Skip to main content

Paying a data protection fee – activities of extraterritorial organisations and bodies sector

If you do need to pay, the online form will ask for your sector. You can choose, but are not limited, to:

  • Finance, Insurance and Credit, Financial services and advice, Independent financial advisor
  • Finance, Insurance and Credit, Financial services and advice, Investment management company
  • General Business, Business Advice and Consultancy, Consultant
  • General Business, Supplier of services, Other
  • Land and Property Services, Property Management, Property Management
  • Membership Association, Club, Club/Society (Charitable)
  • Membership Association, Club, Membership Club (Commercial)
  • Online Technology & Telecoms, Service Provider, Internet Service Provider
  • Online Technology & Telecoms, Service Provider, IT Support/Helpdesk
  • Online Technology & Telecoms, Service Provider, Telecommunications Company
  • Online Technology & Telecoms, Software Developer, Software Development
  • Online Technology & Telecoms, Software Developer, Web Designer
  • Online Technology & Telecoms, Infrastructure & Hardware provider, Web Hosting
  • Retail and Manufacture, Supplier of goods, Mail Order Trader
  • Retail and Manufacture, Supplier of goods, E-Commerce

Frequently asked questions

I have CCTV on my business premises for crime prevention reasons – do I need to pay a fee?

Yes. Images of people caught on camera is their personal data. If you record these images to prevent crime, and crime prevention is not the purpose of your business, then you need to pay.

I have a dashcam on my business vehicle – do I need to pay a fee?

If you have a dashcam that you use for work purposes on a vehicle that you use for work – even if you own the vehicle - then you will need to pay a data protection fee. Again, images of people recorded on camera – even when in their cars - will be their personal data.

What are the core business exemptions?

The core business exemptions are:

Staff Administration

This is processing for the purposes of appointments or removals, pay. Discipline, superannuation, work management or other personnel matters concerning staff.

  • The individuals you hold information about will be restricted to any person whose personal information has to be processed for staff administration.

The term ‘staff’ includes all past, existing or prospective members of staff who are employees, office holders, temporary and casual workers, and also agents and volunteers. The personal information held about them includes all personnel and work management matters – for example their qualifications, work experience, pay and performance.

Advertising, marketing, and public relations

This is the processing for the purpose of advertising or marketing your business activity, goods or services and promoting public relations only in connection with that business activity, or those goods and services. For this exemption to apply, they must meet all the following criteria:

  • The individuals you hold information about are restricted to any person whose personal information you need to process for your own advertising, marketing, or public relations – for example past, existing or present customers or suppliers.
  • Your information is restricted to information that is necessary for your advertising, marketing, and public relations – for example, names, addresses and other identifiers.
  • You advertise and market your own goods and services.
  • If you obtain personal information from a third party, it is for the purpose of marketing your own goods and services.

However if you sell or trade a list of your customers, you must pay the fee.

Accounts and records

This is the processing for the purpose of keeping accounts relating to any business or other activity you carry out; deciding whether to accept anyone as a customer or supplier; keeping records of purchases, sales, or other transactions to ensure the relevant payments, deliveries or services take place; or making financial or management forecasts to help you carry out your business or activity.

  • The individuals you hold information about are restricted to anyone whose personal information needs to be processed for your accounts and records – for example past, existing or present customers or suppliers.

The information you hold is restricted to personal information that is necessary for your accounts and records – for example, name, address, and credit card details. However, the exemption specifically excludes information processed by or obtained from credit reference agencies.

My company is dormant – do I need to pay?

It depends. If your business is dormant and you are not processing personal data electronically, then you’re not required to pay the fee.

However, some businesses and professionals are required to retain some personal data after they cease trading or practicing, as required by industry guidelines. If this applies to you then you probably will need to pay.

We are a holding/s company – do we need to pay?

Typically, a holding company may not always hold and process personal information. This may be carried out by another company within your group. You will need to determine who is the data controller and if any organisations within your group of companies is required to pay the fee.

My organisation is a registered charity – do I need to pay?

This would depend on what personal data you were processing and why. A registered charity would only pay the lowest fee tier of £40. Our self-assessment tool will help you determine if you are required to pay a fee.

How do I know if my company can claim the not-for-profit exemption – we don’t make a profit?

To meet the criteria for the not-for-profit exemption the organisation must:

  • be established as a not-for-profit organisation, which may be stated in your constitution/articles
  • only process information necessary to establish or maintain membership or support
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
  • only hold information about individuals whose data you need to process for this exempt purpose
  • the personal data you process is restricted to personal information that is necessary for this exempt purpose
  • only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration

The organisation would not be exempt:

  • if you are responsible for CCTV
  • if you provide additional services outside of the organisations aims/objectives that can’t be covered by the other exemptions
  • if you trade and share in personal data

We are a community interest company – do we need to pay?

Community interest companies are unlikely to be able rely on the not-for-profit exemption and you must determine which level of fee you are required to pay.

You can complete the self-assessment tool to determine this.

I have received a letter for one of my companies, however, I have a group of companies. Can I do a group registration?

It isn’t possible to have a group entry on the public register of data protection fee payers. Each individual company, if it is a data controller and a separate legal entity e.g. has a separate companies house number, would be required to pay a data protection fee unless an exemption applies.

We are a company that provide digital asset management services - do we need to pay a fee.

If you are providing this service and processing personal information about individuals, it is unlikely you would be able to rely on a core business exemption and therefore a data protection fee is required. Please check the core business exemptions above to determine if a payment is required.

I offer consultancy services – do I need to pay?

Yes, providing consultancy and advisory services to individuals or partnerships, such as branding and graphic design, is not an exempt purpose of processing personal data and you would be required to pay a fee.

My company/club holds information about our members – do we need to pay?

The administration of membership records is not an exempt purpose for processing personal data and would require a fee to be paid. If you are set up as a not-for-profit organisation, please take our self-assessment tool to see of you are required to pay the fee.

If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.

I am already registered – why have I received a letter?

If you are registered as a sole trader or your registration does not include your companies house number this could be the reason why you have received our letter. Please let us know.

I have a limited company but I’m a sole trader – who needs to be registered?

This depends on who the data controller is, and which entity has the relationship with the client. You will need to determine who is the legal person responsible for the personal data held.

If your limited company is set up for the sole purpose of processing your own accounts through, then this would not require a fee.

I’m unsure if I am data controller or a data processor – how do I determine this?

It is essential for organisations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of the processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility.

You may find the following guidance useful:

To determine whether you are a data controller you need to ascertain which organisation decides:

  • to collect the personal data in the first place and the legal basis for doing so;
  • which items of personal data to collect, i.e. the content of the data;
  • the purpose or purposes the data are to be used for;
  • which individuals to collect data about;
  • whether to disclose the data, and if so, who to;
  • whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
  • how long to retain the data or whether to make non-routine amendments to the data.

We can only provide guidance and advice, ultimately it is the Data Controllers decision as to whether a registration is needed.

I only hold names, addresses, and contact details of my customers – do I need to pay?

If the information you are holding about people is only for the purposes of keeping your own accounts and records, such as keeping records of purchases, sales, or other transactions to ensure the relevant payments, deliveries or services happen, then you are likely to be exempt from the requirement to pay.

However, this specifically excludes information processed by or obtained from credit reference agencies.

I do credit checks on my clients – do I need to pay?

Yes. When performing a credit check via a credit reference agency you will need to pay the fee.

Do I have to pay if I have a website?

It depends on what’s on your website and what other personal data you hold.

If you use your website to promote another person's business activity, goods, or services, you will need to pay because you are advertising and marketing for others.

If you just have a website that advertises your own products or services, then you won’t need to pay because of your website. But you will need to use our self-assessment tool to see if there are any other activities you undertake that mean you do need to pay.

More information

There is more information about the data protection fee on our website.

There is also lots of information for sole traders and smaller businesses on our SME web hub, to help you understand data protection and how it can help you safely make the most out of the personal data you hold.

Have we missed something?

Have we missed something? Is there some information that you would like to know, which hasn't been covered in our FAQs? (optional)