In brief In summary, UK data protection rules exist to make sure details about living people — captured as 'personal data' — are handled lawfully, fairly and responsibly. To achieve this, the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) places a range of obligations on anyone 'processing' personal data, and on the controllers supervising that processing, when they fall within the scope of the UK GDPR regime. The UK GDPR also confers rights on individuals whose personal data is handled (the 'data subjects'). 'Processing' covers practically any operation performed on personal data, meaning doing almost anything with it, such as storing, sharing, deleting, or using it. It is almost impossible to run a business or other organisation without processing personal data. Among other requirements, the controllers of personal data processing must provide information to data subjects, to make sure they are aware of the following: the reasons their personal data is collected; the ways it is used; ...
In brief In summary, EU data protection rules are designed to ensure information about living people, within the meaning of ‘personal data’, is used fairly and responsibly. To help ensure that aim, the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), sets numerous obligations on those ‘processing’ personal data, and on the controllers overseeing such processing, whenever they fall within the scope of the regime. The rules also grant rights to individuals whose personal data is processed (the ‘data subjects’). ‘Processing’ covers doing almost anything with personal data, including storing, sharing, deleting or using it in practice. Operating a business or any other organisation without handling personal data is virtually impossible. Among other requirements, the controllers of personal data processing must provide certain information to data subjects, so they know why their personal data is being collected, how it is being used, who it is being shared with, and their own key rights; this is referred to as the ‘right to be informed’...
This Checklist outlines the main factors a controller would ordinarily consider when undertaking an audit with a view to assessing whether a potential or current processor of personal data is suitable under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For more detail about controllers’ obligations and engaging processors within the UK GDPR regime, see the following Practice Notes: The UK General Data Protection Regulation (UK GDPR); Key definitions under UK data protection law; Supply chains under data protection law—arrangements between controllers and processors. Audits of processors: Although processors subject to the UK GDPR have distinct duties under the legislation, controllers remain accountable for a processor’s handling of personal data carried out under their instructions and on their behalf. Under the accountability principle of the UK GDPR, the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles in Article 5(1) UK GDPR—which include lawfulness, fairness and transparency; purpose limitation;...
STOP PRESS: This document is currently being updated to take account of the full implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which amends both the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance consequences of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. The UK General Data Protection Regulation (UK GDPR) grants data subjects several rights, including, among others: access to their personal data; rectification; erasure; restriction of processing; data portability; a right of data subjects Individuals may ask an organisation at any time of their choosing to exercise one or more of these rights, and strict time limits apply to responding to such requests. See Practice Note: How to handle data subject requests. This Flowchart sets out a process for dealing with data subject requests made under the UK GDPR and reflects the requirements in the UK GDPR together...
STOP PRESS: This document is being revised to take account of the Data (Use and Access) Act 2025 (DUAA 2025), which updates the UK GDPR and the Data Protection Act 2018. For more on the compliance impact of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications... This Flowchart steers you through the lawful mechanisms for sending personal data to a country outside the UK, for example: an adequacy decision or regulation; appropriate safeguards such as standard contractual clauses (SCCs), the International Data Transfer Agreement (IDTA) or binding corporate rules (BCRs); or a derogation. Such transfers are barred by the data protection regime unless one of these tools is in place. These mechanisms exist to ensure data subjects remain protected when their personal data leaves the UK... The mechanisms follow a hierarchy, and this Flowchart helps you select the route most suitable for your organisation and processing operations... This Flowchart reflects the UK General Data...
This diagram mirrors HMRC’s Flowchart 4, set out at paragraph 5.24 of the Guidance Note on residence, domicile and the remittance basis (RDR1). It is for use when a taxpayer clearly plans to depart the UK in the future...
Bayerische Landesbank and another v Ruschemalliance LLC [2024] EWHC 1822 (Comm) What are the practical implications of this case? In keeping with comparable determinations, this judgment succinctly sets out the jurisdictional thresholds and principal considerations the court applies when evaluating applications for anti‑suit injunctions. It underscores the judiciary’s practical bent and operates as a constructive illustration of inter‑court co‑ordination, projecting a clear signal where numerous contests flow from identical underlying events, even though such matters are dealt with at varying moments and tiers of the court structure. In sum, the outcome reasserts the English courts’ steadfast commitment to upholding arbitration, including in circumstances where the arbitral seat is situated in a foreign state. What was the background? In 2021, the defendant, Ruschemalliance LLC (“RCA”), a Russian entity, entered into two Engineering, Procurement and Construction agreements for the development of liquefied natural gas and gas processing plant facilities in Russia. The obligations owed by RCA’s counterparties, the German companies Linde GmbH and Renaissance Heavy Industries LLC (together,...
On 19 November 2025, the Commission unveiled its Digital Omnibus proposal. It comprises two principal strands: one delivering ‘quick fixes’ to pain points in Regulation (EU) 2024/1689, the EU AI Act, and another, more intricate, amending the data acquis, most notably Regulation (EU) 2016/679, the EU General Data Protection Regulation (EU GDPR), Directive 2022/58/EC, the ePrivacy Directive, and Regulation (EU) 2023/2854, the EU Data Act. The headline items are delays to the high-risk AI rules under the EU AI Act, and a fresh EU GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (with safeguards). There is much to absorb—just as we get to grips with the new regime, changes are proposed, some bound to be disputed while others will be seen as eminently sensible. Here we outline the key points. EU GDPR The EU’s flagship legislation, the EU GDPR, is poised for its first substantial overhaul, with several significant amendments on the table...
MLex was informed by the Data Protection Commission that it has written to DeepSeek seeking details about how it processes data relating to individuals in Ireland. The watchdog declined to add anything more for now. Ordinarily, the DPC acts as the principal data regulator handling privacy issues involving major technology companies in the EU, since many base their European headquarters there. However, DeepSeek’s operators lack an EU establishment, so any member state authority is able to open a probe into issues impacting its own jurisdiction directly too...
Data security sits at the heart of the EU General Data Protection Regulation (EU GDPR). The sixth data protection principle—integrity and confidentiality—requires you to adopt suitable technical and organisational measures so that personal data is processed with appropriate security, including: protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. This Practice Note reflects Data Protection Commission (DPC) guidance on personal data breaches under the EU GDPR, and also draws on guidance from the European Data Protection Board (EDPB). Data security requirements: Article 32 puts practical detail behind the GDPR’s integrity and confidentiality principle. You must implement appropriate technical and organisational measures to achieve a level of security proportionate to the risk, taking into account: the nature, scope, context and purpose of processing; and the risk of varying likelihood and severity for the rights and freedoms of data subjects. Where appropriate, your security measures should include: the pseudonymisation and encryption of...
Data security sits at the heart of the UK General Data Protection Regulation (UK GDPR). The sixth data protection principle—integrity and confidentiality—obliges you to implement suitable technical and organisational measures so that personal data is processed with appropriate security, including: protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. This Practice Note draws on ICO guidance regarding personal data breaches under the UK GDPR. It also incorporates further practical pointers and information drawn from ICO guidance on managing data security breaches issued under the previous data protection regime; that guidance has now been withdrawn. The Practice Note additionally aligns with materials from the European Data Protection Board (EDPB). According to the ICO, although the UK has left the EU, these guidelines continue to be relevant. Data security requirements: Article 32 expands upon the GDPR’s integrity and confidentiality principle by setting out further detail...
STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025) and taking partial effect on that same date. Provisions of DUAA 2025 dealing with issues such as handling data subject access requests, and granting the power to make further regulations, commenced immediately on 19 June 2025. Other elements, relating to notices issued by the Information Commissioner and certain facets of law enforcement processing, began to apply on 19 August 2025 (being two months from the date of Royal Assent). The bulk of DUAA 2025’s measures will only commence once additional regulations, by way of statutory instruments, are made and brought into force. Parts 5 and 6 of DUAA 2025 operate to revise and update areas of UK data protection and ePrivacy law within the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations...
Within this precedent, the following extra defined terms are used: ‘Agreement’, ‘Business Day’, ‘Charges’, ‘Customer’, ‘Services’, ‘Supplier’ and ‘Supplier Personnel’. They are not specific to data processing and are assumed defined separately in the relevant agreement...
Note These provisions are prepared on the basis that the applicable contract is a business-to-business arrangement, with the supplier acting as processor for a customer in the role of controller, in relation to the processing of personal data governed by the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. The terms ‘supplier’ and ‘customer’ (in place of ‘processor’ and ‘controller’) are used to simplify incorporation into commercial contracts. The drafting also relies on the additional defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘Data Protection Laws’, ‘Data Subject’, ‘GDPR’ and ‘Supplier’, which are assumed to be defined appropriately elsewhere in the relevant agreement. It is further assumed that ‘GDPR’ refers to UK GDPR and that ‘Data Protection Laws’ includes UK GDPR. These provisions can also be adapted for circumstances where the EU General Data Protection Regulation (EU GDPR), Regulation (EU) 2016/679, applies... 1 Definition (to be incorporated into relevant part of the agreement) 1.1 Representative •...
1 Background information: Assessment covering [ specify if the assessment applies to the entire organisation or a particular department ]; Assessor [ insert name ]; Assessment date [ insert date ]. 2 Which personal data do you obtain and/or keep? Reflect on the personal data you receive and/or store, and identify any inherent risks. 2.1 Review (columns): Category of personal data | Type of data | How is it acquired? | How is it stored?...
In any specific context, a controller handling personal data or information must assess if the processing activity complies with what is now the applicable Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 (DPA 2018)...
We have concentrated specifically on sections 108–110 of the Digital Economy Act 2017 (DEA 2017) and sections 132–133 of the draft Data Protection Bill 2017 (DPB 2017) for the purposes of this Q&A. Part III of the Data Protection Act 1998 (DPA 1998) obliges data controllers who handle personal data to notify the Information Commissioner of their processing for inclusion in the register maintained by the Information Commissioner’s Office (ICO). Controllers seeking to register must pay an applicable fee. For further details, consult the Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188, and official guidance from the Information Commissioner...
GDPR The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, sets out a framework that protects individuals in respect of the processing of personal data, whilst at the same time promoting the free movement of that data. The Data Protection Act 2018 incorporates the GDPR into the law of England and Wales. Accordingly, it applies to the handling of data within insolvency proceedings in this jurisdiction. For comprehensive information and an overview of the GDPR regime, see: UK data protection law collection. GDPR and Insolvency Proceedings As noted in the question, section 312(2)(b) of the Insolvency Act 1986 (IA 1986) imposes a duty on the prior trustee in bankruptcy to deliver property and records to the new trustee in bankruptcy. It is important to recognise that this obligation has serious consequences, and a failure to comply amounts to contempt of court...