Special Categories of Personal Data meaning

In this issue: Key R&I law developments Personal insolvency Restructuring Directors and insolvency Insolvency litigation The office-holder Financial institutions Daily and weekly news alerts Key dates for restructuring and insolvency professionals New content Key R&I law developments Government consults on proposed reforms to the NSI Act 2021 mandatory notification regime The UK government has opened a consultation on amendments to the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021, which set the boundaries of the NSI Act’s mandatory notification regime. Headline proposals are: (i) creating two discrete categories for semiconductors and critical minerals, (ii) introducing a mandatory notification area for the water sector, and (iii) refining several existing sectors to enhance certainty and reflect technological and market change. The consultation runs until 14 October 2025. See: LNB News 24/07/2025 72. Scotland’s AiB publishes insolvency statistics for Q1 2025–26 The Accountant in Bankruptcy (AiB) has released...

In this issue: Data protection ePrivacy Cybersecurity LexTalk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection EDPB launches consultation on draft guidelines on interplay between EU DSA and GDPR The European Data Protection Board (EDPB) is inviting feedback on draft Guidelines 3/2025, intended to ensure the EU Digital Services Act (EU DSA) and the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) are applied coherently where their scopes overlap. The draft sets out lawful grounds for handling personal data when identifying or taking down unlawful content, clarifies transparency obligations for recommender systems and advertising, and reaffirms the ban on targeted advertising based on special categories of data. It further emphasises cooperation between Digital Services Coordinators and data protection authorities to avoid inconsistent regulation. The consultation is open until 31 October 2025. See: LNB News 12/09/2025 24. ePrivacy Google, Shein face record-setting €475m in fines for French...

In this issue: Individual rights arising from trade union membership Cross-border, international and jurisdictional issues Status and worker categories Contract of employment Policies Prohibited conduct Data protection and employee information Practice, procedure and settlement Daily and weekly news alerts Dates for your diary Trackers New Q&A Individual rights arising from trade union membership Supreme Court issues declaration of incompatibility in lawful industrial action matter In Secretary of State for Business and Trade v Mercer [2024] UKSC 12, the Supreme Court unanimously allowed the appeal and declared that section 146 of the Trade Union and Labour Relations (Consolidation) Act 1992 (TULR(C)A 1992) is incompatible with Article 11 of the European Convention on Human Rights. The Court determined that s 146 TULR(C)A 1992 is the sole avenue by which the appellant could uphold their Article 11 right; however, the orthodox construction applied to section 146 bars that route, and it is this feature...

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025) and taking partial effect on that same date. Provisions of DUAA 2025 dealing with issues such as handling data subject access requests, and granting the power to make further regulations, commenced immediately on 19 June 2025. Other elements, relating to notices issued by the Information Commissioner and certain facets of law enforcement processing, began to apply on 19 August 2025 (being two months from the date of Royal Assent). The bulk of DUAA 2025’s measures will only commence once additional regulations, by way of statutory instruments, are made and brought into force. Parts 5 and 6 of DUAA 2025 operate to revise and update areas of UK data protection and ePrivacy law within the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations...

FORTHCOMING CHANGE This Practice Note reflects the current legal position. Certain aspects will be affected by the Digital Omnibus proposals published on 19 November 2025 under the EU Commission’s ‘simplification’ agenda. For further detail, see Practice Note: EU Digital Omnibus—tracker. It introduces the EU’s General Data Protection Regulation, Regulation (EU) 2016/679—commonly called the GDPR and described here as the ‘EU GDPR’ to distinguish it from the UK GDPR. It summarises core concepts, regulatory supervision and organisational obligations under the EU GDPR, and ends with guidance on planning EU GDPR compliance activities. Introduction Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protecting natural persons in relation to personal data processing and the free movement of such data, which repealed Directive 95/46/EC (the General Data Protection Regulation) (the EU GDPR), was published in the Official Journal of the EU on 4 May 2016. It entered into force on 24 May 2016 and became directly applicable...

Brexit: On 31 January 2020, the UK stopped being an EU Member State and moved into an implementation period, during which EU law still applies. Throughout that window, the GDPR remains in force in the UK and, for EEA and UK data protection purposes, the UK is broadly regarded as an EU and EEA state. Consequently, any mentions of EEA or EU states in this Practice Note should be interpreted as also covering the UK until that period ends. For more on the timing of that phase and the data protection framework expected afterwards, see Practice Note: Brexit—implications for data protection [Archived]. ARCHIVED: This Practice Note is archived material, captures the situation before the General Data Protection Regulation became applicable, serves as background only and is not updated. The General Data Protection Regulation (EU) 2016/679 was published in the Official Journal of the EU on 4 May 2016 and entered into force on 24 May 2016. With 173 recitals and 99 articles across 11 chapters, it is significantly...

Date: [ insert date ] Introduction Under the UK General Data Protection Regulation (UK GDPR), some organisations are required to appoint a named individual as their Data Protection Officer (DPO). Having considered these duties in the context of [ insert name of organisation ]’s activities, this memorandum presents my conclusions and advice, together with the considerations that shaped them. A short overview of the UK GDPR provisions concerning DPOs is provided in the Appendix. Factors relevant to [ insert name of organisation ]’s appointment of a DPO Core activities [ Describe the organisation’s main functions that entail processing personal data. Reflect, for instance, on whether a private body undertakes any public functions within its work ] Controller or processor [ Explain whether, in relation to the core activities above, the organisation acts as a controller or performs the role of a processor ] Categories of data processed [ Outline the kinds of data handled by the organisation, such as special category...