Data Protection Act 2018
Processing of personal data
71. (1) A controller shall, as respects personal data for which it is responsible, comply with the following provisions:
(a) the data shall be processed lawfully and fairly;
(b) the data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes;
(c) the data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) the data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) the data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed;
(f) the data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against—
(i) unauthorised or unlawful processing, and
(ii) accidental loss, destruction or damage.
(2) The processing of personal data shall be lawful where, and to the extent that—
(a) the processing is necessary for the performance of a function of a controller for a purpose specified in section 70(1)(a) and the function has a legal basis in the law of the European Union or the law of the State, or
(b) the data subject has, subject to subsection (3), given his or her consent to the processing.
(3) Where the processing of personal data is to be carried out on the basis of the consent of the data subject referred to in subsection (2)(b), the processing shall be lawful only where, and to the extent that—
(a) having been informed of the intended purpose of the processing and the identity of the controller, the data subject gives his or her consent freely and explicitly,
(b) the request for consent is expressed in clear and plain language, and where such consent is given in the context of a written statement that also concerns other matters, the request for consent is presented to the data subject in a manner that is clearly distinguishable from those other matters, and
(c) the data subject may withdraw his or her consent at any time, and he or she shall be informed of this possibility prior to giving consent.
(4) Where a data subject withdraws his or her consent to the processing of personal data pursuant to subsection (3)(c), the withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to the consent being withdrawn.
(5) Where a controller collects personal data for a purpose specified in section 70(1)(a), the controller or another controller may process the data for a purpose so specified other than the purpose for which the data were collected, in so far as—
(a) the controller is authorised to process such personal data for such a purpose in accordance with the law of the European Union or the law of the State, and
(b) the processing is necessary and proportionate to the purpose for which the data are being processed.
(6) A controller may process personal data, whether the data were collected by the controller or another controller, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes,
provided that the said processing—
(i) is for a purpose specified in section 70(1)(a), and
(ii) is subject to appropriate safeguards for the rights and freedoms of data subjects.
(7) A controller shall ensure, in relation to personal data for which it is responsible, that an appropriate time limit is established for—
(a) the erasure of the data, or
(b) the carrying out of periodic reviews of the need for the retention of the data.
(8) Where a time limit is established in accordance with subsection (7), the controller shall ensure, by means of procedural measures, that the time limit is observed.
(9) A processor, or any person acting under the authority of the controller or of the processor who has access to personal data, shall not process the data unless the processor or person is—
(a) authorised to do so by the controller, or
(b) required to do so by the law of the European Union or the law of the State,
and then only to the extent so authorised or required, as the case may be.
(10) A controller shall ensure that it is in a position to demonstrate that the processing of personal data for which it is responsible is in compliance with subsections (1) to (8) of this section.