The ICO’s recent decision to take enforcement action against a number of organisations (both in the form of investigations and regulatory fines) for sending unsolicited email and text based electronic marketing communications to individuals should serve to prompt organisations to take stock of the ways in which they promote their products and services using electronic marketing, especially if they rely on so-called ‘soft opt-in consent’, the subject of much of the ICO’s recent enforcement action.

We have sought in this article to set out a refresher of the rules that currently apply to electronic marketing as well as carry out a closer examination of soft opt-in consent.

Executive Summary:

In order to avoid complaints from individuals and enforcement action from the ICO, organisations seeking to rely on soft-opt in consent should ensure that they:

  • only target individuals with whom they have a pre-existing relationship;
  • only target individuals who have either previously purchased or shown a genuine interest in a product or service;
  • only send marketing communications about products and services that are genuinely similar in nature to those that the individual has previously purchased or shown a genuine interest in purchasing;
  • notify such individuals in advance of their intention to send them marketing communications about similar products and services; and
  • always provide such individuals with an opportunity to opt out of receiving these electronic marketing communications.

The extent to which stricter ePrivacy rules could be introduced under the new European ePrivacy Regulation, as well as the extent to which the UK will follow any such stricter rules in a post-Brexit world is still unclear at this stage.

The relevant law

Under the General Data Protection Regulation (“GDPR”) as now incorporated into UK law by virtue of the European Union Withdrawal Act 2018, a company must be able to rely on one of the six available lawful bases in order to process personal data. Where a company wishes to send marketing communications to individuals, obtaining consent or relying on the legitimate interests condition are likely to be the most appropriate legal bases for the purposes of Article 6 GDPR.

Organisations in the UK also need to observe the requirements of the Privacy and Electronic Communications Regulations (“PECR”) in relation to electronic marketing communications. PECR was implemented in 2003 and sits alongside the UK GDPR. Under PECR, a company must not send electronic marketing communications by email or text, unless:

  1. the individual has given their explicit consent to receive such communications; or
  2. the organisation can rely on soft opt-in consent.

Given that PECR effectively imports the definition of consent from the GDPR, an organisation wishing to rely on explicit consent for carrying out electronic marketing for the purposes of PECR needs to ensure that the UK GDPR conditions (which stipulate that consent must be freely given, specific, informed and unambiguous) are met. Further, separate consents must be obtained for different types of electronic marketing, unbundled from any other consents that the organisation is seeking at the same time.

This can be an onerous undertaking and so organisations often seek to rely on soft opt-in consent, which provides a more practical alternative to legitimise sending electronic marketing communications to an existing customer base.

An organisation may rely on soft opt-in consent when the organisation receives an individual’s contact details in the course of making or negotiating a sale of a product or service, notifies the individual of their intention to market similar goods and services to them and provides the individual with the opportunity to opt-out of receiving those marketing communications, both at the outset and each time the individual receives any subsequent marketing communications.

In this scenario, the individual is presumed to be happy to receive marketing communications about similar products or services from the organisation, even where they have not provided any specific opt-in consent to this marketing activity.

PECR makes it very clear that in order to rely on soft opt-in consent, an organisation must only seek to promote its own products or services which are similar in nature to those purchased or under consideration by the individual at the initial point of contact, which means that organisations cannot rely on soft opt-in consent to send electronic marketing communications on behalf of a third party.

Recent ICO enforcement action

As stated above, the ICO has taken enforcement action against a number of organisations in relation to their electronic marketing activities, intervening following complaints from individuals about being sent electronic marketing communications by organisations with whom they had no prior relationship (and who they sometimes hadn’t even heard of) without being given any privacy notification in advance and/or the opportunity to opt out of receiving these electronic marketing communications.

In a lot of these cases, the offending organisations had sought to rely on soft opt-in consent to justify sending these electronic marketing communications to individuals where according to the ICO, they did not have the right to do so.

Issues interpreting soft opt-in

We set out below a breakdown of the criteria that an organisation must meet when seeking to rely on soft opt-in consent and the difficulties that organisations seem to face when interpreting these criteria.

1. Marketing to pre-existing customers

As we have established, organisations may only market to individuals with whom they have a pre-existing relationship (as opposed to new customers) when seeking to rely on soft opt-in consent.

However, the question of whether an organisation has a pre-existing relationship with an individual is less clear-cut in scenarios involving multiple organisations facilitating a single sale transaction e.g. when online retailers work with payment solution providers and other third parties to deliver their service offering. In such cases, each of the organisations involved should consider whether the individual is aware of their role in the transaction and whether the individual would reasonably expect to receive marketing communications from them.

Organisations might seek to make individuals aware of their role in the transaction by ensuring that their privacy notice is incorporated into and is sufficiently prominently displayed as part of the customer journey and stating their intention in this privacy notice to process the individual’s personal data to market similar goods and services to them in the future.

2. Similarity of goods or services

As we have established, soft opt-in consent only allows organisations to send electronic marketing communications relating to products or services which are similar in nature to those purchased or considered by the individual at the time of the initial transaction. However, determining what amounts to an acceptable degree of similarity between products and services for this criterion to be met can be challenging for organisations, especially for multi-channel retailers/service providers who offer a broad range of products/services spanning multiple product/service categories.

For example, an individual purchasing an item of clothing on a fashion website may reasonably expect to receive an offer for a matching handbag. On the other hand, the same individual may not expect to receive an email or text message about a dining set, even if the fashion retailer has branched out and offers homeware products on its website.

Whilst what constitutes products or services which are similar in nature is dependent on the type of business and the context of the transaction, organisations should always consider whether the individual would reasonably expect messages about the product or service. Where a range of products or services is being offered, organisations should ensure they separate such channels for the purposes of sending electronic marketing messages.

3. Making or negotiation of a sale

As outlined above, a company is permitted to rely on soft opt-in consent where an individual has provided their details in the course of a sale. However, an organisation may also rely on this mechanism where the sale of a product or service was merely negotiated, e.g. if an individual contacts an organisation to enquire about the particular features of a product or service.

Whilst this allows for the organisation to rely on soft opt-in consent to contact potentially interested customers with whom they have had previous interactions but who have not necessarily purchased or ordered anything, organisations should be careful not to stretch this concept too far.

For instance, if an individual fills out a form to make a general enquiry about an organisation, e.g. to enquire about employment opportunities at a retail location and the organisation subsequently sends marketing emails using the details from the enquiry form, the organisation would find it difficult to defend its position given the general non-commercial nature of the initial interaction.

Whilst it may be difficult for organisations to determine the level of customer engagement/interaction for this criterion to be met, organisations should consider whether an individual has made contact to show genuine interest in a product or service, including taking positive action to affirm their interest such as requesting a quote before sending them electronic marketing materials in reliance on the soft opt-in consent principle.

In all three scenarios, individuals should be provided with a choice to opt-out of receiving marketing communications at the outset and at each subsequent time they receive a marketing communication. The opt-out prompt should be clearly visible and unobstructed – if an individual is left searching for a way to stop receiving the marketing communications, the ICO may deem the organisation’s reliance on soft opt-in consent to be invalid on the basis that the individual has lost control of their data and that the obfuscation constitutes an unnecessary barrier preventing the individual from exercising their rights.

Conclusion and legislative outlook

Although soft opt-in consent provides a convenient alternative to explicit consent for organisations wishing to carry out electronic marketing activities, organisations should be careful that they do not seek to rely on soft opt-in consent inappropriately to avoid enforcement action from the ICO.

Organisations should also bear in mind that changes to ePrivacy legislation are incoming as the European Union is in the process of replacing the Directive upon which PECR is based with the more onerous e-Privacy Regulation. However, whilst PECR continues to apply in the UK alongside the UK GDPR post Brexit, it is unclear the extent to which the UK will align its rules governing ePrivacy with the EU and whether changes imposed by the new European e-Privacy Regulation will be implemented into UK law.

Duc Tran

Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2954

Julia Ostendorf

Julia Ostendorf
Trainee Solicitor, London
+44 20 7466 2154

EU-UK Brexit Deal grants an interim data transfer window

On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.

However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.

The interim data transfer window

Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.

The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning the companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.

Implications for adequacy

It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Singapore data privacy law updates 2020

Singapore has recognised regional certification for transferring personal data overseas

In June 2020, the Personal Data Protection Regulations 2014 (“Regulations”) were revised to recognise the Asia Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules (“CBPR”) System and, for data processors, the Privacy Recognition for Processors (“PRP”) System certifications as an additional data transfer mechanism under the PDPA for transferring personal data outside Singapore. Continue reading

China Cybersecurity and Data Protection: What you need to know about China’s draft Personal Information Protection Law

Mid-October marked the start of the formal legislative approval process for China’s proposed new law on personal information protection. The milestone draft Personal Information Protection Law (PIPL) underwent is first reading by the Standing Committee of the 13th National People’s Congress and was released for public consultation on 22 October 2020.

For further details on the draft PIPL please refer to our briefing by clicking here. In this briefing we highlight the key provisions of the draft law and set out our observations.


The draft PIPL expands the scope of personal information and sets out the key concepts and principles for processing personal information. It replaces the current consent-based protection regime with a new one allowing multiple legal bases for processing personal information, as well as setting out more detailed requirements for consent. The draft PIPL also lays down obligations on processors when sharing and transferring personal information to third parties. The safeguards on export of personal information and the requirements on data localisation are less stringent and more practical as compared to previous draft regulations. The GDPR-style extraterritorial effect extends the application of the PIPL to processors outside of China. Individuals may exercise a comprehensive set of rights against processors, and processors are required to take a range of measures to protect personal information.

The Cyberspace Administration of China is responsible for coordinating the ministries who are charged with regulating and supervising the protection of personal information, and the draft PIPL equips them with a wide range of powers to discharge their duties. It sets out the legal liabilities for those processing personal information and dramatically increases the economic penalties that may be imposed for breaches. Significantly, public interest litigation is introduced into the personal information protection regime for the first time. New technologies such as automated decision-making are also regulated by the draft PIPL.

Although there are a number of points still to be clarified by future drafts and guidelines, we can now see for the first time the future regulatory landscape of the personal information protection regime in China. Once the PIPL is enacted, it will have a far-reaching impact on protection of personal information as well as the business and compliance practices for companies.

For further details on China’s draft Personal Information Protection Law please refer to our briefing here.

James Gong

James Gong
Of Counsel, Corporate
+86 10 6535 5106

Mark Robinson

Mark Robinson
Partner, Corporate
+65 68689808

Nanda Lau

Nanda Lau
Partner, Corporate
+86 21 23222117

European Commission publishes new draft Standard Contractual Clauses for consultation

Hot on the heels of the EDPB’s guidance on ‘supplementary measures’ with respect to international data transfers as a result of the Schrems II judgment (for further details see our blog post here), the European Commission has now published its long-awaited draft new Standard Contractual Clauses (the “New SCCs”) for consultation.

Legal Background

Chapter V of the GDPR prohibits the transfer of personal data out of the EEA to a third country or international organisation unless one of a number of available conditions under the GDPR is satisfied.

One of the conditions most often relied upon to legitimise the international transfer of personal data is use of the so-called Standard Contractual Clauses (“SCCs”). These are effectively a contract entered into between the data exporter and the data importer and impose certain data protection obligations on both parties. There are currently two different sets of SCCs which have been approved by the European Commission to cover transfers from: (i) a controller to another controller; and (ii) a controller to a processor.

However, the existing SCCs did not get updated when the GDPR came into force and so still refer to the old EU Data Protection Directive rather than the GDPR. There has also been criticism of the SCCs for a number of reasons, including because they don’t cover processor to processor transfers, leaving organisations the difficult task of trying to fit a square peg into a round hole when it comes to transfers from an EEA processor to a non-EEA sub-processor. The recent Schrems II case (see our blog post on the case here) also raised the question of whether or not contractual ‘supplemental measures’ are required when using the SCCs in order to further protect personal data being sent to countries which don’t otherwise provide adequate protection.

The New SCCs have therefore been eagerly awaited.

In this blog post we ‘summarise’ some of the key changes (both good and bad) and what they could mean for organisations and international data flows. With apologies for the length of this post, there is (fortunately or unfortunately) quite a lot to comment on! We have tried to limit our comments below to some of the more ‘big ticket’ issues. However, as always the devil is in the detail and there is an awful lot of detail with devils in it.

Grace period

The New SCCs contemplate a one year grace period for implementation, from the date of the European Commission’s implementing decision. Whilst this may seem positive in contrast to, for example, the ECJ’s decision in the Schrems II case to invalidate the EU-US Privacy Shield with immediate effect, it is important to note that the one year grace period applies because the New SCCs will repeal the existing clauses, meaning that organisations will have no choice but to re-paper their contracts to put the New SCCs in place. See further our ‘repapering’ section below.


The New SCCs adopt a modular format, allowing organisations to include or exclude particular modules depending on the factual scenario in question. Whilst at first blush, this appears to be a sensible and perhaps surprisingly flexible approach, it does appear to result in a particular sting in the tail as it means that it is not easily possible to ‘rip and replace’ and swap out the SCCs with the New SCCs. See further our ‘repapering’ section below.

Scope (data transfers)

As mentioned above, the SCCs only cover controller to controller (“C2C”) transfers or controller to processor (“C2P”) transfers. This created significant hurdles when an EEA controller was transferring data to an EEA processor who then wanted to onwards transfer to a non-EEA sub-processor, as there were no processor to processor (“P2P”) clauses available. In addition, since implementation of the GDPR, it has been unclear how the SCCs were supposed to apply in the context of a non-EEA controller subject to the GDPR as a result of the extra-territoriality provisions in Article 3. The SCCs only contemplated controllers/exporters located in the EEA.

The New SCCs contemplate all transfer scenarios, being C2C, C2P, P2P and even processor to controller (“P2C”). They also contemplate transfers where the data exporter is located outside of the EEA. This extended scope is likely to be good news for organisations who have long struggled to make the existing scope fit for purpose in the context of complex supply chains.

Scope (processor clauses)

As well as updating the SCCs for international data transfer purposes, the European Commission has also used the opportunity to incorporate into the New SCCs a set of processor clauses required by Article 28 GDPR. The GDPR mandates the inclusion of certain provisions in contracts between controllers and processors so, once again, at first blush it seems absolutely sensible to include such provisions in an international data transfer contract between a controller exporter and a processor importer.

However, the Article 28 provisions in the New SCCs are not a ‘module’ in and of themselves, meaning they cannot easily be extracted. In addition, the New SCCs make it clear that, in the event of a conflict between the provisions of the New SCCs and the provisions of any other agreement between the parties, the terms of the New SCCs will prevail. For organisations who have spent significant time and resource over the last 2-3 years negotiating data protection provisions into their commercial contracts, it is unlikely to be welcome news to understand that at least some of those negotiated positions may be superseded by the version of Article 28 that the European Commission has decided to incorporate into its New SCCs. See also our ‘liability’ section below.

Extending the extra-territorial reach of the GDPR?

The New SCCs (in the C2C module) contain an interesting requirement for non-EEA data importers who are controllers to notify the competent EU supervisory authority of any personal data breach likely to result in ‘significant adverse effects’. This would apply even to a non-EEA controller not otherwise subject to the GDPR, therefore extending the extra-territorial reach of the GDPR even beyond Article 3(2). In addition, the threshold is ‘significant adverse effects’ rather than the thresholds referred to in the GDPR. Thresholds aside however, this is likely to be a challenging obligation for controller importers who would otherwise have no interaction or relationship with any EU supervisory authority.


It was almost inevitable that the New SCCs would include provisions to try and deal with some of the challenges brought about by the Schrems II case. Indeed, many commentators have suggested that the reason it has taken the European Commission such a long time to publish the New SCCs is because it wanted to be able to publish a version which responded to the Schrems case. It is therefore not surprising that the New SCCs include ‘supplementary measures’ to address concerns about the transfer of personal data to countries which don’t provide adequate protection.

The Schrems-related provisions in the New SCCs include: (i) a warranty from the parties that they have no reason to believe that the laws in the importer country prevent the importer from fulfilling its obligations under the New SCCs; (ii) a requirement to assess the laws of the importer country; (iii) a requirement to document the assessment referred to in (ii); and (iv) a requirement to make the documented assessment available to a competent supervisory authority on request. In addition, there are obligations on the data importer to challenge requests for access received from an authority and only provide the minimum amount of personal data possible once such challenges have been exhausted.

These types of obligations are a fairly logical consequence of the Schrems judgment but they are nonetheless onerous on the parties to the transfer. For small/medium data importer organisations in particular, the requirement to exhaust legal challenges in response to access requests is likely to be expensive and challenging. Similarly, the requirement on data exporters to assess the relevant laws in the importing country appears to place an obligation on private sector companies that the European Commission itself hasn’t been able to discharge other than with respect to a handful of countries that have obtained an adequacy decision. The final sting in the tail here would also appear to come in the form of the recently published EDPB Schrems guidance which suggests that contractual supplementary measures are nonetheless unlikely to enable a data exporter to transfer data to a third country that does not have essentially equivalent laws (i.e. the inclusion of these clauses in the New SCCs could make no difference whatsoever to the ability of a data exporter to transfer the data in a compliant manner).

Repapering (again)

As mentioned several times above, there appears to be no escaping the fact that the New SCCs are going to require every single organisation in Europe that transfers data outside of the EEA to undertake a mass repapering effort. Coming so soon after data protection repapering exercises undertaken to deal with: (i) the invalidation of the Safe Harbor; (ii) the implementation of the GDPR; (iii) the invalidation of the EU-US Privacy Shield; and (iv) the upcoming expiry of the Brexit transition period, this is likely to be particularly unwelcome news. The prospect of asking for additional budget to undertake such an exercise is also unlikely to be particularly appetising for many privacy professionals within organisations.

However, the modular structure of the New SCCs means that a simple ‘rip and replace’ for existing SCCs in unlikely to be possible. In addition, the introduction of P2P and P2C clauses will require the papering of new relationships as these clauses didn’t exist previously.

As well as the administrative burden of a repapering exercise though, it appears that this latest project is also likely to require more careful legal analysis than those that went before it. The interplay between commercially negotiated C2P positions and the provisions in the New SCCs will need to be carefully considered to understand the extent to which existing positions conflict with the New SCCs. There will also likely end up being a divergence between the processor terms negotiated between controllers and processors based in the EU, and those negotiated between controllers in the EU and processors outside of the EEA. In summary, it won’t be simple.


It perhaps follows on from the point above regarding potential conflict between negotiated commercial positions and the New SCCs that the issue of liability is likely to become a particular sticking point. The New SCCs contain more detailed liability provisions than are currently set out in the SCCs, and many organisations will already be aware of the complex negotiations undertaken commercially with respect to processor liability in particular. For example, the interaction between commercial agreed liability caps and the ‘uncapped’ liability position in the New SCCs is unclear – would an agreed liability cap be viewed as being in ‘conflict’ with the position in the New SCCs?


The New SCCs are not all bad news. It is clear that the European Commission has tried to address many of the criticisms of the existing clauses with its new drafting and flexible modular structure. However, regardless of whether or not the drafting has been improved, the fact that their implementation will require yet another resource-heavy and expensive repapering exercise is possibly a disadvantage that many will consider outweighs any possible benefit. In combination with the recent EDPB guidance on Schrems, it seems to make for a rather bleak outlook for organisations trying to balance data protection compliance with the commercial reality of global data flows.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Alasdair McMaster

Alasdair McMaster
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2194

A change in approach to subject access? ICO Publishes Updated DSAR Guidance


  • The ICO (the UK privacy regulator) has updated its guidance on data subject access rights, and the revised guidance appears to be aimed at giving organisations practical advice on managing and responding to subject access requests by including further detail and examples.
  • Although the revised guidance has not changed dramatically, it is fair to say that there are a few elements of the revised guidance which offer a glimmer of hope for organisations currently struggling to effectively manage the burden of DSAR compliance, and increasingly frustrated regarding the use of DSARs as a ‘fishing expedition’ for disgruntled employees.
  • In certain circumstances, the guidance provides that organisations can now stop the clock when clarifying access requests with data subjects.
  • Additional guidance is now also available on what constitutes a ‘manifestly excessive’ request (i.e. when an organisation can refuse to comply with a subject access request).
  • The ICO has also widened the circumstances in which organisations are permitted to charge a reasonable fee for DSAR responses.
  • Interestingly, the guidance contains a new section on ‘enforced’ subject access requests (sometimes seen in the employment context as a tool to carry out background checks), and concludes that in some circumstances these can result in a criminal offence being committed.

Continue reading


The Information Commissioner’s Office in the UK (the “ICO”) has published for consultation its draft statutory guidance setting out how it will regulate and enforce data protection legislation in the UK.

The document explains all of the ICO’s key powers (including information notices, assessment notices, enforcement notices and penalty notices). Perhaps most interestingly for organisations, it also sets out for the first time, the ICO’s approach to how it calculates fines under the GDPR, giving organisations a better sense of the level of fine to which they could be subject for GDPR non-compliance.

However, although the ICO has provided a table setting out it’s ‘starting point’ for the calculation of fines, there is nonetheless a large amount of discretion that the regulator can apply to adjust the fine both upwards and downwards, meaning that the process is not as transparent as it may at first seem.

Although the fine calculator is only in draft form at this stage, it is the first time that the process adopted by the ICO has been made public. Responses to the consultation are required by 5pm on Thursday 12 November 2020.

GDPR fine calculator

The ICO’s draft guidance sets out nine steps which will factor into the calculation of a fine for non-compliance with the GDPR, including seriousness, culpability, aggravating and mitigating factors, economic impact and dissuasiveness.

These steps will be applied to all GDPR fines, regardless of whether the so-called ‘standard maximum amount’ or ‘higher maximum amount’ applies. As per the GDPR, the higher maximum amount is €20 million or 4% of annual worldwide turnover (whichever is greater). The standard maximum amount is €10 million or 2% of annual worldwide turnover (whichever is greater).

The following three steps will be considered initially in order to enable the ICO to identify its ‘starting point’:


The factors to consider when assessing the seriousness of any infringement reflect those set out in the GDPR, including the nature, gravity, and duration of the failure; any action taken by the data controller or processor to mitigate the damage suffered by data subjects; the degree of cooperation with the ICO; and the way the breach became known to the ICO, including whether the data controller or processor notified the ICO of the failure.


When assessing culpability, the ICO will take into account the intentional or negligent character of the failure; specifically whether the organisation was intentional or negligent about its responsibility for the breach.


The ICO will review relevant accounts and obtain expert financial, or accountancy advice if required, to determine the amount of turnover (or equivalent for non-profit organisations such as the annual revenue budget and the financial means of individuals).

In circumstances where turnover or equivalent is minimal, the ICO will give greater weight to other factors such as dissuasiveness, particularly where there is a serious breach. Where there is a lack of cooperation in providing all relevant financial information, the panel will rely on the information available or otherwise give greater weight to factors such as aggravating features.

Starting point

Once the factors above have been assessed, the helpful table below sets out the ‘starting point’ for the fine, stated as a percentage of annual worldwide turnover, against which various other factors will be applied:

Once the appropriate starting point has been identified, the ICO will then apply the following other factors in order to adjust the starting point and reach the final level of the fine:

Aggravating and mitigating factors

The ICO will consider any aggravating and mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach.

When determining the amount of any proposed administrative fine, the ICO will then adjust the starting point figure for each band accordingly, upwards or downwards, to reflect its assessment of applicable aggravating or mitigating circumstances. It will clearly record which aggravating and mitigating features it has taken into account and why and how it considers that these influence the proposed administrative penalty.

Financial means

The ICO will consider the likelihood of the organisation or individual being able to pay the proposed penalty and whether it may cause undue financial hardship.

Economic impact

The ICO will, where appropriate, consider any economic impact on the wider sector, or related regulatory impact of the proposed penalty beyond the organisation or individuals it is serving the penalty on.

Effectiveness, proportionality and dissuasiveness

The ICO will ensure that the amount of the fine proposed is effective, proportionate, and dissuasive and will adjust it accordingly.

Early payment discount

The ICO will reduce the monetary penalty by 20%, if it receives full payment of the monetary penalty within 28 calendar days of sending its final penalty notice. However, this early payment discount is not available if the controller decides to exercise its right of appeal to the First-tier Tribunal.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378


More than two years after the GDPR came into force, the European Data Protection Board (the “EDPB”) finally published its long-awaited draft guidelines on the concepts of controller and processor on 7 September 2020.

Prior to this date, UK organisations only had the relatively limited guidance set out on the ICO website and the old Article 29 Working Party guidance, which predated the implementation of the GDPR, to go on when attempting to apply these fundamental concepts to real-world scenarios.

The new draft guidelines, which are open for public consultation until 19 October 2020, are split into two parts:

  • Part I addresses the concepts of controller, joint controller, processor and third party/recipient and the scenarios in which these roles should be allocated to parties that are involved in the processing of personal data; and
  • Part II sets out details of the measures that need to be put in place when controller-processor and joint controller relationships arise, providing detailed commentary in relation to the contents of a valid data processing agreement entered into between a controller and processor (“DPA”) and joint controller arrangement.

While the contents of the new draft guidelines largely confirm our existing understanding of these concepts and measures, they do contain some helpful sections which serve to offer clarification in relation to a number of issues that have arisen since the implementation of the GDPR. Other sections, however, arguably serve to complicate certain issues further and it is fair to say that many practical questions that organisations and practitioners have, are likely to remain unanswered.

Taking the positive from the draft guidelines however, we set out below seven practical takeaways for organisations looking to navigate to challenges of these concepts.

1. An organisation does not need to have access to or receive personal data to be deemed a controller

If an organisation instructs another party to carry out processing of personal data, or otherwise has processing carried out on its behalf, the organisation can be deemed a controller without ever having access to or receiving personal data.

This guidance confirms that an organisation that provides detailed instructions to a service provider to process personal data on its behalf (e.g. to conduct market research), but only ever receives statistical output information from that service provider in return will not be excused from having to comply with its obligations under the GDPR as a controller simply because it never sees any personal data.

Although not explicitly addressed, it would seem unlikely when this situation arises that contractual provisions would be sufficient to rebut this assumption. For example, we consider it unlikely that a provision in the contract between an organisation and a processor service provider, expressly prohibiting the service provider from providing the personal data to the counterparty organisation, would be sufficient to avoid the organisation being deemed a controller.

2. A service provider can be a processor even if the main object of the service is not the processing of personal data (but not if it only processes personal data on an incidental basis)

If a service provider provides a service where the main object of that service is not the processing of personal data, but has routine or systematic access to personal data, it will be deemed to be a processor. Conversely, a service provider will not be deemed to be a processor if it only comes across very limited quantities of personal data on an incidental basis.

This guidance clarifies that a service provider such as an IT helpdesk service that routinely accesses personal data (e.g. by liaising directly with a customer’s employees or by screen sharing) will deemed to be a processor even if this is not the main object of its role but another service provider, which has, for example, been instructed to fix a specific software bug and will not have the same level of access to personal data (but might see some inadvertently), will not be deemed to be a processor.

3. A service provider that processes personal data for its own purposes will be deemed a controller in respect of those activities

If a service provider carries out processing of personal data for and on behalf of a customer in accordance with the customer’s instructions, it will be deemed a processor in respect of these processing activities. However, if the service provider also processes personal data for its own purposes in the course of carrying out these services (e.g. to conduct data analytics to assist with improving its services for the benefit of its entire customer base), it will be deemed to be a controller in relation to these processing activities, even if it remains a processor for the majority of the processing activities that it carries out for its customer.

This means that the service provider will need to find a way of complying with its obligations under the GDPR as a controller in respect of these processing activities, including the transparency requirements, and it should also make the extent of these activities clear to its customer in any services agreement.

This guidance also reinforces the idea that a service provider is unlikely to solely act as a processor in relation to all processing activities that it carries out in the context of providing services to a customer and is instead likely to act as a mixture of processor, controller and potentially joint controller in respect of the different processing activities that it carries out under these arrangements. This is something that we regularly see reflected in commercial agreements, although the defining lines between the roles that a party may have are often more difficult to discern.

4. Controllers and processors are equally responsible for putting a DPA in place which meets the requirements of Article 28 of the GDPR

Though the wording of Article 28 does not make it entirely clear as to whether it is the responsibility of: (i) the controller; or (ii) both the controller and processor, to put a DPA in place containing Article 28 compliant provisions, it has traditionally been the controller rather than the processor which has taken it upon itself to ensure that the provisions in the DPA are sufficiently robust and detailed so as to meet this requirement. This is possibly a hangover from the Directive and the Data Protection Act 1998.

The guidelines confirm, however, that fulfilling this obligation is the responsibility of both controller and processor and emphasise that processors are also open to receiving administrative fines under the GDPR, which means that processors need to be equally as proactive and engaged as controllers in relation to ensuring these requirements are met.

5. It is not sufficient for a DPA to merely restate the provisions of Article 28

In the absence of a standard set of regulator-sanctioned DPA clauses, controllers and processors have had to exercise their discretion when determining what to set out in a DPA in order to meet the requirements of Article 28 of the GDPR. Typically, parties tend to set out detailed provisions in a DPA if the processing activities to be undertaken are extensive and/or high-risk, whereas if the processing activities are to be minimal or routine, it is not uncommon to see “light touch” DPA wording which simply cross refers to or incorporates by reference certain elements of Article 28 without any additional detail (e.g. in relation to security, “the processor shall take all measures required under Article 32 of the GDPR”).

The guidelines now make clear that merely restating the requirements Article 28 GDPR is never sufficient or appropriate when drafting a DPA: details of the procedures that processor will follow to assist the controller with meeting the listed obligations under Article 28 of the GDPR (e.g. in relation to personal data breach reporting and adopting adequate technical and organisational measures to ensure the security of processing) will need to be set out, potentially in annexes to the DPA. For many organisations that have spent considerable time and resources repapering their commercial agreements to include Article 28 wording, this push for additional detail which may not already be included in many organisations’ DPAs is unlikely to be welcomed given the time often already required to negotiate the provisions of a DPA with counterparties.

6. A controller-processor relationship will only arise where a processor is a separate legal entity in relation to the controller

The guidelines clarify that a department within a company cannot generally be a processor to another department within the same entity and so it will not be necessary to put a DPA in place when this situation arises.

Although the guidelines do not explicitly address whether this principle also applies to a branch and a head office, it follows that it may also not be necessary to put a DPA in place if one were to process personal data for the other.

7. Attributing the roles of controller, processor and joint controller to parties involved in less straightforward processing relationships will remain a challenging exercise

The guidelines set out a number of new tests to help with applying the concepts of controller, processor and joint controller in practice.

For example, the guidelines state that a party will be deemed to be a controller if exercises a “determinative influence” in respect of the processing and if it determines the “essential means” of processing such as making fundamental decisions with regards to the type of data to be processed, the duration of the processing, the categories of recipients and the categories of data subjects. Conversely, if a party only determines the “non-essential means” of the processing, which might include considerations such as choice of hardware or software to be used, it will be deemed to be a processor.

The guidelines also provide that a joint controller relationship will arise where more than one party holds “decisive influence” in respect of the processing either by making a “common decision” or “converging decisions”, where the processing would not be possible without both parties’ participation and where both parties’ processing activities are inseparable or inextricably linked.

While these new tests are welcome insofar that they serve to flesh out the existing guidance available, they do not make the task of attributing the roles of controller, processor and joint controller to parties involved in complex processing arrangements any easier. In particular, the guidelines do not appear to add much clarity with respect to the concept of joint controllers and when such a relationship will arise. Market practice since implementation of the GDPR has seemed to shy away from parties considering themselves to be joint controllers and the draft guidelines do little to clarify whether such practice is sustainable or not. Arguably, these tests will only serve to complicate matters further by requiring additional layers of analysis to be carried out at the outset of every matter involving the processing of personal data. They also offer no guidance on what to do in circumstances where the contractual parties disagree on the analysis – a situation which is potentially only likely to become more common.

Duc Tran

Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2954

Julia Ostendorf

Julia Ostendorf
Trainee Solicitor, London
+44 20 7466 2154

High GDPR fine issued but not for a data security breach

The Hamburg data protection regulator in Germany has issued a fine of €35.3 million against retail firm H&M for breaches of the GDPR relating to the excessive and unlawful collection of employee data. Interestingly, although the fine is the highest yet levied by a German regulator, it did not relate to a data security breach, which is how we have to date seen the biggest fines originating. In comparison to multiple high profile ongoing enforcement investigations in the UK and Ireland, the investigation in Germany has also been concluded at relatively high speed, in just under a year.


H&M is registered in Hamburg and operates a service centre in Nuremberg. Since at least 2014, according to the Hamburg regulator’s investigation, parts of the workforce have been subject to extensive recording of details about their private lives.

After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, comprehensive details of the employees holiday experiences or illness and diagnosis (in the case of sickness absence) would be recorded. In addition, some supervisors recorded personal information ranging from rather harmless details to family issues and religious beliefs as a result of casual and informal conversations with employees.

The recorded information was accessible by up to 50 other managers throughout the company and the information was used to create a detailed profile of individual employees and sometimes used to make employment-related decisions.

The excessive and unlawful collection of employee data came to light towards the end of October 2019 when a configuration error meant that the data became accessible company-wide for several hours. The Hamburg regulator was informed about the data collection through press reports and proactively issued an order for the contents of the network drive to be “frozen” and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation.

Despite the company’s full cooperation with the investigation, and its offer to compensate affected employees – actions which the regulator acknowledged as being an unprecedented acknowledgement of corporate responsibility following a data protection incident – the regulator considered that the seriousness of the breach warranted a significant fine (although not as significant as it appears it could have been according to the German authorities’ fine calculation model).

Practical Implications

We have set out below some key takeaways from this enforcement action:

  • Be warned that significant fines are not only reserved for security incidents – there are many ‘breaches’ of the GDPR that could potentially result in a fine of up to 4% of annual worldwide turnover;
  • Make sure that your HR and privacy functions are joined up and that HR personnel are properly trained in data protection issues – the HR function is a naturally data heavy part of any organisation;
  • Even within the HR function itself, ensure that personal data is only accessible to personnel on a need to know basis;
  • Keep the data minimisation principal front of mind and only collect data that is necessary; and
  • Full cooperation with the regulator could lead to a reduced fine but will not absolve an organisation of regulatory liability.
Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

National Data Strategy: The UK’s Data Revolution

On 9 September, the UK Government published a National Data Strategy which places data at the core of the UK’s recovery from the COVID-19 pandemic. The UK Government aims to ensure that companies and organisations can use data to drive digital transformation and innovation and boost growth across the UK economy. This new strategy comes after the UK Government recently announced that the responsibility for the UK Government’s use of data has transferred from the Department for Digital Culture Media and Sport to the Cabinet Office.

The National Data Strategy outlines five plans of action to capitalise on the opportunities data offers. These include:

1.     Unlocking the value of data across the economy: plans to make data more accessible to businesses and other organisations and encourage better coordination between the public and private sectors, whilst ensuring the appropriate protections are in place for international data transfers.

2.     Securing a pro-growth regime: plans to secure a regime which includes regulation of the digital and technology landscape, as well as data protection laws.

3.     Transforming government’s use of data to drive efficiency and improve public services: plans to change the way the UK Government uses data to boost digital innovation by hiring a Government Chief of Data Officer.

4.     Ensuring the security and resilience of the infrastructure on which data relies: plans to ensure that all data in the UK and all data transfers are handled securely in order to reduce cyber threats.

5.     Encouraging the international exchange of data: plans to cooperate with other countries to align data standards following the UK’s departure from the EU, and pursue an adequacy decision from the European Commission. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. The effect of this decision for the UK would be that personal data can flow from the EU to the UK without any further safeguard for international data transfer (as set out in the General Data Protection Regulation) being put in place.


Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Rachel Kane

Rachel Kane
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2968

Dhara Ladwa

Dhara Ladwa
Paralegal, Digital TMT, Sourcing and Data, London
+44 20 7466 2558