Jurisdiction(s):
United Kingdom

Data subject meaning

/ˈdeɪtə/ /ˈsʌbdʒɛkt/
What does Data subject mean?
A data subject is the individual whose personal data an organisation collects, uses or discloses. The term is defined in the UK GDPR and the EU GDPR (as applied in Ireland) as an identified or identifiable natural person—that is, a living individual who can be identified, directly or indirectly, for example by name, identification number, location data, online identifier, or factors specific to their identity. It excludes companies and other legal persons. The concept determines what qualifies as personal data and whose data protection rights and remedies apply. In practice it identifies the person who may make a subject access request (SAR) and exercise rights to rectification, erasure, restriction, portability, objection, and protection against solely automated decision-making, including profiling. Controllers and processors must ensure lawful, fair and transparent processing, appropriate security and accountability in relation to data subjects, under the Data Protection Act 2018 (UK) and the Data Protection Act 2018 (Ireland). Usage and legal effect are consistent across England & Wales, Scotland, Northern Ireland and Ireland. Post‑Brexit, the UK GDPR mirrors the EU GDPR definition, so the core meaning is aligned.

View the related Checklists about Data subject

CHECKLISTS
Drafting UK GDPR privacy notices: practitioner checklist with DUAA 2025 updates and ICO/TikTok transparency expectations

In brief

In summary, UK data protection rules exist to make sure details about living people — captured as 'personal data' — are handled lawfully, fairly and responsibly. To achieve this, the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) places a range of obligations on anyone 'processing' personal data, and on the controllers supervising that processing, when they fall within the scope of the UK GDPR regime. The UK GDPR also confers rights on individuals whose personal data is handled (the 'data subjects'). 'Processing' covers practically any operation performed on personal data, meaning doing almost anything with it, such as storing, sharing, deleting, or using it. It is almost impossible to run a business or other organisation without processing personal data. Among other requirements, the controllers of personal data processing must provide information to data subjects, to make sure they are aware of the following: the reasons their personal data is collected; the ways it is used; ...

CHECKLISTS
Transactions at an Undervalue and Preferences—Administrator/Liquidator Claims: Procedural Checklist and Timeline (England and Wales)

Checklist and timeline This concise checklist and timeline is prepared on the footing that proceedings are brought under sections 238 and/or 239 of the Insolvency Act 1986 (IA 1986) by an administrator or liquidator, and not by any assignee of the claim. Step/action: Review the events leading to the company’s insolvency and the factors underpinning the claim(s) against the respondent(s) (typically the recipients of the relevant payments/transactions). This involves securing the company’s books and records, accounting data/statements and bank statements, and interviewing directors, former directors, and any person with knowledge of the promotion, formation, business dealings, affairs or property of the company. Note that if the office-holder signals a claim against the respondent(s), they risk losing investigative powers under IA 1986, ss 235–236 in relation to that claim. Time (days): No limit (subject to limitation). Section/rule: IA 1986, ss 234–236, 238, 239; Cloverbay Ltd (joint administrators) v Bank of Credit and Commerce International SA [1991] Ch 90, [1991] 1 All ER 894. ...

CHECKLISTS
Trust litigation and administration—multi-jurisdictional case digest covering validity, constructive trusts, breach, defences, appointments, disclosure, construction/rectification, mistake, powers, indemnity and costs, insolvency, enforcement and ADR

Existence and validity of trusts Provincial Equity Finance Ltd v Dines (née Breda) [2023] EWHC 103 (Ch) News Analysis: A literary epigraph—‘By prosperous voyages I often made… and the great care of goods at random left’—introduces a consideration of resulting trusts and the scope of express trusts. The decision underscores the practical obstacles in proving a resulting trust where a disorganised deceased ran bank accounts for mixed ends, and confirms that an express trust can override the presumption of a resulting trust even if the contributor of funds is not a party to the express trust. Author: Nicholas Holland, McDermott Will & Emery UK LLP Jurisdiction: England & Wales Attorney General v Zedra Fiduciary Services (UK) Ltd and others [2022] EWHC 102 (Ch) News Analysis: The court sanctioned a cy près scheme for a £600m charitable trust to be used towards reducing the National Debt, addressing the suitable application of the National Fund. The judgment considers...


View the related Flowcharts about Data subject

FLOWCHARTS
Flowchart: Lodging and Progress of Bills of Advocation in Scottish Summary Criminal Proceedings

STOP PRESS: This document is currently being updated to take account of the full implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which amends both the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance consequences of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications.

The UK General Data Protection Regulation (UK GDPR) grants data subjects several rights, including, among others: access to their personal data; rectification; erasure; restriction of processing; data portability; a right of data subjects. Individuals may ask an organisation at any time of their choosing to exercise one or more of these rights, and strict time limits and deadlines apply to responding to such requests promptly. See Practice Note: How to handle data subject requests. This Flowchart sets out a process for dealing with data subject requests made under the UK GDPR and reflects the requirements in the UK GDPR together...

FLOWCHARTS
Data Subject Requests to Restrict Processing under the UK GDPR and DPA 2018: Practitioner Flowchart on Grounds, Exemptions, Refusals and Third-Party Notifications

This diagram mirrors HMRC’s Flowchart 4, set out at paragraph 5.24 of the Guidance Note on residence, domicile and the remittance basis (RDR1). It is for use when a taxpayer clearly plans to depart the UK in the future...

FLOWCHARTS
UK GDPR right to erasure: practitioner flowchart covering grounds, exemptions, necessary processing and notification duties (DPA 2018; ICO guidance; DUAA 2025 update)

Flowchart This Flowchart helps determine which stamp duty land tax (SDLT) provisions are relevant on a lease renewal where a tenant remains in occupation by ‘holding over’ after a fixed-term lease ends. It should be considered together with the fuller Practice Note: SDLT—holding over. The SDLT provisions governing situations where a tenant holds over a lease, and that lease is subsequently renewed, are intricate and often complex...


View the related News about Data subject

NEWS
Employment law weekly highlights: Tesco ‘fire and rehire’ injunction; PGMOL status for tax; disability WFH adjustment; GDPR transfers fine; tips code; REUL/CPR changes—19 September 2024

In this issue: Employment contract Horizon scanning Pensions Tax Prohibited conduct (discrimination etc) Data protection and employee information Dates for your diary Trackers New Q&As Employment resources on Lexis+® Daily and weekly news alerts Employment contract Supreme Court reinstates High Court injunction preventing Tesco from ‘firing and rehiring’ employees on less favourable terms. In Tesco Stores Ltd v Union of Shop, Distributive and Allied Workers (USDAW) [2024] UKSC 28, the Supreme Court, unanimously and led by Lord Burrows and Lady Simler, upheld the High Court’s stance, reviving the injunction that bars Tesco from dismissing staff in order to strip them of a ‘permanent’ contractual entitlement to retained pay, then proposing re‑engagement without it. An implied term in the contracts curtailed Tesco’s ability to rely on dismissal rights for that end. Commentary on the ruling is provided by Neil Todd of Thompsons Solicitors; Jonathan Chamberlain and Connie Cliff of Gowling WLG; Philip Harman...

NEWS
UK Data (Use and Access) Act 2025: Implications for Pension Schemes—DSARs, Complaints, ICO Powers, ADM, Recognised Legitimate Interests, Marketing, Special Category Data, Purpose Limitation and Practical Steps

What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for?

The most notable reforms in the Act that trustees should be ready for are:

Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay.

ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance.

Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response.

Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place. ...

NEWS
Banking and finance weekly: ECCTA measures, Takeover Code changes, Supreme Court shipping ruling, FCA transparency and consolidated tape, ring-fencing reforms, green loans and ESG disclosures, sanctions (14 November 2024)

In this issue: Sustainable finance and ESG weekly round-up Economic Crime and Corporate Transparency Act 2023 Lending Acquisition finance Shipping finance Real estate finance Sustainable finance Debt capital markets Derivatives Regulation for banking lawyers Sanctions Daily and weekly news alerts New and updated content Useful information Sustainable finance and ESG weekly round-up For a summary of this week’s Sustainable finance and ESG developments, see Sustainable finance and ESG weekly round-up—14 November 2024. Economic Crime and Corporate Transparency Act 2023 Economic Crime and Corporate Transparency Act 2023 (Commencement No 3) Regulations 2024 (SI 2024/1108): Provisions in ECCTA 2023 on civil recovery of cryptoassets in Scotland took effect on 7 November 2024, and measures introducing the UK-wide offence of failure to prevent fraud will commence on 1 September 2025. See: LNB News 07/11/2024 12. Unique Identifiers (Application of Company Law) Regulations 2024 (SI 2024/Draft): These draft Regulations would widen...


View the related Practice Notes about Data subject

PRACTICE NOTES
UK corporation tax: qualifying R&D expenditure for SME relief and RDEC (accounting periods beginning before 1 April 2024), including subcontracting, staffing, software/data/cloud and subsidy rules

Qualifying R&D expenditure (pre-1 April 2024) This Practice Note sets out the scope of qualifying expenditure for two R&D relief schemes, each subject to detailed commencement and transitional provisions: the research and development relief for small or medium-sized enterprises (SMEs) for accounting periods beginning before 1 April 2024—see Practice Notes: SME R&D relief—additional deduction (pre-1 April 2024) and SME R&D relief—tax credit (pre-1 April 2024); and the R&D expenditure credit scheme applying to accounting periods beginning before 1 April 2024—see Practice Note: R&D expenditure credit (pre-1 April 2024). Together, this Practice Note refers to these as the pre-1 April 2024 schemes. For information about the reliefs generally applying to accounting periods beginning on or after 1 April 2024, see Practice Notes: The merged R&D expenditure credit (post-1 April 2024) and Enhanced relief for R&D-intensive loss-making SMEs (post-1 April 2024). For details on what counts as qualifying R&D expenditure for those two post-1 April 2024 schemes, see Practice Note: Qualifying R&D expenditure...

PRACTICE NOTES
UK-EU TCA: Trade in Goods—Preferential Origin, MFN Tariffs, Import/Export Controls, Valuation, Remedies, Tariff Rate Quotas, SPS/TBT and Customs Facilitation

Introduction to the UK-EU Trade and Cooperation Agreement This Practice Note summarises the key features of the UK‑EU Trade and Cooperation Agreement (TCA) that affect trade in goods between the UK and the EU. It covers customs and export duties and other charges, and outlines the preferential rules of origin operating between the parties. It also considers import and export restrictions and licensing, customs valuation, trade remedies and tariff rate quotas. Further topics include sanitary and phytosanitary measures, technical barriers to trade, and measures on customs and trade facilitation. On 24 December 2020, UK and EU negotiators concluded an accord shaping their future relationship. The UK–EU Trade and Cooperation Agreement is a wide‑ranging instrument arising from the UK’s departure from the EU’s internal market (Brexit) and extends beyond trade in goods and services. It also covers a range of other Brexit‑related matters, including: investment competition state aid tax transparency air and road transport energy and sustainability fisheries data...

PRACTICE NOTES
UK GDPR Personal Data Breaches: Security Measures, Incident Response and Containment, Risk Assessment, ICO 72-hour Reporting, Data Subject Notification, Processor Obligations, Cross-border Issues, and Post-incident Review

Data security sits at the heart of the UK General Data Protection Regulation (UK GDPR). The sixth data protection principle — integrity and confidentiality — obliges you to implement suitable technical and organisational steps so that personal data is handled with appropriate safeguards and security when processed, including: protection against unauthorised or unlawful processing; accidental loss, destruction or damage.

This Practice Note draws on ICO guidance regarding personal data breaches under the UK GDPR. It also incorporates further practical pointers and information drawn from ICO guidance on managing data security breaches issued under the previous data protection regime; that guidance has now been withdrawn. The Practice Note additionally aligns with materials from the European Data Protection Board (EDPB). According to the ICO, although the UK has left the EU, these guidelines continue to be relevant.

Data security requirements

Article 32 expands upon the GDPR’s integrity and confidentiality principle by setting out further detail...


View the related Precedents about Data subject

PRECEDENTS
Precedent: Data protection complaint investigation report—findings, remedies and recommendations (UK GDPR)

1 General information Date complaint received [ Enter date ] How was the complaint received? ☐ Email ☐ Letter ☐ In person ☐ Telephone ☐ Other—[ please specify ] When replying to the complainant, choose the most appropriate communication method. Date complaint acknowledged [ Enter a date that should be 30 days from the date you received the complaint. ] Proposed deadline for responding to complaint [ Enter a date that meets the expectation that you will handle the complaint without any delay. ] Person investigating complaint and completing this record [ Provide details of the individual who investigated the complaint and completed this report. This could be your data protection officer. ] Date of report [ Enter date ] 2 Complainant Name of data subject ...

PRECEDENTS
UK GDPR representative appointment and notification clauses for controller–processor (supplier–customer) agreements — pro-controller and pro-processor options

Note These provisions are prepared on the basis that the applicable contract is a business-to-business arrangement, with the supplier acting as processor for a customer in the role of controller, in relation to the processing of personal data governed by the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. The terms ‘supplier’ and ‘customer’ (in place of ‘processor’ and ‘controller’) are used to simplify incorporation into commercial contracts. The drafting also relies on the additional defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘Data Protection Laws’, ‘Data Subject’, ‘GDPR’ and ‘Supplier’, which are assumed to be defined appropriately elsewhere in the relevant agreement. It is further assumed that ‘GDPR’ refers to UK GDPR and that ‘Data Protection Laws’ includes UK GDPR. These provisions can also be adapted for circumstances where the EU General Data Protection Regulation (EU GDPR), Regulation (EU) 2016/679, applies... 1 Definition (to be incorporated into relevant part of the agreement) 1.1 Representative •...

PRECEDENTS
Customer‑favourable bespoke software development and licensing agreement with IP assignment, source code delivery, acceptance testing, delay payments, warranties and indemnities (England and Wales)

This Agreement is entered into on [ insert date ] (the Commencement Date) by and between: Parties [ insert supplier name ], a company incorporated in England and Wales, whose registered number is [ insert company number ] and whose registered office is at [ insert registered office ] (Supplier); and [ insert customer name ], a company incorporated in England and Wales, whose registered number is [ insert company number ] and whose registered office is at [ insert registered office ] (Customer). Each of the Supplier and the Customer is a party, and together the Supplier and the Customer are the parties. Background The Supplier is [ an experienced software developer and ] [ insert the Supplier’s background details and the background to the relevant transaction ]. The Customer is [ insert the Customer’s background details ]. Subject to this Agreement, the Supplier shall develop software for the Customer and will licence (or arrange...


View the related Q&As about Data subject

Q&As
Effect of FOIA 2000 s40 on DPA 1998 subject access rights

The Freedom of Information Act 2000 (FIA 2000) and the Data Protection Act 1998 (DPA 1998) are distinct regimes, save for the overlap raised here. They otherwise operate separately from one another as a rule. FIA 2000 contains various exemptions. Those exemptions mean the kind, character or even the presence of the information need not be revealed under FIA 2000. For this scenario, the pertinent carve-out is in FIA 2000, s 40, in particular FIA 2000, ss 40(1) and 40(5)(a). Where the material amounts to personal data and the data subject seeks disclosure via FIA 2000, the exemption applies in absolute terms...
