides a table setting out the provisions of UK GDPR and DPA 2018 in relation to which the Commissioner can impose a fine.

 

10 Section 149(2) DPA 2018.

11 Section 149(3) DPA 2018.

12 Section 149(4) DPA 2018.

13 Section 149(5) DPA 2018. The Commissioner may only impose fixed penalties for a failure to comply with a requirement to pay charges to the Commissioner (see section 158 DPA 2018). The Commissioner’s guidance on fixed penalties is currently set out in the Regulatory Action Policy, page 28.

14 Section 155(1)(b) DPA 2018.