
category personal data meaning

What does category personal data mean?
In practice, special category personal data (often called “special category data”) means highly sensitive personal information requiring enhanced protection. It is defined in Article 9 UK GDPR and EU GDPR (applicable in Ireland) and is applied consistently across England & Wales, Scotland, Northern Ireland and Ireland. It covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data used to uniquely identify a person; and data concerning health, sex life or sexual orientation. Processing is generally prohibited unless both a GDPR Article 6 lawful basis and an Article 9 condition apply (for example, explicit consent, vital interests, legal claims, employment and social protection, public health or substantial public interest). In the UK, many Article 9 conditions also require a Data Protection Act 2018 Schedule 1 condition and an appropriate policy document; Ireland’s Data Protection Act 2018 provides comparable national conditions. Controllers should implement strong security, minimisation, retention and records of processing, and undertake a DPIA where high risk. Note: Criminal offence data is separate (Article 10) and is not special category personal data.

View the related Flowcharts about category personal data

FLOWCHARTS
Live telephone direct marketing decision tree (UK): PECR 2003 and UK GDPR compliance—lawful basis, TPS/CTPS, suppression lists, claims management and pensions bans, identity/transparency duties; excludes automated calls

These Flowcharts offer direction on the proper method for completing the parts of a stock transfer form that address consideration, stamp duty certification, and execution. They are included within an annotated stock transfer form, which clearly sets out instructions explaining how its sections should be properly filled in...

FLOWCHARTS
UK GDPR postal direct marketing decision tree: lawful bases, MPS screening, suppression lists, explicit consent for special category data, transparency and objection rights

This Flowchart helps determine the appropriate rate of stamp duty land tax (SDLT) for the transaction in question. Different SDLT rates may apply to purchases depending on the property type (residential, non-residential (commercial property), or mixed-use property). Use this Flowchart in conjunction with Practice Note: Rates of SDLT. This Flowchart proceeds on the basis that: the buyer is acquiring a single property and the purchase is not linked with any other transaction. For further detail on linked transactions, see Practice Note: SDLT chargeable consideration—Linked transactions no relief from SDLT applies to the transaction...

FLOWCHARTS
Email, SMS and other electronic mail marketing: UK GDPR and PECR 2003 decision tree on consent, soft opt‑in, corporate subscribers, legitimate interests, suppression lists and special category data

This diagram outlines the concluding payment procedure for the JCT Intermediate Building Contract 2016 (with and without contractor’s design)...


View the related News about category personal data

NEWS
UK Data (Use and Access) Act 2025: Implications for Pension Schemes—DSARs, Complaints, ICO Powers, ADM, Recognised Legitimate Interests, Marketing, Special Category Data, Purpose Limitation and Practical Steps

What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for?
The most notable reforms in the Act that trustees should be ready for are:
Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay.
ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance.
Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response.
Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place. ...

NEWS
GDPR compliance for unincorporated associations in the UK: controllers, processors, ICO fees and personal enforcement risks

Does the GDPR apply to unincorporated associations, such as sports clubs, and who is responsible for compliance by an unincorporated association with the GDPR? Who is ‘controller’ or ‘processor’? Yes—the General Data Protection Regulation, Regulation (EU) 2016/679, applies to unincorporated associations in the same way it applies to companies or partnerships. The GDPR’s definitions of a ‘controller’ and a ‘processor’ encompass both natural persons and legal persons. The challenge for unincorporated associations is that they are not legal persons. They have no separate legal personality; they exist by contract, and neither statute nor case law sets out clear, definitive rules for what their governing provisions must contain. What truly matters under the GDPR is not the category of person or entity undertaking the processing, but the overall activity of collecting and using personal data. The rationale is straightforward: the law should not be capable of being avoided, and there must always be an accountable individual or body answerable to data subjects. In that respect, there is no distinction. Determining...

NEWS
UK Public Law Weekly Update—5 June 2025: Brexit/TCA and EUSS; Equality and Human Rights; Judicial Review; FOI; Procurement and the Procurement Act 2023; Subsidy Control; Key SIs

In this issue: Brexit highlights Brexit SIs Post-Brexit transition guidance Equality and human rights Judicial review Freedom of information Public procurement Subsidy control and State aid Public sector pensions State accountability and liability Free webinars: Judicial Review: Practice and Procedure Pt 1 and 2 LexTalk®Public Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Dates for your diary Trackers Useful information Brexit highlights Institute for Government explainer on UK–EU summit outcome The Institute for Government has released an explainer following the inaugural UK–EU Summit in London, setting out the freshly announced results of the UK–EU reset. See: LNB News 03/06/2025 43. Weekly round-up of EU–UK TCA Specialised Committees’ publications—30 May 2025 This summary covers publications issued by Specialised Committees created under the EU–UK Trade and Cooperation Agreement (TCA) for the period 27–29 May 2025. See: LNB News 30/05/2025 15...


View the related Practice Notes about category personal data

PRACTICE NOTES
UK dispute resolution: GDPR and DPA 2018 compliance in litigation—processing, disclosure, exemptions, data minimisation, security, transfers, DPIAs, data breaches and sanctions

As of 31 January 2020, the UK left the EU and the EEA. This Practice Note introduces: the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) framework (which applied within UK law up to the end of the Brexit implementation period—11 pm UK time on 31 December 2020—and continues to operate across the EEA; therefore, any references in this Practice Note to EEA or EU states should be read as also covering the UK until that period concluded) the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) framework (which applies under UK law from the end of the Brexit implementation period) Where there is no need to draw a distinction, this Practice Note refers to both as ‘GDPR’ for ease. When looking at the routine processing of personal data, the UK GDPR and the Data Protection Act 2018 (DPA 2018) should be consulted together, as both sets of provisions have direct effect. Practitioners will generally...

PRACTICE NOTES
Employee and job applicant medical reports: UK GDPR/DPA compliance, AMRA 1988 consent, Equality Act 2010 pre-offer limits, doctors’ confidentiality, occupational health, contractual rights, and tribunal use

This Practice Note outlines the matters an employer must weigh up when obtaining medical assessment reports for their staff and prospective recruits...

PRACTICE NOTES
Data protection in employment tribunal litigation: lawful bases, special category/criminal offence data, privilege and legal proceedings exemptions, disclosure, DSARs and DPIAs

UK GDPR regime This material focuses on the UK GDPR framework, with legislative references pointing to Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), unless expressly indicated otherwise. It also takes into account the Data (Use and Access) Act 2025 (DUAA 2025). Note that pages within the Information Commissioner’s Office (ICO) UK GDPR guidance and resources are being revised to reflect DUAA 2025. When preparing for and managing employment tribunal proceedings, employers will need to process—ie gather, organise, use and disclose—information about claimants (whether prospective, current or former employees or workers) and other individuals, which will amount to personal data. The employer may additionally wish to process: special category data (previously known as sensitive personal data); and personal data regarding criminal convictions and offences, or related security measures (criminal offence data) For further information on what is meant by: personal data, see: Personal data—lawful processing conditions below...


View the related Precedents about category personal data

PRECEDENTS
UK GDPR/DPA 2018 data protection risk assessment—long-form organisational template and practitioner checklist, covering processing, sharing, overseas transfers, accuracy, retention, destruction, audits and privacy risk register

1 Background information Assessment covering [ specify if the assessment applies to the entire organisation or a particular department ] Assessor [ insert name ] Assessment date [ insert date ] 2 Which personal data do you obtain and/or keep? Reflect on the personal data you receive and/or store, and identify any inherent risks. 2.1 Review Category of personal data Type of data How is it acquired? How is it stored?...

PRECEDENTS
Precedent: UK seconded employee privacy notice—employer and host data sharing, lawful bases (including special category data), rights, retention, security and international transfers

Stop press: The Data (Use and Access) Act 2025 (Commencement No 6 and Transitional and Saving Provisions) Regulations 2026, SI 2026/82 now commence the remaining provisions of the Data (Use and Access) Act 2025 (DUAA 2025). Provisions covering the areas below apply from 5 February 2026, while those on penalty notices and complaints apply from 19 June 2026. For further details, see Practice Note: Data (Use and Access) Act 2025—employment implications. This Precedent will be updated shortly to reflect these changes. subject access requests legitimate interests purpose limitation automated decision-making international transfers enforcement [ Insert name of organisation ] Data protection privacy notice (secondment) As you are aware, it is proposed that you will be seconded to [ insert name ] (host employer). This notice sets out which personal data (information) [ insert name of employer ] [ trading as [ insert trading name, if different ] ] (‘we’ or ‘Company’) will provide to, and receive from, your...

PRECEDENTS
UK GDPR and DPA 2018: practitioner quick reference on controllers, processors, lawful bases, special category data, data subject rights, international transfers and ICO enforcement (DUAA 2025)

STOP PRESS: This page is being revised to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which modifies the UK GDPR and the Data Protection Act 2018. For additional direction on DUAA 2025’s compliance impact, consult Practice Note: Data (Use and Access) Act 2025—compliance implications. This data protection quick-reference guide outlines the principal elements of data protection law, including the UK General Data Protection Regulation (UK GDPR). What is the UK GDPR? The UK General Data Protection Regulation (Assimilated Regulation (EU) 2016/679—UK GDPR) forms the primary framework for data protection in the UK. It is read alongside, and augmented by, the Data Protection Act 2018 (DPA 2018). Who is the data protection regulator in the UK? In the UK, the Information Commissioner’s Office (ICO) oversees and enforces compliance with data protection legislation. What type of information does the UK GDPR regulate? The UK GDPR does not apply to every kind of information or dataset. Its remit is limited to personal...
