The ICO exists to empower you through information.

Purpose and lawful basis for processing

Our purpose for processing this information is so we can assess a Data Protection Impact Assessment (DPIA) submitted for consultation and respond to you.

The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regul




What we need

Controllers must submit DPIAs to us if the risks of the proposed processing cannot be successfully mitigated. This information will include the controller’s representative’s name and contact details.

Why we need it

We use the data collected by the form to record the DPIA and make decisions about the processing. We may contact you for more information and to inform you of the outcome of the consultation.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

What are your rights?

We process personal data in the DPIA consultation form in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?