Wm Morrison Supermarkets plc

Data Breach Claims – Wm Morrison Supermarkets plc

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee.

Wm Morrison Supermarkets plc v Various Claimants - the facts

In 2013, Mr Skelton, who was then employed by Wm Morrison Supermarkets plc (Morrisons) as an internal IT auditor, was provided with a verbal warning for minor misconduct. Subsequently, he developed an irrational grudge against his employer. After being asked by Morrisons to provide payroll data for the entire workforce to external auditors, Mr Skelton copied the data onto a USB stick. He took the USB stick home and posted the data on the internet, using another employee's details in an attempt to conceal his actions. He also sent this data to three national newspapers, purporting to be a concerned member of the public.

The newspapers did not publish the data, but one newspaper alerted Morrisons, who immediately took steps to remove the data from the internet, contact the police and begin an internal investigation. Morrisons spent £2.26 million dealing with the aftermath of the disclosure, a large proportion of which was spent on security measures for its employees. Mr Skelton was arrested and ultimately convicted of criminal offences under the Computer Misuse Act 1990 and section 55 of the DPA 1998, which was in force at the time.

The claimants in this case were 9,263 of Morrisons' employees or former employees. They claimed damages from Morrisons in the High Court for misuse of private information and breach of confidence, and for breach of its statutory duty under section 4(4) of the DPA 1998. The claimants alleged that Morrisons was either primarily liable under those heads of claim or vicariously liable for Mr Skelton's wrongful conduct.

Data Protection Act 1998

This case was decided under the Data Protection Act 1998 (DPA 1998) which was applicable at the time. The DPA 1998 implemented the Data Protection Directive (95/46/EEC) and imposed broad obligations on those who collect personal data (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Section 4(4) of the DPA 1998 provided that a data controller must comply with eight data protection principles in relation to all personal data with respect to which they are a controller.

Under section 13(1), any breach of the DPA 1998 which caused damage entitled the victim to compensation for that damage. Section 13(2) provided as follows:

"An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if the individual also suffers damage by reason of the contravention."

Under section 13(3), it was a defence to any proceedings under section 13 for a person, or in this case Morrisons, to prove that they had taken such care as was reasonably required in all the circumstances to comply with the relevant requirement.

Vicarious liability

It was also crucial to consider whether Morrisons could be vicariously liable for their employee’s action in this instance. Employers will be liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

In Lister v Hesley Hall Ltd [2001] UKHL 22, the House of Lords characterised the second stage as a "sufficient connection" test. The question was whether the torts were "so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable".

In Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11 (Mohamud), the Supreme Court held that the supermarket was vicariously liable for an employee's unprovoked violent assault on a customer. It found that there was a sufficiently close connection between the assault and the employee's job of attending to customers, such that the employer should be held vicariously liable

Wm Morrison Supermarkets plc - Decision

Morrisons was not vicariously liable for Mr Skelton's actions. It found that the Court of Appeal had misunderstood the principles governing vicarious liability in the following respects:

  • The disclosure of the data on the internet did not form part of Mr Skelton's functions or field of activities. This was not an act which he was authorised to do.
  • Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, a temporal or causal connection did not in itself satisfy the close connection test.
  • The reason why Mr Skelton acted wrongfully was not irrelevant. Whether he was acting on his employer's business or for purely personal reasons was highly material.

The mere fact that Mr Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. It was clear that Mr Skelton was not engaged in furthering his employer's business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.


This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It similarly provides helpful clarification for practitioners on the way in which the judgment in Mohamud should be applied in future cases concerning vicarious liability.

The facts in this case were extreme. It seems that Morrisons were wholly unaware of the grudge held by Mr Skelton. Mr Skelton also took extraordinary actions to cover up what he had done and even to frame another employee.

Unanswered questions

Had Morrisons been found vicariously liable for Mr Skelton’s actions, the employees who made the claims would have had to prove that they suffered ‘distress, anxiety, upset and damage’ by the mishandling of their personal information. A supreme court ruling on the issue would have provided a helpful benchmark to those wanting to understand more about how our courts quantify compensation for data breaches.

Moving forward

Employers should take away from the judgment that although this case was decided under the previous data protection regime, the DPA 1998 and the GDPR are based on broadly similar principles. Therefore the GDPR and Data Protection Act 2018 (DPA 2018) will not be a barrier to vicarious liability actions in data privacy proceedings commenced under the current regime.

Additionally, the GDPR makes compliance far more onerous for controllers and risks exposure to the huge revenue-based fines and data subject compensation claims for breaches of the GDPR and DPA 2018. This includes failing to safeguard data to statutory standards and neglect to have governance in place to curb the malicious acts of rogue employees.

The success of Morrisons in bringing to an end the threat under this case of being subject to a group action for compensation follows Google LLC being granted freedom to appeal against the Court of Appeal's order in Lloyd v Google LLC [2019] EWCA Civ 1599 and is another significant development in the progress of representative class actions in the UK legal system.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.

COVID-19 Contact Tracing Apps - Privacy Concerns

Contact Tracing Apps – Privacy Concerns

Contact tracing apps are being developed by governments and private enterprises to fight COVID-19. Their design and use however raise serious privacy concerns.

How do contact tracing apps work?

Contact tracing apps are mobile software applications designed to help identify individuals who may have been in contact with another person.

In the context of COVID-19 this means that anyone with the app who has been diagnosed with the virus or has self-diagnosed can enter that information into the app. Then, via the use of Bluetooth, anyone who has come, or comes, into contact with that diagnosed or self-diagnosed person will be notified by the app. If you are notified of such contact then you can take steps to self-quarantine or otherwise manage your exposure. This all relies upon individuals carrying their mobile phones at all times with Bluetooth activated which has cast doubt on their potential effectiveness.

Why adopt contact tracing apps?

By tracing the contacts of infected individuals, testing them for infection, treating the infected and tracing their contacts in turn, public health authorities aim to reduce infections in the population. Diseases for which contact tracing is commonly performed include tuberculosis, vaccine-preventable infections like measles, sexually transmitted infections (including HIV), blood-borne infections, some serious bacterial infections, and novel infections (e.g. coronavirus).

Privacy issues with contact tracing apps

Numerous applications are in development, with official government support in some territories and jurisdictions. Several frameworks for building contact tracing apps have been developed. Privacy concerns have been raised, especially about systems that are based on tracking the geographical location of app users.

Less intrusive alternatives include the use of Bluetooth signals to log a user's proximity to other mobile phones. On 10 April 2020, Google and Apple jointly announced that they would integrate functionality to support such Bluetooth-based apps directly into their Android and iOS operating systems.

These Bluetooth signals offer greater privacy protection because they operate on an anonymous basis. Therefore someone who comes into contact with an infected person will not have any information besides the fact that they have come into contact with an infected person. Rather than receiving any unnecessary information such as a unique identifying code or the name of the infected person.

ICO’s blog

The Information Commissioner (IC), Elizabeth Denham, has published a blog setting out data protection considerations for organisations using contact tracing and location data technologies in connection with the COVID-19 pandemic.

While the IC is maintaining a pragmatic and flexible approach to data protection compliance during the pandemic, the IC reminds organisations that the public must remain assured that their data will be processed lawfully in connection with the use of technology to track the spread of COVID-19 by individuals.

To help achieve the IC's twin goals of maintaining public trust and promoting compliance, the blog includes a series of questions for organisations to bear in mind when using new technologies to combat the pandemic. It focusses on compliance with data protection requirements under Article 25 of the General Data Protection Regulation ((EU) 2016/679) (GDPR), the data minimisation and storage limitation principles under Article 5(1)and data subject rights generally under the GDPR.

The IC asks organisations to consider the following questions:

  • Have you demonstrated how privacy is built into the processor technology?
  • Is the planned collection and use of personal data necessary and proportionate?
  • What control do users have over their data?
  • How much data needs to be gathered and processed centrally?
  • When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing, that is to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
  • What happens when the processing is no longer necessary?

The IC extends an offer to assist organisations with these processes, by providing guidance and tools to consider data protection requirements in the planning and development phase for projects adopting new technology, and by performing an audit of the measures and processes implemented by an organisation when the project has become operational.

In practice

The Information Commissioner's Office (ICO) has published a discussion document setting out its expectations and recommended best practice for the development and deployment of COVID-19 contact tracing apps.

The document was published in advance of Information Commissioner Elizabeth Denham's and Executive Director of Technology and Innovation Simon McDougall's appearance before the Human Rights Joint Committee on 4 May 2020 and is intended to help NHSX and other developers of contact tracing apps comply with information provision and data protection by default and design requirements under the GDPR.

Key principles and recommendations for developers to consider include

  • Performing a Data Protection Impact Assessment (DPIA) prior to implementation of the app and refreshing the DPIA whenever the app is updated during its life cycle.
  • Being transparent with users and providing them with clear information about the purpose and design choices for the app and the benefits the app seeks to deliver for both users and the NHS. Users must also be fully informed about the data to be processed by the app before the processing takes place.
  • Complying with data minimisation, retention and security principles under Articles 5(1) and 32 of the GDPR.
  • Ensuring participation is voluntary and users can opt in and out of participation and exercise their data subject rights (including rights of access, erasure, restriction and rectification) with ease. This could involve the developer providing users with a dedicated privacy control panel or dashboard.
  • Relying on valid user consent or an alternative lawful basis under Article 6(1) of the GDPR for the processing of personal data where this is necessary and more appropriate, such as performance of a task in the public interest (particularly where an app is developed by or on behalf of a public health authority).
  • The collection of personal data relating to health shall be allowed only where the processing is either based on explicit consent, is necessary for reasons of public interest in the area of public health, is for health care purposes, or is necessary for scientific research or statistical purposes.

The ICO will keep these recommendations under review and remains open to feedback.

What does this mean for businesses?

If contact tracing apps are designed in line with ICO guidance, businesses looking to monitor employees can have confidence in asking employees to use such apps. In all likelihood the NHSX app will be used in the UK and therefore businesses should be aware of how that app is being developed.

NHSX development

On 12 April 2020, Matthew Hancock, the Minister for Health and Social Care and the politician directly responsible for the NHS, announced that the NHS was developing a mobile app that will allow for contact tracing. The app is being developed by NHSX, a specialist unit responsible for digital transformation in the NHS.

In response to the Information Commissioner’s approach, NHSX has stated that they are prioritising security and privacy in all stages of the app’s design. They are planning to publish their security designs and the source code of the app to demonstrate this. Furthermore, they have confirmed that all data gathered by the app will only be used for NHS care, management, evaluation and research, and that individuals will be able to delete the app and their data at any point.


Two key constraints for contact tracing apps to be effective:

  • 80 per cent or more of the UK population who own a smartphone need to download it; and
  • the UK needs to test more than 100,000 people a day.

This is because contact tracing relies on large numbers of citizens being involved in the effort.

Encouraged technology

The UK Information Commissioner, Elizabeth Denham, has been supportive of the development of contact tracing apps. On 17 April she stated that “data protection laws [should] not get in the way of innovative use of data in a public health emergency – as long as the principles of the law (transparency, fairness and proportionality) are applied. The same approach applies to the use of contact tracing applications.”

Even though they are encouraged, organisations developing contact tracing apps and using them need to be conscious of the privacy issues.

If you have any questions on technology law, data protection law or on any of the issues raised in this article please get in touch with one of our data protection and technology lawyers.

European Representative GDPR

European Representative – GDPR After Brexit

What is a “European Representative” and do you need to appoint one? We have received lots of marketing from businesses in France, Germany and other members of the EU encouraging us to sign up to their European Representative Office service so that we can be compliant with GDPR. This article covers the role of the European Representative and addresses the question about whether you need to appoint one now or later.

Do organisations need to appoint a European Representative right now?


Do organisations need to appoint a European Representative in the future?


If you are a UK business offering goods or services to individuals in the European Economic Area (EEA) then, after the Brexit transition period ends (31 December 2020), you may need to appoint a European Representative in the EEA because the UK will no longer be within the EEA. This representative would act as the point of contact for your data subjects within the EEA as required by Article 27 of the General Data Protection Regulation (GDPR).

See below for the specific circumstances in which this requirement exists.

Transition period

The UK left the EU on 31 January 2020. From then until the 31 December 2020 the UK will be in a “transition period”. During the transition period EU law will continue to apply in the UK which includes data protection law and no UK organisation will need to appoint a European Representative until after the transition period ends.

European Representatives after the Brexit transition period

Once the transition period ends UK-based data controllers or processors who:

  • are without any offices, branches or other establishments in the EEA


  • who are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals located in the EEA

will be required to have a European Representative in the EEA.


There are exceptions to the above requirement where:

  • you are a public authority or body.
  • your data processing is only occasional, presents a low risk to data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.

Who can be your European Representative?

A European Representative may be an individual or a company or other organisation established in the EEA where a significant portion of the individuals whose personal data you are processing are located. So if a significant portion of your customers are in Greece, your representative should be located in Greece.

One representative can act on behalf of several non-EU controllers and processors. A representative should not, however, be a data protection officer; the draft European Data Protection Board (EDPB) guidance suggests that the roles are incompatible and combining them would be a conflict of interest.

Appointing a European Representative

You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.

In practice you should appoint a representative through a service contract.

The appointment of a representative must be in writing and should set out the terms of the relationship. Having a representative does not affect your own responsibility or liability under the EU GDPR.

Although the representative should be located in the Member State in which a significant proportion of your data subjects are located, the representative must remain easily accessible to data subjects located in all relevant Member States.

When the function of being a representative is assumed by a company or any other type of organisation, a single individual should be assigned as a lead contact and person in charge for each controller or processor represented.

The role of the European Representative

  • Perform its tasks according to the written agreement.
  • Facilitate communication between data subjects and the controller or processor.
  • Maintain a record of processing activities under the responsibility of the controller or processor.

Notification of the appointment

You should provide EEA-based individuals, whose personal data you are processing, the contact details of your representative. This may be done by including the details in your privacy notice or in upfront information provided to individuals when you collect their data. You must also make the information easily accessible to supervisory authorities – for example by publishing it on your website.

Liability of European Representatives

In November 2018 the EDPB issued draft guidance that said that supervisory authorities were able to initiate enforcement action (including fines) against a European Representative in the same way as they could against the controller or processor which appointed them:

“To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.”

Given that fines under GDPR can hit €20 million or 4% of global annual turnover (whichever is higher) the EDPB guidance sent shockwaves through the industry with many representatives deciding it wasn’t such a good idea to be a representative after all.

However, in an about-turn in November 2019, the EDPB issued draft guidance which says the intention was:

“To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative……The possibility to hold a representative directly liable is however limited  to its direct obligations referred to in articles 30 and article 58(1)(a) of the GDPR.”

Articles 30 and 58.1 simply concern keeping a record of processing activities and providing information to supervisory authorities when ordered to do so.


Right now, you can ignore those marketing emails about appointing a European Representative but 31 December 2020 will come around soon enough. If you have customers in the EEA but no office, branch or other establishment in the EEA then, as things currently stand, you should be appointing a European Representative before the year ends.

If you have any questions on appointing a European Representative or on data protection generally contact one of our data protection lawyers.

cloud services legal issues

Cloud Services Legal Issues

Cloud services are on the rise – they are highly relevant now and they are the future. In this article we provide a brief overview of some of the legal and commercial issues to consider when using cloud services and dealing with cloud services contracts.

What are cloud services?

Cloud services describe the delivery of technology services via the internet. Cloud users either do not need to purchase or install software at all or, if they do, then only on a small scale using software that is standardised. Cloud users do not have to run their own applications and provide the computing power from their own data centres, benefitting from massive economics of scale and dramatically lowering the cost of IT service provision.

Cloud services on the rise

The UK has seen a rapid adoption of cloud computing in business with Software as a Service the preferred deployment model. Cutting costs and providing mobile working solutions for staff is the main impetus for such innovation. The flexibility and scalability of cloud computing means organisations are happy to trade-off some of the control that exists in traditional services.

The rapid take up of cloud services is not limited to the private sector. The fourth iteration of the pan-government G-Cloud Framework has just been awarded to a wide array of large and small cloud operators.

The nature of cloud service provision means that a number of well-established IT concepts need to be reconsidered and will continue to need consideration as technology is refined. Furthermore, there is increasing regulation of cloud services through a wide variety of legislative provisions that do not specifically relate to cloud service provision but have a considerable impact on cloud service provision.

How cloud service providers operate

Cloud service arrangement are generally paid for on a service basis, which means that the upfront charges for customers and regular upgrade fees associated with more traditional software licensing are avoided.

Some cloud service providers may seek to levy start-up fees or upfront subscription charges to mitigate their own commercial exposure, for example, for any third-party software licensing charges. The most common approach now is a committed term of 1 to 3 years when signing up to an enterprise SaaS service – as suppliers want to be able to recognise revenue in their accounts.

Intellectual property issues


Although cloud services contracts relate to the provision of services rather than to the supply of software to customers, particularly in SaaS arrangements, appropriate software licences still need to be granted to the customer. Where users have online use of software, without a licence this would amount to copyright infringement. The licences are usually very narrowly defined and limited to use of the online application for their own business purposes. Customers have no right to make copies of or modifications or enhancements to the software and they cannot sub-licence to third parties.

The cloud services provider will not always own the intellectual property rights in the software that is the subject of the cloud provision service. Where this is the case the cloud services provider will need to arrange for the right to sub-licence the software to its customers, or for a direct licence to be entered into between the customers and the relevant third-party licensors. For purposes of contractual simplicity, it is preferable (and most common) for the cloud service provider to sub-licence the customer’s use of the third-party software.

Content and Data licensing:

The extent to which cloud services providers can make use of the data that is stored within their systems by their customers has become an important issue as a result of the significant marketplace developments in data analytics, including the use of artificial intelligence. Until data analytics became a mainstream business activity, cloud providers tended to regard their customers’ data storage requirements as being a necessary business overhead as part of the overall cloud arrangement. With data analytics, customer data has become a valuable resource which can be used to provide the basis for value added data analytics derived services.

In the early days of cloud services provision, many standard terms and conditions offered by cloud service providers in the consumer market included a broad licence from the customer to the service provider allowing them to use any content stored on its servers. These licences are often expressed as being perpetual and irrevocable. The uses to which the service provider could make of the content were usually limited but there were often rights to pass the content to third parties and to use it for marketing purposes. Even in the consumer marketplace, there is now considerably more general awareness of data issues, particularly following the Facebook/Cambridge Analytica scandal. In July 2019, the US Federal Trade Commission voted to approve fining Facebook around $5 billion to finally settle the investigation of these issues.

As a result, customers receiving cloud services should carefully consider the licensing provisions that relate to the suppliers’ use of the data that they store as a result of providing the services, particularly in relation to use of personal data, treatment of intellectual property rights and confidentiality. Customers should take particular care in identifying any rights they are agreeing to provide to the service provider. Licences may be implied by necessity or business efficacy, however a better and more certain approach is to have an express licence in place that is broad in scope and covers the full range of likely activities.

Jurisdiction and governing law

It is common for cloud services providers and their customers to be located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable law and jurisdiction. In each case, the cloud contract may stipulate choice of law and jurisdiction. However, there may also be separate and different rules on applicable law and jurisdiction that apply irrespective of provisions in the contract: data protection is a good example of this, where the GDPR has its own free standing rules.

Which law governs the contract

Usually the contract will state the laws that apply. If it doesn’t then this can be problematic, especially when cloud services are involved. Why? If, for example, the parties to the contract are based within the EU then in a B2B context it will generally be the laws of the place where the cloud services provider bases its servers that will apply. The position is more complex where service data is stored on multiple servers in different jurisdictions.

It is important therefore to ensure that cloud services contracts include a choice of law (and jurisdiction) clause.

Data Protection

When organisations process personal data they do so either as a “data controller” or a “data processor”. Each have different legal obligations when protecting personal data.

The data controller is the organisation that determines the purposes and means of the processing of personal data and is responsible for compliance with data protection law. In cloud services, the UK’s data protection regulator, the ICO, usually views the customer as the data controller, although when the supplier has a large amount of control over the processing of personal data they may be considered a joint data controller.

The data processor is the entity who processes data on behalf of a data controller. The ICO will regard the cloud services provider as a data processor in most cloud services arrangements.

Most obligations around data protection law fall on the data controller therefore, usually, the customer of a cloud services provider. A customer should therefore only allow a cloud services provider to process data on its behalf if it has appropriate organisational and technical measures in place. Special care must also be taken if international data transfers take place in connection with the processing of the customer’s data.

Checklist for cloud services contracts (buyer perspective)

Before signing on the dotted line you should consider:

  • Data storage: where will your data be stored, how is it stored, who has access to it and what security measures are in place.
  • Warranties and indemnities: consider what disclaimers are contained in the agreement and have appropriate indemnities been given for loss of data?
  • Check for hidden costs: monthly service costs may be low for a reason.
  • How will disputes be dealt with: what law applies and where will disputes be heard?
  • Data recovery: what will happen to your data at the end of the contract?

Checklist for cloud services contracts (supplier perspective)

Make sure that you have considered the following:

  • Intellectual Property Rights: although supplying software as a service is more protective of IPRs you should still make sure that your IP rights are covered.
  • Limitations and exclusions of liability: it’s standard practice to exclude liability for certain losses and to have an overall cap on liability.
  • Will you provide support commitments / service availability guarantees? Your business customers may well insist on these.
  • If you offer a subscription per person what happens if unauthorised individuals access the service? Consider including audit rights.
  • What should happen with the customer’s data at the end of the contract – you probably want the right to delete it after a certain time.
  • Choice of law and jurisdiction.

Cloud services – a multifaceted and evolving area of law

Contracts for the provision of cloud services and the legal issues being thrown up by the uptake in could services technology are evolving all the time. If you need help with cloud services contracts or any technology legal issues then please get in touch with us.

COVID-19 Data Protection Issues

COVID-19 Data Protection Issues

COVID-19 data protection issues have left many businesses scrambling to keep on top of their compliance functions. Other businesses are largely ignoring data protection rules – which are you?!

Although not always at the front of minds in a crisis, data protection laws are there to be followed. As a result of COVID-19 data protection rules are being put to the test as a result of new information about individuals being collected in response to the pandemic. This often includes whether individual members of staff are displaying symptoms of the virus, the health status of staff and related individuals within the same household, the results of COVID-19 testing and the various locations individuals have visited since the start of the outbreak.

This new information collected constitutes “personal data” and sometimes falls within “special categories of personal data”, as provided for under Article 9 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

Regulators Response

Data protection regulators across the EU have issued statements and guidance referring to the effect of COVID-19 on data protection.

The European Data Protection Board (EDPB) has stated that data protection laws in the EU do not, and should not, hinder the response to COVID-19. Therefore organisations subject to such regulation should remain compliant with their obligations under GDPR. The EDPB has commented that the COVID-19 emergency is a “legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”. Whether this means governments have the right to police data protection compliance more or less strictly is unclear.

In the UK the Information Commissioner’s Office (ICO) has published guidance in the context of COVID-19 data protection. The ICO’s approach is sympathetic to the challenges faced by organisations:

“We understand that resources, whether they are finance or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.

The ICO then goes on to mention that this does not extend as far as allowing infringement of statutory timescales but that they will endeavour to communicate to individuals bringing information rights requests that understandable delays may ensue.

The guidance should not be interpreted as a blank cheque by organisations to bend the rules relating to data protection compliance. It is only guidance and may not stand up in court. Additionally, the ICO does not grant any express relaxation of the rules. It has also stated, in line with the EDPB, that data protection should not stop organisations from being able to respond effectively to the crisis.

“Personal Data” and/or “Special Categories of Personal Data”

Information such as whether personnel have self-isolated, body temperature of personnel, visitors to premises and device location data will all be considered personal data. Where information also relates to the individual’s health, it would also fall within the sub-category of “special categories of personal data” – more on this below.

Legal Basis for Processing Personal Data

When processing COVID-19 personal data (that isn’t “special category data”) organisations may rely on the following legal bases:

Legitimate interests: for the purpose of the organisation’s legitimate interests in managing business continuity and the well-being of its staff.

Contractual necessity: necessary for an organisation’s performance of its obligations to its staff e.g. employees under their employment contract. Relevant obligations include ensuring the health, safety and well-being of employees.

Legal obligation: organisations have legal obligations relating to health and safety.

Legal Basis for Processing Special Categories of Personal Data

It is likely that when responding to the COVID-19 crisis organisations will collect special category data. This is because special category data, within the context of health, is defined as:

“personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about his or her health status”.

This includes information on injury, disease, diagnosis, medical history, medical examination data, registration details with health service, appointment details and/or a number, symbol or other identifier assigned to an individual to uniquely identify them for health purposes.

Organisations can only process special category data on one or more of the following grounds:

Employment, social security and social protection obligations: certain obligations under employment, social security and social protection law may allow the processing of special category data. You need to be able to identify the legal obligation or right in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. You can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights. In this instance it would be sufficient to refer to the Health and Safety at Work (UK) etc. Act 1974 which states:

it shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his/her employees”.

For example, an employer will want to know whether, in light of COVID-19, an individual member of staff is a health risk in order to ensure the health, safety and welfare of that staff member and the other employees. This is likely to include collecting special category health data from a number of individuals. The employer can rely on employment, social security and social protection obligations to do this processing.

On the other hand, if the employer were to collect unnecessary data such as medical information beyond the scope of that required to diagnose COVID-19 within government guidance, or if the employer disclosed the names of people diagnosed when it was unnecessary to disclose such information then these actions would amount to infringements of data protection law.

Preventative or occupational medicine: occupational medicine is a specialist branch of medicine that focuses on the physical and mental wellbeing of employees in the workplace. Under GDPR the processing of special category data is permitted for the purposes of preventative or occupational medicine, the assessment of an employee’s working capacity, medical diagnosis and/or the provision of health care or treatment.

Section 11 of the Data Protection Act (UK) 2018 states that in the UK organisations can only rely on this condition if the information is being processed by a health professional or a social worker professional or another person who in the circumstances owes of a duty of confidentiality under an enactment or rule of law. Therefore, this condition only applies where an organisation has appointed medical or social advisors who are professionals.

So, an organisation can be justified in processing special category data relating to COVID-19 on the advice of its medical advisors but only when able to show that the processing of this specific data is necessary. It must be a reasonable and proportionate way of achieving one of these purposes, and the organisation must not collect more data than it needs.

Public interest in the area of public health: on the advice of public medical advisors it may be possible to process special category data. This condition is only applicable where the processing is by, or under the responsibility of, a health professional or by someone else who in the circumstances owes a legal duty of confidentiality. For example, an organisation is contacted by health professionals who are trying to collect special category data in relation to the COVID-19 crisis to enable statistical analysis of the disease. On the advice of such public medical advisors, an organisation may rely upon the public interest in the area of public health condition when processing special category data for this purpose.

Consent is another legal bases for processing personal data. When collecting data as an organisation about individuals it is better not to rely upon consent because there is a risk of it not being freely given. This is based upon the general view that an inherent imbalance of power exists between individuals and organisations, in favour of organisations. Consent can also be withdrawn at any time.

Proportionate Collection/Processing of Personal Data for Purpose

An important aspect of GDPR compliance is that organisations only collect as much personal data as is strictly necessary for the purposes being pursued.

Within the context of COVID-19 this includes not naming an individual who is a health risk to other individuals or any other sensitive information about that individual in an organisation when it is not strictly necessary. Another example may be when enquiring about those experiencing symptoms within an individual’s household. In this instance it is unlikely that any more information than a simple ‘yes’ or ‘no’ answer would be required.

In addition, organisations should ensure that the personal data that they collect is stored only for as long as necessary.

COVID-19 Data Protection Q&A

Can you tell staff that a colleague may have potentially contracted COVID-19?

Yes. You should keep staff informed about cases in your organisation. But don’t provide any more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection rules do not prevent you doing this.

Can you collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference, or an event?

You have an obligation to protect your employees’ health and therefore it is reasonable to ask people, be that employees or visitors to your organisations, to tell you if they are experiencing COVID-19 symptoms and hence collect special category data about them. Don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards and discarded as soon as it becomes obsolete.

For example, the best thing to ask would be a simple yes or no question as to whether an employee or visitor is experiencing COVID-19 symptoms or if anybody in their household is. Gaining any medical information unrelated to COVID-19 or their ability to visit your organisation would be deemed unnecessary.

You could also ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms. This approach should help you to minimise the information you need to collect.


Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances. This includes the potential need to specifically train homeworkers on their obligations and those of the employer in relation to data protection and confidentiality, concerning the procedures which they must follow, and what is, and is not, an authorised use of data.

Should Organisations Consider Undertaking a Data Protection Impact Assessment (DPIA)?

GDPR requires organisations to undertake a mandatory DPIA:

  • if their processing is likely to result in high risk to the rights and freedoms of individuals – this should involve considerations of the likelihood and severity of potential harm. Article 35(3) of the GDPR provides the following examples of when a processing operation is "likely to result in high risks":
  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special category data, or of personal data relating to criminal convictions and offences.
  • A systematic monitoring of a publicly accessible area on a large scale.
  • (relevant data to COVID-19) when processing biometric data, genetic data and/or tracking data.
  • The GDPR defines biometric data in Article 4(14) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of a person, such as facial images or dactyloscopic.” A fingerprint would be an example.
  • The GDPR defines genetic data in Article 4(13) as “personal data relating to the inherited or acquired genetic characteristics of a natural person”. A genetic profile of an individual would be an example.
  • Tracking data – an example would if an organisation uses device location data when accessing the geographical implications of COVID-19.

If an organisation has already started to undertake such processing activities or process this kind of data without undertaking a DPIA then they should perform one as soon as possible.

In the context of COVID-19 a DPIA will be necessary if an organisation has processed data in this way or of this nature in response to the pandemic. It is also helpful to know the context in which an organisation would be expected to perform a DPIA so that they can avoid it. Another example might be an organisation who becomes involved in the large scale processing of data in response to the crisis. Such an organisation should be prepared to undergo a DPIA if the nature of this new processing requires it.

Undertaking a DPIA, mandatorily or not, can still be useful for organisations in order to understand potential risks within their data controlling/processing activities.

If you need any help with COVID-19 data protection issues or on any other aspects of data protection law please get in touch with one of our data protection lawyers.


InsurTech – Big Data, AI and Web Scraping

While InsurTech is disrupting the traditional means by which insurance products and services are provided and accessed by consumers, it also gives rise to a range of regulatory concerns, in particular around the use of data.

What is InsurTech?

InsurTech is a portmanteau of "Insurance" and "technology". InsurTech does not have an agreed definition, but is instead used as a broad term covering the use of technology in the insurance value chain and the rethinking of existing processes, usually across the following themes:

  • Product innovation in relation to novel risks arising from new technologies.These include new products such as pay-as-you-go (PAYG), parametric, disaster relief, connected device and sensor and peer-to-peer (P2P) type products, usually enabled by leveraging one or more aspects of disruptive technologies.
  • Deployment of disruptive technologies across the insurance value chain. The application of innovative technologies (or a combination), such as internet of things (IoT) devices and artificial intelligence (AI), large data sets (Big Data) to facilitate product development, distribution, underwriting and claims and administration practices.
  • Development of new technology-enabled insurance business models. These include start-ups reimagining discretionary mutual models and industry consortia seeking to reinvent the insurance value chain through technologies such as blockchain or distributed ledger technology (DLT).
  • Rethinking existing insurance processes using technology. The development of new technology platform solutions for adoption by the wider market, with a view to automating paper-based processes and centralising the reconciliation and storage of data.

Rapid change

Awareness of InsurTech solutions and their underlying technologies, coupled with effective mitigation and management of the risks associated with their adoption are vital in a regulated sector pursuing rapid change. The development of new technologies, such as drones, cryptocurrencies and automated vehicles, has prompted product innovation relating to the emergence of new risks created.

InsurTech Regulators

The Financial Conduct Authority (FCA) has indicated its support for innovative products and services coming to the UK market and new business models being applied, while maintaining its position as a technology agnostic regulator. To this end, the FCA has created a "regulatory sandbox" as part of its wider innovation agenda (known as "Project Innovate"). This helps innovators navigate the layers of financial services regulation and aims to promote competition in the interest of customers. The sandbox aims to facilitate a "safe space" for InsurTech start-ups to prove their business plans without immediately incurring all the costs and regulatory consequences of engaging in regulated activities.

Big Data analytics

The traditional underwriting model for insurance is based on a combination of customer responses to proposal forms, historical claims data and risk studies; data that is used by analysts to predict consumer behaviour and identify patterns in claims losses.

Within the underwriting context, InsurTech solutions seek to alter traditional models by exploiting the connectivity facilitated by IoT devices and the vast amounts of data points available for analysis, or "Big Data", that they accumulate. The accumulation of Big Data sets and developments in data analytics capabilities, including AI tools employing machine learning and deep learning techniques, have the potential to inform increasingly precise and segmented underwriting decisions. This is allowing some insurers to offer cover for risks on better terms than would have been possible without this data. In some cases, customers would not have been able to obtain cover without it. Big Data analytics is also used to facilitate prediction of consumer behaviour in the underwriting process, enabling insurers to assess risk more precisely, price policies better and estimate necessary reserves accordingly.

Legal and regulatory implications of Big Data

The most obvious and wide-reaching legal and regulatory implications for InsurTech relate to the assemblage and analysis of Big Data sets:

  • Data privacy.Much of the Big Data being gathered in insurance products constitutes "personal data" under the GDPR. Personal data is defined broadly under European data protection law and includes pseudonymised data. Even if an ID has been attached to an individual (rather than a name or other types of more obviously personally identifiable data), it is still possible that personal data is being processed and data protection issues therefore need to be considered. The key GDPR considerations in the context of Big Data are:
    • Transparency requirements. The GDPR sets out requirements for consent on the part of the individual to the use and processing of their personal data (including in relation to wholly automated decision making). This can be challenging in the context of Big Data, particularly when the specifics of the intended use of data may not be known at the point at which data is collected and notices are given.
    • Purpose limitation. Under the GDPR, data collected for a specified purpose cannot then be used for an incompatible purpose.
    • Data minimisation. The principle of data minimisation means only processing data that is required for the purposes for which it is collected and therefore not collecting unnecessary data.
    • Storage limitation. Finally, the GDPR includes a requirement around storage limitation – not keeping more data in personally identifiable form then is necessary, or for longer than is necessary.

Accordingly, it is important to undertake a privacy impact assessment when accumulating and analysing a Big Data project. It will also be key to consider the terms of privacy notices, the specifics of the types of data to be analysed and any steps that can be taken to anonymise it and potentially take it out of the scope of the GDPR data protection regime.

  • Pricing practices.Regulators are concerned that Big Data creates the potential for underwriters to create customer profiles and price based on data collected about customer income and appetite for shopping around. Regulators are also conscious of practices where pricing is set based on an expectation that customers will provide enhanced underwriting data, with those who are unwilling to provide this being penalised with increased premiums.
  • Micro risk segmentation.Regulators are concerned that analytics of Big Data is likely to result in more sophisticated and predictive underwriting models, with underwriting increasingly being performed on the basis of ever smaller or more segmented pools of risk or categories of insureds. This has the potential to pose moral hazard issues in relation to the creation of "uninsurable" risks or classes of risk.

InsurTech Artificial Intelligence

Various forms of AI are in widespread use across the insurance value chain, particularly in distribution and claims administration where defined (and often time-consuming) processes, procedures and actions are commonplace.

AI's most tangible impact to date has been in the areas of policy monitoring and claims processing, which are gradually becoming subject to intelligent automation to improve efficiency and produce cost-savings, consequently lowering premiums. One example of this is through the development of chatbots and other forms of robo-advisers, which are designed to simulate an intelligent conversation and replace humans in various insurance processes.

A number of InsurTech solutions focus on embedding fraud deterrence and detection software as part of claims management processes. Smartphones enable photographs and videos to be sent to claims managers to evidence damage. Online claims forms can be monitored to identify amendments to draft submissions in response to requests later in the process for evidence or a verbal summary of the relevant loss. Fraud detection software, often utilising AI, can also enable earlier and more effective detection of fraudulent claims, through discerning human emotions by monitoring facial expressions and natural language.

GDPR requires algorithms used in decision making relating to retail insurance products to be explainable. AI is also attracting an increased focus from regulators. They are keen to ensure that the implementation and use of such technologies in the insurance value chain is subject to appropriate systems and controls and that requirements to be able to explain how decisions are made are met. This can be challenging particularly in the context of some non-deterministic forms of AI, such as deep learning applications, which are programmed to learn through their own errors.

Financial institutions using AI should ensure that they have governance processes in place relating to the use of AI within their organisations that ensure compliance with law and ethical standards, and set processes for ensuring these matters can be properly audited. It will also be important to ensure that board members are educated on the forms of AI being used in their operations and the potential implications of these technologies on business processes in practice.

See our blog on AI for more information.

Big Data and web scraping

In the insurance context, terms such as "web scraping" describe practices leveraging publicly available online data to assist with pre-population of proposal forms, underwriting decisions and claims assessment. These practices give rise to a number of issues from a contractual, data privacy, IP and reputational perspective:

  • Intellectual Property.Consideration will be required as to whether collection of data through web scraping from third-party sources would constitute a breach of any IP rights (principally literary copyright and database rights infringement).
  • Many websites' terms and conditions have express prohibitions against the collection of content and materials from their site and often refer to web scraping specifically. There are a number of tools by which third parties do make their data available to other sources. However, these are often subject to various licence terms, which may place controls on what can be done with the data.
  • Most companies want to make sure that they are giving their client base, and the individuals with who they interact, assurances that their data is being handled responsibly. There is a risk that the collection of data from third-party sources could be seen to be intrusive or inappropriate, which could have a negative reputational impact on the company.
  • Data protection.The GDPR specifically requires that individuals must be told about the sources of collection of personal data, which will be relevant where data is not collected from the individuals themselves but from third-party sources. There are rules under the GDPR that apply in relation to decision-making that is taken on a solely automated basis and produces legal effects relating to the individual or other similarly significant effects. Guidance from the Information Commissioner's Office (ICO) suggests that this could include decisions taken about insurance premiums. The rules around automated decision-making are such that consent is likely to need to be obtained to undertake this type of activity if it does in fact fall within the scope of automated decision-making under the GDPR. There are also requirements around providing individuals with rights to challenge decisions that are made automatically and potentially to obtain some human involvement in that process.

See our blog on web scraping for more information.

InsurTech – The benefits of technology

Being able to analyse data on a big scale has enhanced an industry for which information is the main source of its operations. Being able to do this through automation, access to publicly available information online and without the need for a human perspective comes with a load of legal consequences. Whilst the FCA encourages innovation in insurance, with some believing it can improve customer experience, the ethical dimension is tied up in a range of regulation which needs to be built into any InsurTech system.

EM Law specialises in technology law and data protection law. Please get in touch with one of our lawyers if you need any help.

EM Law Data Protection

Personal Data Transfers: Transfers Outside The EEA

The UK company passes information about its employees to this HR service. These are international personal data transfers and, on the face of it, are prohibited by the GDPR. However, personal data transfers such as these happen every single day. So how does the GDPR cater for this and what should your business be doing to ensure that it stays data protection compliant?

Personal Data Transfers - What are Restricted Transfers?

A few months ago, the ICO published updated guidance in relation to international personal data transfers under the GDPR. In this guidance the ICO clarified that personal data transfers are restricted if:

  • The GDPR applies to your processing of the personal data that you are transferring. In general, the GDPR applies if you are processing personal data in the EEA, and may apply in certain circumstances if you are outside the EEA and processing personal data about individuals in the EEA;
  • You are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually this is because they are located in a country outside the EEA; and
  • The receiver is a separate organisation or individual. So, for example, a transfer from a UK based organisation to its employee working outside the EEA would not be classified as a restricted transfer.

It should be noted that “transfer” does not mean the same as transit. If personal data is simply electronically routed through a non-EEA country but the transfer is actually from one EEA country to another, then it is not a restricted transfer. To give an example, a controller in France may transfer personal data to a controller in Ireland via a server in Australia. As there is no intention that the personal data will be accessed or manipulated while in Australia, the transfer is only to Ireland and is not classed as a restricted transfer.

Which countries are located within the EEA?

The EEA countries consist of the EU member states and the EFTA States. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. The EEA states are Iceland, Norway and Liechtenstein. The EEA joint committee recently made a decision that the GDPR does apply to these countries therefore transfers to these countries are not restricted.

How can you make restricted personal data transfers in accordance with the GDPR?

Before making personal data transfers that are restricted, you should consider whether the transfer is necessary. It may be that you can achieve your aims without actually sending data or you can make data anonymous so that it is not possible to identify individuals. If you decide that there is no other way, then clearly the transfer is necessary and the rights of individuals will have to be protected in another way.

Adequacy decision

The first thing you should consider is whether the relevant country or international organisation is covered by an adequacy decision. The European Commission has the power to determine, on the basis of article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. A transfer to an adequate country is the simplest way to transfer data outside the EEA; these transfers are permitted and legal under the GDPR. Currently, there are full findings of adequacy for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. There are also partial findings of adequacy about Canada and the USA. The adequacy finding for Canada only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act. The adequacy finding for the USA only covers personal data transfers covered by the EU-US Privacy Shield framework. Adequacy talks are currently ongoing with South Korea and the adoption procedure of the adequacy decision concerning Japan was launched a few months ago.

Appropriate safeguards

In the absence of an adequacy decision by the Commission, personal data transfers may only be made to a third country or an international organisation if the transfer is covered by appropriate safeguards. These safeguards are set out in article 46 of the GDPR. The appropriate safeguards, which may be provided for without requiring any specific authorisation from a supervisory authority, include:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • Binding Corporate Rules;
  • standard contractual clauses adopted by the Commission;
  • standard contractual clauses adopted by the supervisory authority and approved by the Commission;
  • approved codes of conduct; and
  • approved certification mechanisms.

In practice, the safeguards that are likely to be the most relevant are Binding Corporate Rules and standard contractual clauses.

In short, Binding Corporate Rules are internal rules designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA. Binding Corporate Rules can be used by both controllers and processors, provided that the data exporter is established in an EU member state. Binding Corporate Rules must be approved by the relevant data protection authority (in the UK this is the ICO) and in order to gain this approval, an applicant must demonstrate that it has in place adequate safeguards for protecting data throughout the organisation. Once implemented and operational, Binding Corporate Rules are much easier to maintain than a matrix of intra-group contracts and offer greater flexibility to organisations.

As Binding Corporate Rules do not cover transfers outside a corporate group, many companies opt for standard contractual clauses, also known as EU model clauses. At the moment there are three sets of standard contractual clauses; two sets for transfers from data controllers established in the EEA to data controllers established outside the EEA and one set for the transfer from data controllers established in the EEA to processors established outside the EEA. An important thing to remember with standard contractual clauses is that you must not amend them. Additional clauses may be added if necessary however these should be purely commercial in nature.


In the absence of an adequacy decision, or of appropriate safeguards, restricted personal data transfers may still take place if they fall within one of the exceptions set out in Article 49 of the GDPR. Some of the exceptions include:

  • Where the individual has given his or her explicit consent to the restricted transfer.
  • Where the transfer is necessary for the performance of a contract with the individual.
  • Where the transfer is necessary for important reasons of public interest.
  • Where the transfer is necessary for the establishment, exercise or defence of legal claims.

Although useful, these exceptions should be used narrowly and only in exceptional cases. It should also be noted that the consent and contract exceptions cannot be relied upon by public authorities in the exercise of their public powers.

Final thoughts

While the rules on international personal data transfers may at first sight seem complicated, the GDPR offers a variety of solutions for all types of organisations. In a world more connected than ever, these solutions are a crucial addition to the new data protection laws.

If you have any questions around international personal data transfers or you would like some general advice on data protection compliance please contact Neil Williamson.

EM Law Data Protection

Data Subject Access Requests - What You Need To Know

Data subject access requests are a key element of GDPR. Although an individual’s right to access their data has been a major part of data protection legislation since 1984, the development of technology has led to a massive expansion in the nature and quantity of data being processed. This blog takes a look at data subject access requests, how they work, and the impact that the GDPR has had upon them. We specialise in data protection so if you have any questions about this blog please get in touch. Our lead lawyer for data protection advice is Neil Williamson.

What are data subject access requests?

Put simply, a data subject access request is a request that allows individuals to find out what personal data an organisation holds about them, why they hold it and who the information is disclosed to. For information to be personal data, it must relate to an identified or identifiable natural person. Such information, either on its own or in combination with other data, may include personal contact details about that individual, information about their appearance, or information about sick leave.

How do I make a data subject access request? 

For data subject access requests to be valid, they must come from an individual or from someone acting on their behalf. Often, this will be a solicitor acting on behalf of a client but can also be a family member or friend.

Individuals can make data subject access requests verbally or in writing. The ICO even suggests that individuals can make data subject access requests through social media sites such as the organisation’s Facebook or Twitter. A request does not have to include the phrase ‘subject access request’ or refer to Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

How do I respond to data subject access requests?

To avoid inadvertently disclosing personal information to the wrong person, an organisation should first seek to establish that the individual making the request is who they say they are. If there are doubts, organisations can request proof of ID or request proof of a relationship with the individual. Some organisations may find it easier to provide individuals with a specially designed form. These forms can help organisations track data subject access requests and streamline internal processes and procedures. However, individuals are not obliged to use these forms and could still request their information in other ways.

In addition to a copy of an individual’s personal data, organisations must provide other information. This information includes the retention period for storing the data, the individual’s right to request erasure of their data, and the safeguards in place when their data is transferred to an international organisation. The full list of information is set out in Article 15 of the GDPR. An organisation may find that they have already disclosed most of this information in their privacy notice. In this case, an organisation can point an individual towards this.

Organisations should be mindful where an individual’s personal data includes information about other individuals. The Data Protection Act 2018 states that an organisation does not have to comply with a request if it means disclosing information about other individuals unless the other individual has consented to the disclosure or it is reasonable to comply with the request without that individual’s consent. In determining whether it is reasonable to comply, there are a number of factors that should be taken into consideration. These include the type of information being disclosed, any duty of confidentiality owed, and any express refusal of consent. If the other individual does not give their consent and it is not reasonable in the circumstances to disclose the data without their consent, an organisation should consider removing or redacting the data about that other individual.

What will happen if I don’t respond to a data subject access request?

The ICO has a range of enforcement tools available to it under the GDPR including issuing warnings, notices, ordering compliance and imposing fines. These fines can be very large; up to 20 million euros or, if higher, 4% of an organisations worldwide annual turnover.

Are there any exemptions?

The Data Protection Act 2018 sets out a number of exemptions which allow information to be withheld from individuals where it would usually need to be disclosed. These exemptions include:

  • Legal advice and proceedings – organisations do not have to disclose data which is covered by legal professional privilege;
  • Confidential references – organisations do not have to provide access to confidential references that they have given in relation to an employee’s employment; and
  • Management information – organisations do not have to disclose data which relates to management planning and forecasting.

Can I use a data subject access requests for the purposes of litigation?

As data subject access requests are limited to personal data, they are less wide-ranging than general disclosure obligations. Nonetheless, actual and potential litigants often use data subject access requests as a tactic in litigation or as a means of collecting information from their opponent. In Dawson-Damer v Taylor Wessing LLP (2017), the Court of Appeal decided that the motivation behind a data subject access request was irrelevant. Data subject access requests are valid even if the collateral purpose is to obtain information for the purposes of litigation.

The GDPR does not refer to the intention behind a subject access request and therefore the starting point is that any individual is entitled to exercise their right of subject access. The ICO makes clear that companies cannot refuse to supply information simply because the information requested in connection with actual or potential legal proceedings.

How has the GDPR changed data subject access requests?

Time Limit

The time limit for acting on data subject access requests has been reduced from 40 days to one calendar month. An organisation must now act without undue delay and in any event within one month of receipt. The time limit can be extended by a further two months if the request is complex or there has been a number of requests from the individual. In these circumstances, an organisation must let the individual know within one month of receiving the request and explain why the extension is necessary. Unfortunately, there is no specific guidance on what would constitute ‘complex’ at this stage.


In most cases, organisations can no longer charge a fee for carrying out a data subject access request. However, where the request is manifestly unfounded or excessive, a “reasonable fee” may be charged for the administrative costs of complying with the request.

Refusal to deal with the request

Organisations can refuse to deal with data subject access requests if they are manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If an organisation refuses to comply with a request, they should inform the individual about the reasons for their decision, the right to make a complaint and the ability to seek to enforce this right through a judicial remedy. An organisation may also refuse to deal with a request if the person to whom the subject access request was addressed is not the data controller or the request infringes the EU doctrine of abuse of rights. In all cases, an organisation must inform the individual within one month.

Electronic access

Individuals can now make data subject access requests electronically. Where an individual makes a request electronically, an organisation should provide the information electronically, unless the individual requests otherwise.

If you have any questions around data subject access requests please contact Neil Williamson.

Privacy Breach EM Law Data Protection

Data Protection – Our First Enquiry About A Privacy Breach

According to a recent ITV report, the number of privacy breach complaints reported to the Information Commissioner has nearly doubled since GDPR came into force in May. Apparently, 4214 complaints were made in July.

Here at EM Law we are receiving our first enquiries from individuals who want to know whether they can bring a claim against their employers for privacy breach. We predicted that claims of this nature would start appearing more often, driven by new claims factories bringing actions on behalf of clients who probably weren’t as distressed about their data not being handled correctly as they were making out. The very first enquiry we received, though, gave our cynical outlook a bit of a knocking and reminded us why GDPR has been introduced - to protect individuals from organisations who fail to look after their data properly. Below is an outline of that enquiry.

An individual (let’s call her Miss A) contacted me to say that a work colleague of hers had got hold of her employment contract along with the contracts of other employees in their organisation. She’d done so by replicating a key for the filing cabinet in which the employment contracts were held. Miss A told me that she felt very distressed by the fact that her colleague knew what she earned. I asked Mis A why her colleague was behaving in this way. Miss A thought it was because her colleague was showing off – thinking it was clever to have access to all this information.

I asked Miss A about her employer – what changes had they made as a result of GDPR coming into force? Had they made any announcements to staff or provided any training? Turns out the employer had done nothing about GDPR.

I advised Miss A that her employer should be contacting the Information Commissioner to advise them that there had been a data privacy breach and writing to staff to explain what had happened and how their personal data had been wrongly accessed. I advised Miss A that she had a potential claim against the employer for failing to put adequate measures in place to protect her personal data from being disclosed improperly. No one should be keeping employment contracts in hard copy in a filing cabinet. I can’t understand why anyone would want to anyway – data protection aside. You’re just clogging up space with items that can be kept in softcopy on a database.

Miss A didn’t contact me to be aggressive or because she saw a way of making some money. She contacted me because she was upset that a colleague of hers knew what she was earning. I totally understand why that would be upsetting. I think her intention is to go back to her employer and tell them that they need to do something about data protection and her privacy breach and take notice of GDPR. I wonder what their reaction will be.

Miss A’s story was a useful reminder to me of how individuals can be hurt when their personal data isn’t looked after properly leading to a privacy breach. EM Law usually supports organisations who are implementing measures to be compliant with data protection law. So we’re usually on the employer side, sympathising with them about the hoops they need to jump through. Next time I’m doing some training though, I’ll mention Miss A’s story and hopefully this will bring it home why putting in place appropriate measures and systems is the right (as well as the lawful) thing to do.

If you would like more information on data protection, GDPR requirements or if you are concerned about a personal data breach contact Neil Williamson at EM Law.

EMLaw - GDPR – A brief guide

GDPR Guide EM Law

GDPR Guide Introduction

I am EM Law's lead adviser on data protection compliance.

We all know that the GDPR has been coming for some time, but few businesses are properly prepared for it. Most businesses know that they should be doing something but, because the GDPR is complicated, they have not got around to understanding what it is they need to be doing. Some managers I have spoken to think that the effect of the GDPR is being overstated by lawyers and other professionals trying to cash in on the unwarranted panic they are causing. I have some sympathy for this attitude – especially having seen some of the very heavy guides out there!

Unfortunately, though, while there is no need for the vast majority of businesses to panic, all businesses, large or small, have work to do to make sure that from 25 May they will be complying with the new law.

This GDPR guide is aimed at you, the director of a small/medium-sized business, who does not know much about data protection. You know that data protection laws exist. You know that your business has a responsibility to keep data secure and that if data gets lost your business can get sued. Your business probably has a privacy policy published somewhere – perhaps on your website - that you do not pay much attention to. Your contracts contain data protection clauses somewhere towards the back of them – you’ve relied on your lawyer making sure that these are correct.

This GDPR guide will hopefully give you a good overview of what the GDPR is about and what you need to do to make sure that your business will be compliant come 25 May. You will certainly not know all there is to know by the end of reading this GDPR guide but it will give you a platform to enable you to find out more or to seek help in an informed way.

This GDPR guide is applicable to the majority of UK based businesses. It does not apply to:

  • Public authorities.
  • Organisations that are established outside the UK.
  • Organisations that sell products or services to children.
  • Organisations that handle information relating to criminal convictions and offences.

GDPR Guide Quick Q&A

Q: Does the GDPR apply to your business?
A: As your business is established in the UK then, yes, it does and it will apply to data that your business collects both inside and outside the EU.

Q: What is it the GDPR about?
A: It is a set of rules that govern how your business may process “personal data” and the systems that your business must put in place in connection with that processing.

Q: What is personal data?
A: Information that relates to an identified or identifiable living individual e.g. personal details, medical details, financial details, employment details, lifestyle details, IP address.

Q: The GDPR applies to “the processing of personal data”. What does “processing” mean?
A: “Processing” is described so widely (e.g. it includes “collection”, “storage” and “use”) that we do not see how you could not be “processing” personal data. So, any activity involving personal data falls within the scope of the GDPR.

Q: Who is a “data controller”?
A: A data controller is the person responsible for deciding how and for what reason personal data is processed. Your business, as an employer, will be the data controller in relation to personal data processed about your employees. Your business, as a supplier, will be the data controller in relation to personal data processed about its customers.

Q: Who is a “data processor”?
A: A data processor is the person who processes data on behalf of a data controller. Your business, as a supplier, will be a data processor in relation to personal data that your business customer (the data controller) has given you about its employees or clients.

GDPR Guide: Data Protection Principles

Data controllers and data processors must comply with all of the following principles when dealing with personal data:

Lawfulness, Fairness and Transparency

Your business must give individuals whose personal data it collects certain information about who your business is and what it does with their data.

Your business can only process personal data on the basis of one or more of the following grounds:

The individual has given their consent

If your business is relying on obtaining an individual’s consent to process their personal data then that individual must have understood clearly what they were consenting to and they must have given their consent by some positive action and without being under any pressure to do so. An individual signing a stand-alone document that clearly sets out how your business will process their data is a good way of obtaining consent. Burying a consent clause in the back pages of a contract will not be acceptable. Individuals must also be informed of their right to withdraw their consent at any time.

It is necessary for entering into or performing a contract with the individual

For example, your business will need to store an employee’s financial details so that your business can pay them.

It is necessary for compliance with a legal obligation

For example, your business will need to disclose employee salary details to HMRC.

It is necessary to protect the vital interests of the individual

This ground usually only applies in life or death situations. If, for example, an employee is seriously injured at work your business may need to disclose that employee’s medical history to the medics.

It is necessary for the performance of a task carried out in the public interest

This is relevant to public authorities or private businesses acting under the control of public authorities.

It is necessary for the purposes of legitimate interests pursued by you or by a third party

(as long as your interests are not overridden by the fundamental rights of the individual). For example, for direct marketing purposes or preventing fraud, for internal administrative purposes between group companies, for reporting possible criminal acts.

NB if your business processes “special categories” of personal data i.e. data that reveals: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sex life and sexual orientation then the grounds upon which your business is allowed to process that data are more restrictive than the ones set out above.

Purpose limitation

Your business can only collect personal data for specified, explicit and legitimate purposes that it makes known.

Data minimisation

Collection of personal data must be limited to what is necessary for the purposes your business collects it.


The personal data your business collects must be accurate.

Storage Limitation

Your business must not store personal data for longer than necessary.

Integrity and Confidentiality

Personal data must be held securely.


Your business must be able to demonstrate compliance with its data protection obligations.

GDPR Guide: Right of Individuals

Individuals may:

  • Withdraw their consent at any time (in which case your business would need to rely on another lawful ground to enable it to process their personal data).
  • Require data controllers to tell them what information they are holding about them, what for, how long for etc.
  • Require data controllers to correct inaccuracies in their data.
  • Require data controllers to erase information held about them.
  • Require data controllers to provide them with a copy of all personal data held on them.
  • Object to the processing of their data.

GDPR Guide: Obligations of Data Controllers and Data Processors

If a data controller appoints a data processor then certain clauses must be contained in the written contract between them.

Your business must appoint a data protection officer if either (a) its core activities require regular and systematic monitoring of individuals or (b) its core activities consist of processing “special categories” of data (see above definition) on a large scale. The majority of businesses will not need to appoint a data protection officer.

Data controllers must maintain records of the processing activities under their control which include at least the following:

  • The name and contact details of the controller.
  • The name and contact details of the data processing officer (if there is one).
  • The purposes of the processing.
  • A description of categories of data subjects and of the categories of personal data relating to them.
  • The recipients of the personal data.
  • Where applicable, transfers of data to a third country or an international organisation.
  • Where possible, a general indication of the time limits for erasure of the different categories of data.
  • The description of the technical and organisational security mechanisms the data controller employs.

Data processors must maintain records of all categories of processing activities carried out on behalf of a controller. This includes the following information:

  • The name and contact details of the processor and of each controller.
  • The name and contact details of the processor’s data protection officer (if there is one).
  • The categories of processing carried out on behalf of each controller.

Data Controllers must conduct an impact assessment if they are involved in “profiling” or processing “special categories” of data (see above definition) on a large scale or if they are systematically monitoring publicly accessible data on a large scale. The majority of businesses will not be involved in these activities.

Your business must implement appropriate measures to keep personal data secure e.g. data encryption, disaster recovery, security testing, staff training.

The Data Controller must flag up any data security breaches.

GDPR Guide: Cross-border Data Transfers

Your business must not transfer personal data outside of the European Economic Area (EEA) unless:

  • It is to a country that the EU Commission has said it is ok to transfer the data to.
  • Your business puts in place appropriate safeguards (for example the contract with the person who your business transfers the data to contains certain clauses that the EU Commission has approved); or
  • An exemption applies (for example the individuals whose data is being transferred have given their consent having been informed of the possible risks of such transfer).

Please bear in mind that your business will be transferring personal data outside of the EEA if, for example, its IT system is cloud-based and the data centre where that data is stored is outside the EEA.

Please also bear in mind that the US is not on the Commission’s approved list of countries where personal data can be sent to. Instead, the EU Commission and the US Government have agreed an arrangement called the EU- US Privacy Shield. Basically, it is ok for your business to transfer personal data to a US company whose name is on the EU-US Privacy Shield list (this list is managed by the US Department of Commerce). At least for now. This arrangement is subject to review.

GDPR Guide: Sanctions for breach of the GDPR

Organisations that breach the GDPR may be hit with administrative fines of up to EUR20 million or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher. If an individual, for example, an employee in your business, suffers damage because your business has breached its obligations under the GDPR, that individual can claim compensation, not just for any financial loss they have incurred but for any distress they have suffered as well. We believe that there will be a significant increase in claims being brought by individuals against businesses following the GDPR coming into force.

GDPR Guide: What should I do now to prepare my business for the GDPR?

First of all don't panic! Yes, there is work to do but EM Law can do the heavy lifting for you. Here is what needs to be done:

  • Designate someone in the business to be the lead on GDPR matters.
  • Consider whether your business needs to appoint a Data Protection Officer.
  • Audit and map all data processing activities.
  • Assess all data processing activities to see how they align with GDPR principles and requirements and perform a gap assessment. Create an action plan and then implement procedures to implement changes to align activities with GDPR. Review and document the legal basis for GDPR-covered processing activities.
  • Update privacy policies / notices.
  • Update consent mechanisms i.e. check to what extent your business relies on consent from individuals to process their data and then consider whether your business can rely on another lawful ground to process data or what changes need to take place around obtaining consent in compliance with GDPR requirements.
  • Review supplier and customer contracts to ensure that they address GDPR requirements.
  • Prepare for new documentation (record keeping) requirements. It is important to understand that GDPR requires your business to demonstrate how it complies with GDPR.
  • Review personal data protection and security measures – is the personal data that your business processes stored securely enough?
  • Review any cross-border transfers of personal data that your business makes.

This GDPR Guide is very much an overview. If you need any help interpreting the GDPR or implementing its requirements just let us know. We can help you with advice, training, documentation to help you with your data processing assessments, standard form documentation such as privacy policies and GDPR tailored clauses to include in your contracts.