Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The key responsibilities of any data controller when it comes collection, storage and processing of personal data are governed by the eight ‘data protection principles’ in EU law:

  • Personal data shall be processed fairly and lawfully.
  • Personal data shall be obtained only for one or more specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The only requirement in the Data Protection Act 2004 regarding the period for which an organisation may retain data states that “data shall… not be kept for longer than is necessary for that purpose or those purposes.” The Data Protection Act leaves the onus on organisations to determine what is ‘necessary’ in any particular circumstance. In addition, depending on the nature of the data controller’s business, it may have additional statutory requirements in respect of record keeping that affect its retention policies.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, one of the significant responsibilities of any data controller under the Data Protection Act 2004 is to enable individuals to know what information it keeps about people generally, and what information it keeps about them specifically.

Individuals have a number of key rights under the Data Protection Act regarding data relating to them:

  • the right to have information collected, stored and used in accordance with the eight data protection principles in EU law;
  • the right to access information held about them;
  • the right to have incorrect information corrected or destroyed;
  • the right to object to the use of their information for the purposes of direct marketing (ie, the communication by whatever means of any advertising or marketing material directed to a particular individual);
  • the right not to have decisions made about them solely on the basis of automatic processing of information; and
  • the right to complain to the Gibraltar Regulatory Authority and to take legal action against the improper use of information.

Do individuals have a right to request deletion of their data?

Where the data held by a data controller regarding an individual is incomplete or accurate, or otherwise contravenes the Data Protection Act 2004, the individual can request to rectify or erase it. This can include data being held than is longer than necessary.

Such a request must be made in writing, and once it is received by a company, that company must deal with the requested information within 28 days.

Once a data controller has complied with an enforcement notice, it has 35 days to notify the individual who is the subject of the data of the steps taken and, in certain circumstances, any third party to which the data was disclosed during the past 12 months.

Consent obligations

Is consent required before processing personal data?

No, but consent is central to the protection of data in EU member states. As a consequence, the phrase features prominently throughout the Data Protection Act 2004.

The starting point is that the processing of personal data is legitimate where the individual concerned has unambiguously given his or her consent. The giving of consent is defined in the Data Protection Act as being any freely given specific and informed indication by which an individual signifies agreement to his or her personal data being processed by a data controller.

If consent is not provided, are there other circumstances in which data processing is permitted?

There are a number of circumstances where data processing is permitted in the Data Protection Act 2004, even where an individual does not give consent. It is permitted where the processing is necessary:

  • for the signing or preparation of a contract between the data controller and the individual;
  • for the data controller to comply with a legal obligation;
  • to prevent injury or other damage to the health of the individual;
  • to prevent serious loss or damage to the property of the individual;
  • to protect the individual’s vital interests;
  • for the administration of justice;
  • for the performance of a public function by a third party; or
  • for the purposes of legitimate interests pursued by the data controller, except where these interest are overridden by the fundamental rights and freedoms of the individual.

The circumstances in which processing sensitive personal data without consent is permitted are different. Such processing is permitted where:

  • the data controller is processing the data in accordance with a legal right or obligation under employment law;
  • processing is carried out by a non-profit organisation (eg, charity, church or trade union) for a specified purpose;
  • the information contained in the data has been made public as a result of steps deliberately taken by the individual; or
  • the processing is necessary:
    • to protect the vital interests of the individual, or another person, where the individual is physically or legally incapable of giving consent;
  • for the administration of justice;
  • for the performance of a public function by a third party;
  • for obtaining legal advice or defending legal rights; or
  • for the purposes of medical treatment.

What information must be provided to individuals when personal data is collected?

Part of the requirement that personal data must be processed fairly is that the data controller ensures, so far as is practicable, that the individual has, is given, or has readily available the following information:

  • the identity of the data controller;
  • the intended purposes of the processing; and
  • based on the circumstances in which the data will be processed, any other information which is necessary to enable the processing to be fair to the individual, including:
    • the recipients or category of recipients;
    • the categories of the data collected, where it has come from a third party; and
    • the existence of the right to access and rectify the data concerning the individual.

Click here to view the full article.