The Data Protection (Charges and Information) Regulations 2018
| Year | 2018 |
2018 No. 480
Data Protection
The Data Protection (Charges and Information) Regulations 2018
Made 11th April 2018
Coming into force 25th May 2018
The Secretary of State makes the following Regulations in exercise of the powers conferred by sections 108(1) and (5) and 110(6) of the Digital Economy Act 20171.
The Secretary of State makes these Regulations—
(a) after consultation in accordance with section 109(1) of that Act; and
(b) having regard to the matters specified in section 109(2) of that Act.
In accordance with section 110(2) of that Act, a draft of this instrument was laid before Parliament and approved by a resolution of each House of Parliament.
Citation, commencement and interpretation
1.—(1) These Regulations may be cited as the Data Protection (Charges and Information) Regulations 2018 and come into force on 25th May 2018.
(2) In these Regulations—
“business” includes any trade or profession;
“charge period” has the meaning given in regulation 2(6);
“data controller’s financial year” means—
(a) if the data controller2has been in existence for less than 12 months, the period of its existence, or
(b) in any other case, the most recent financial year of the data controller that ended prior to the first day of the charge period in respect of which information is being provided, or a charge is being paid, pursuant to regulation 2;
“exempt processing” has the meaning given in the Schedule;
“financial year”, in paragraph (b) of the definition of “data controller’s financial year”—
(a) in relation to a company, is determined in accordance with section 390 of the Companies Act 20063,
(b) in relation to a limited liability partnership, is determined in accordance with section 390 of the Companies Act 2006 as applied by regulation 7 of the Limited Liability Partnerships (Accounts and Audit) (Application of Companies Act 2006) Regulations 20084, and
(c) in relation to any other case, means the period, covering 12 consecutive months, over which a data controller determines income and expenditure;
“member of staff” means any—
(a) employee,
(b) worker within the meaning given in section 296 of the Trade Union and Labour Relations (Consolidation) Act 19925,
(c) office holder, or
(d) partner;
“number of members of staff” means the number calculated by—
(a) ascertaining for each completed month of the data controller’s financial year the total number of persons who have been members of staff of the data controller in that month,
(b) adding together the monthly totals, and
(c) dividing by the number of months in the data controller’s financial year;
“processing”, in relation to personal data, means an operation or set of operations which is performed on personal data;
“public authority” means a public authority as defined by the Freedom of Information Act 20006or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 20027;
“turnover”—
(a) in relation to a company, has the meaning given in section 474 of the Companies Act 2006,
(b) in relation to a limited liability partnership, has the meaning given in section 474 of the Companies Act 2006 as applied by regulation 32 of the Limited Liability Partnerships (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008, and
(c) in relation to any other case, means the amounts derived by the data controller from the provision of goods and services falling within the data controller’s ordinary activities, after deduction of—
(i) trade discounts,
(ii) value added tax, and
(iii) any other taxes based on the amounts so derived.
Requirements on data controllers
2.—(1) A data controller must comply with the requirements of this regulation unless all of the processing of personal data they undertake is exempt processing.
(2) Within the first 21 days of each charge period a data controller must pay a charge to the Information Commissioner, determined in accordance with regulation 3.
(3) Within the first 21 days of each charge period a data controller must provide to the Information Commissioner the following information, as of the first day of each charge period—
(a)
(a) the name and address of the data controller;
(b)
(b) whether the number of members of staff of the data controller is—
(i) less than or equal to 10,
(ii) greater than 10 but less than or equal to 250, or
(iii) greater than 250;
(c)
(c) whether the turnover for the data controller’s financial year is—
(i) less than or equal to £632,000,
(ii) greater than £632,000 but less than or equal to £36 million, or
(iii) greater than £36 million; and
(d)
(d) whether the data controller is a public authority.
(4) Paragraph (3)(c) does not apply to a data controller that is a public authority.
(5) For the purposes of paragraph (3)(a)—
(a)
(a) the address of a registered company is that of its registered office, and
(b)
(b) the address of a person (other than a registered company) carrying on a business is that of the person’s principal place of business in the UK.
(6) In this regulation—
“charge period” means—
(a) for a person who is a data controller immediately before 25th May 2018 and has paid a fee pursuant to section 18(5) or 19(4) of the Data Protection Act 19988—
(i) the period of 12 months beginning on the date which is 12 months after the date on which that fee was most recently received by the Information Commissioner, and
(ii) each subsequent period of 12 months;
(b) for a person who is a data controller immediately before 25th May 2018 but has not paid a fee pursuant to section 18(5) or 19(4) of the Data Protection Act 1998—
(i) the period of 12 months beginning on 25th May 2018, and
(ii) each subsequent period of 12 months; or
(c) for a person who becomes a data controller on or after 25th May 2018—
(i) the period of 12 months beginning on the date on which the person becomes a data controller, and
(ii) each subsequent period of 12 months;
“registered company” means a company registered under the Companies Acts as defined by section 2(1) of the Companies Act 2006.
Amount of charge payable under regulation 2
3.—(1) For the purposes of regulation 2(2), the charge payable by a data controller in—
(a)
(a) tier 1 (micro organisations), is £40;
(b)
(b) tier 2 (small and medium organisations), is £60;
(c)
(c) tier 3 (large organisations), is £2,900.
(2) For the purposes of this regulation, a data controller is, subject to paragraph (3)—
(a)
(a) in tier 1 if—
(i) it has a turnover of less than or equal to £632,000 for the data controller’s financial year,
(ii) the number of members of staff of the data controller is less than or equal to 10,
(iii) it is a charity, or
(iv) it is a small occupational pension scheme;
(b)
(b) in tier 2 if it is not in tier 1 and—
(i) it has a turnover of less than or equal to £36 million for the data controller’s financial year, or
(ii) the number of members of staff of the data controller is less than or equal to 250;
(c)
(c) in tier 3 if it is not in tier 1 or tier 2.
(3) Paragraphs (2)(a)(i) and (2)(b)(i) are to be disregarded in relation to a public authority.
(4) For the purposes of regulation 3(2), the turnover and number of members of staff is determined on the first day of the charge period to which the charge relates.
(5) The applicable charge in paragraph (1) is reduced by £5.00 for a data controller that makes payment of the charge by direct debit.
(6) In this regulation—
“charity”—
(i) in...
To continue reading
Request your trial