“LexisNexis is great as I can find the answers I am looking for really quickly. I believe that nothing should be more than 6 clicks away - and the products from LexisNexis deliver on this standard”
Avensure
Access all documents on Personal data
This checklist highlights the principal issues to address when preparing contractual terms for business to business agreements on product safety and liability. See Practice Note: Product liability risk management for producers for guidance on controlling risk ahead of new supply arrangements, including carrying out appropriate due diligence on other relevant businesses in the supply chain. Identify all applicable laws (eg Sale of Goods Act 1979, Sale and Supply of Goods Act 1994, Consumer Protection Act 1987, General Product Safety Regulations 2005, SI 2005/1803, Consumer Rights Act 2015 and Digital Markets, Competition and Consumers Act 2024), as well as any standards and codes of practice that govern the products. Take into account specific legislation for the manufacture, import and sale of particular goods such as fireworks, cosmetics, toys, pharmaceuticals and medical devices, personal protective equipment (PPE), gas appliances, food and animal feed, and automotive. See Practice Notes: Consumer protection for defective or dangerous products—legal bases, Product liability and defective products and General Product Safety Regulations...
In brief In summary, UK data protection rules exist to make sure details about living people — captured as 'personal data' — are handled lawfully, fairly and responsibly. To achieve this, the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) places a range of obligations on anyone 'processing' personal data, and on the controllers supervising that processing, when they fall within the scope of the UK GDPR regime. The UK GDPR also confers rights on individuals whose personal data is handled (the 'data subjects'). 'Processing' covers practically any operation performed on personal data, meaning doing almost anything with it, such as storing, sharing, deleting, or using it. It is almost impossible to run a business or other organisation without processing personal data. Among other requirements, the controllers of personal data processing must provide information to data subjects, to make sure they are aware of the following: the reasons their personal data is collected; the ways it is used; ...
THIS CHECKLIST APPLIES TO OCCUPATIONAL PENSION SCHEMES ON AND FROM 6 APRIL 2014 For guidance on the duty to issue basic scheme information before 6 April 2014, see Practice Note: Occupational pension schemes—disclosure requirements before 6 April 2014—Basic scheme information (ARCHIVED) and Checklist: Basic scheme information before 6 April 2014—checklist [Archived]. Basic scheme information requirement Under the Occupational and Personal Pension Schemes (Disclosure of Information) Regulations 2013, SI 2013/2734 (the 2013 Disclosure Regulations), trustees of occupational pension schemes must supply basic scheme information to: prospective members; and members who have not already been sent that information, within one month of the scheme receiving their jobholder information or, if no jobholder information has been received, within two months of their joining the scheme...
STOP PRESS: This document is currently being updated to take account of the full implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which amends both the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance consequences of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. The UK General Data Protection Regulation (UK GDPR) grants data subjects several rights, including, among others: access to their personal data; rectification; erasure; restriction of processing; data portability; a right of data subjects. Individuals may ask an organisation at any time of their choosing to exercise one or more of these rights, and strict time limits and deadlines apply to responding to such requests promptly. See Practice Note: How to handle data subject requests. This Flowchart sets out a process for dealing with data subject requests made under the UK GDPR and reflects the requirements in the UK GDPR together...
These Flowcharts offer direction on the proper method for completing the parts of a stock transfer form that address consideration, stamp duty certification, and execution. They are included within an annotated stock transfer form, which clearly sets out instructions explaining how its sections should be properly filled in...
STOP PRESS: This document is being revised to take account of the Data (Use and Access) Act 2025 (DUAA 2025), which updates the UK GDPR and the Data Protection Act 2018. For more on the compliance impact of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications... This Flowchart steers you through the lawful mechanisms for sending personal data to a country outside the UK, for example: an adequacy decision or regulation; appropriate safeguards such as standard contractual clauses (SCCs) or the International Data Transfer Agreement (IDTA), or binding corporate rules (BCRs); a derogation. Such transfers are barred by the data protection regime unless one of these tools is in place. These mechanisms exist to ensure data subjects remain protected when their personal data leaves the UK... The mechanisms follow a hierarchy, and this Flowchart helps you select the route most suitable for your organisation and processing operations... This Flowchart reflects the UK General Data...
In this issue: Key DR developments Cross-border disputes Pre-action and limitation Litigation Case management Evidence and disclosure ADR Scottish Dispute Resolution Dates for your diary Useful information Daily and weekly news alerts Key DR developments Guidance and reports Courts and Tribunals Judiciary publishes February 2026 updated edition of the Equal Treatment Bench Book: The Courts and Tribunals Judiciary has issued an interim February 2026 update to the Equal Treatment Bench Book. For more information, see: Courts and Tribunals Judiciary publishes February 2026 updated edition Equal Treatment Bench Book—LNB News 26/02/2026 28. HCCH publishes 2025 annual report highlighting private international law developments The Hague Conference on Private International Law (HCCH) has released its 2025 annual report, noting the creation of two new Experts’ Groups to examine private international law topics linked to Digital Tokens and Carbon Markets. For more information, see: HCCH publishes 2025 annual report highlighting private international law...
On 19 November 2025, the Commission unveiled its Digital Omnibus proposal. It comprises two principal strands: one delivering ‘quick fixes’ to pain points in Regulation (EU) 2024/1689, the EU AI Act, and another, more intricate, amending the data acquis, most notably Regulation (EU) 2016/679, the EU General Data Protection Regulation (EU GDPR), Directive 2022/58/EC, the ePrivacy Directive, and Regulation (EU) 2023/2854, the EU Data Act. The headline items are delays to the high-risk AI rules under the EU AI Act, and a fresh EU GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (with safeguards). There is much to absorb—just as we get to grips with the new regime, changes are proposed, some bound to be disputed while others will be seen as eminently sensible. Here we outline the key points. EU GDPR The EU’s flagship legislation, the EU GDPR, is poised for its first substantial overhaul, with several significant amendments on the table...
What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for? The most notable reforms in the Act that trustees should be ready for are: Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay. ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance. Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response. Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place. ...
Data security sits at the heart of the EU General Data Protection Regulation (EU GDPR). The sixth data protection principle—integrity and confidentiality—requires you to adopt suitable technical and organisational measures so that personal data is processed with appropriate security, including: protection against unauthorised or unlawful processing; accidental loss, destruction, or damage. This Practice Note reflects Data Protection Commission (DPC) guidance on personal data breaches under the EU GDPR, and also draws on guidance from the European Data Protection Board (EDPB). Data security requirements: Article 32 puts practical detail behind the GDPR’s integrity and confidentiality principle. You must implement appropriate technical and organisational measures to achieve a level of security proportionate to the risk, taking into account: the nature, scope, context, and purpose of processing; the risk of varying likelihood and severity for the rights and freedoms of data subjects. Where appropriate, your security measures should include: the pseudonymisation and encryption of...
This Practice Note offers practical guidance on the stabilised text of the Joint Statement Initiative on Electronic Commerce. It examines the themes of enabling e-commerce, openness and e-commerce, trust and e-commerce, transparency, cooperation and development, and telecommunication. Introduction: E-commerce has a longstanding presence within the World Trade Organization (WTO). For further background, see Practice Note: E-commerce and the WTO. At the 11th Ministerial Conference, a group of WTO Members agreed to begin exploratory work towards future WTO negotiations on trade-related aspects of e-commerce, set out in the Joint Statement on Electronic Commerce (the Joint Initiative). The Joint Initiative aimed for a high-standard outcome that builds on existing WTO agreements and frameworks, with the widest possible participation of Member States. On 26 July 2024, the co-conveners—Australia, Japan and Singapore—announced that, after five years of talks, participants had reached a stabilised text. The Joint Initiative is expected to benefit consumers and businesses engaged in digital trade, particularly Micro, Small and Medium Enterprises (MSMEs), and to support digital transformation among...
This Practice Note sets out the principal steps for properly bringing to an end a defined contribution (DC) occupational pension scheme—also described as a money purchase occupational pension arrangement or a trust-based defined contribution plan. Throughout this Practice Note, this type of arrangement is termed a ‘DC scheme’. The guidance applies across a range of DC schemes, including trusts that sit outside the authorised master trust framework and small self-administered pension schemes (SSASs), although the latter may, in certain cases, be excluded from particular statutory obligations or requirements. This Practice Note does not cover the winding-up of any: an ‘authorised master trust’ under the Pension Schemes Act 2017 (PSA 2017)—for further detailed information, please see Practice Note: The authorisation and supervisory regime for master trusts, contract-based DC arrangements (eg group personal pension arrangements)—for further details and guidance, see Practice Note: Winding up of personal pension schemes Statute makes distinct and specific provision for hybrid schemes (combining defined benefit (DB) and DC...
Danish SCCs A set of Standard Contractual Clauses (SCCs) designed to meet Article 28(3) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), specifically addresses contractual arrangements between controllers and processors and was formally issued by the Danish data protection supervisory authority (the Danish SCCs). Their release followed an opinion from the European Data Protection Board (EDPB). The Danish SCCs are distinct from SCCs that concern cross-border international personal data transfers under Chapter V of the EU GDPR...
Within this precedent, the following extra defined terms are used: ‘Agreement’, ‘Business Day’, ‘Charges’, ‘Customer’, ‘Services’, ‘Supplier’ and ‘Supplier Personnel’. They are not specific to data processing and are assumed defined separately in the relevant agreement...
Note These provisions are prepared on the basis that the applicable contract is a business-to-business arrangement, with the supplier acting as processor for a customer in the role of controller, in relation to the processing of personal data governed by the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. The terms ‘supplier’ and ‘customer’ (in place of ‘processor’ and ‘controller’) are used to simplify incorporation into commercial contracts. The drafting also relies on the additional defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘Data Protection Laws’, ‘Data Subject’, ‘GDPR’ and ‘Supplier’, which are assumed to be defined appropriately elsewhere in the relevant agreement. It is further assumed that ‘GDPR’ refers to UK GDPR and that ‘Data Protection Laws’ includes UK GDPR. These provisions can also be adapted for circumstances where the EU General Data Protection Regulation (EU GDPR), Regulation (EU) 2016/679, applies... 1 Definition (to be incorporated into relevant part of the agreement) 1.1 Representative •...
In any specific context, a controller handling personal data or information must assess if the processing activity complies with what is now the applicable Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 (DPA 2018)...
The Freedom of Information Act 2000 (FIA 2000) and the Data Protection Act 1998 (DPA 1998) are distinct regimes, save for the overlap raised here. They otherwise operate separately from one another as a rule. FIA 2000 contains various exemptions. Those exemptions mean the kind, character or even the presence of the information need not be revealed under FIA 2000. For this scenario, the pertinent carve-out is in FIA 2000, s 40, in particular FIA 2000, ss 40(1) and 40(5)(a). Where the material amounts to personal data and the data subject seeks disclosure via FIA 2000, the exemption applies in absolute terms...
We have concentrated specifically on sections 108–110 of the Digital Economy Act 2017 (DEA 2017) and sections 132–133 of the draft Data Protection Bill 2017 (DPB 2017) for the purposes of this Q&A. Part III of the Data Protection Act 1998 (DPA 1998) obliges data controllers who handle personal data to notify the Information Commissioner of their processing for inclusion in the register maintained by the Information Commissioner’s Office (ICO). Controllers seeking to register must pay an applicable fee. For further details, consult the Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188, and official guidance from the Information Commissioner...