a

Article 29 Working Party Opinion 1/2006

On the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime (WP 117). Note: this predates GDPR but may still provide some useful guidance.

c

Consent

ICO Guidance on consent

Consent

Article 29 Working Party’s final Guidance on Consent

Controller-Processor Agreements

Bar Council guidance: Signing Controller-Processor Agreements with Solicitors’ Firms

d

Data Protection Bill

Introduction to the Data Protection Bill (Please note that the Data Protection Act 2018 has received Royal Assent – see link above – and that some changes were made after this note was produced. Nonetheless it may still be a source of useful background information to assist the understanding of the Act.)

Data Protection Officer

Law Society guidance on appointing a Data Protection Officer

Data transfers between EU and non-EU countries

Standard contractual clauses for data transfers between EU and non-EU countries. Note: These predate GDPR.

h

Higinbotham (formerly BWK) v Teekhungam & Anor [2018] EWHC 1880 (QB)

Dismissal of claim for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 as an abuse of process.

i

ICO Data sharing code of practice

Note: this predates GDPR and the Data Protection Act 2018. The ICO is working on updating the code.

ICO guidance on Data Controllers and Data Processors (Data Protection Act 1998)

Data controllers and data processors: what the difference is and what the governance implications are. Note: this guidance relates to the law pre-GDPR.

ICO guidance on Data Controllers and Data Processors (GDPR)

See ICO guidance: Contracts and liabilities between controllers and processors
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/

Impact Assessments

ICO guidance on Data Protection Impact Assessments (DPIAs)

Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Ors [2017] EWCA Civ 121

Pre-GDPR appeal. Information is not disqualified from being “personal data” merely because it has been supplied to the data controller by the data subject. A person who processed data as agent for a data controller was not himself a data controller. Proportionality applied and there was no obligation to search for material covered by legal professional privilege. Whether it is reasonable to disclose information about another individual is an evaluative judgement.

l

Law Society

Preparing for the GDPR: A guide for law firms - The Law Society

Legitimate Interests

ICO Guidance on Legitimate Interests

Lloyd v Google LLC [2018] EWHC 2599 (QB)

Class action against Google dismissed.

Lonsdale v National Westminster Bank Plc [2018] EWHC 1843 (QB)

Disclosure of a Suspicious Activity Report ordered under CPR 31.14 in an action for defamation and breach of contract. Suspicious Activity Reports are subject to qualified, not absolute, privilege. Discussion as to entitlement to receive copies following a Subject Access Request under the Data Protection Act 1998 (pre-GDPR).

m

Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339

Morrisons’ unsuccessful appeal against a finding of vicarious liability for a data breach by a rogue employee, despite the adequacy of its data security measures.

Morrisons Supermarket Plc v Various Claimants (Rev 1) [2017] EWHC 3113 (QB)

Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2017] EWHC 3113 (QB)

Morrisons found vicariously liable for a data breach by a rogue employee, despite the adequacy of its data security measures.

n

National Cyber Security Centre (NCSC)

GDPR Security Outcomes – joint guidance from the ICO and National Cyber Security Centre describing a set of technical security outcomes that are considered to represent appropriate measures under the GDPR

r

Record keeping

ICO template Excel spreadsheets for record keeping (one for data controllers, one for data processors) in accordance with Article 30

Right to be informed

ICO guidance on the right to be informed

s

Security Outcomes

GDPR Security Outcomes – joint guidance from the ICO and National Cyber Security Centre describing a set of technical security outcomes that are considered to represent appropriate measures under the GDPR

u

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein (Facebook Ireland Ltd and Vertreter des Bundesinteresses beim Bundesverwaltungsgericht intervening) Case C-210/16

The administrator of a fan page hosted on Facebook was held to be a joint controller with Facebook. By creating such a page, it gave Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person had a Facebook account. (Preliminary ruling in relation to Directive 95/46/EC, so pre-GDPR.)

v

Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2017] EWHC 3113 (QB)

Morrisons found vicariously liable for a data breach by a rogue employee, despite the adequacy of its data security measures.

x

Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018)

Consent: Successful appeal against monetary penalty notice imposed by the Information Commissioner relating to direct marketing by electronic communications contrary to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Note: The facts predate the changes to the definition of ‘consent’ introduced by GDPR.
