🔆 📖 👤

Statutory Instruments

2018 No. 480

Data Protection

The Data Protection (Charges and Information) Regulations 2018

Made

11th April 2018

Coming into force

25th May 2018

The Secretary of State makes the following Regulations in exercise of the powers conferred by sections 108(1) and (5) and 110(6) of the Digital Economy Act 2017 .

The Secretary of State makes these Regulations—

(a)

after consultation in accordance with section 109(1) of that Act; and

(b)

having regard to the matters specified in section 109(2) of that Act.

In accordance with section 110(2) of that Act, a draft of this instrument was laid before Parliament and approved by a resolution of each House of Parliament.

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Data Protection (Charges and Information) Regulations 2018 and come into force on 25th May 2018.

(2) In these Regulations—

business” includes any trade or profession;

charge period” has the meaning given in regulation 2(6);

data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);

data controller's financial year” means—

(a)

if the data controller has been in existence for less than 12 months, the period of its existence, or

(b)

in any other case, the most recent financial year of the data controller that ended prior to the first day of the charge period in respect of which information is being provided, or a charge is being paid, pursuant to regulation 2;

exempt processing” has the meaning given in the Schedule;

financial year”, in paragraph (b) of the definition of “data controller's financial year”—

(a)

in relation to a company, is determined in accordance with section 390 of the Companies Act 2006,

(b)

in relation to a limited liability partnership, is determined in accordance with section 390 of the Companies Act 2006 as applied by regulation 7 of the Limited Liability Partnerships (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008 , and

(c)

in relation to any other case, means the period, covering 12 consecutive months, over which a data controller determines income and expenditure;

member of staff” means any—

(a)

employee,

(b)

worker within the meaning given in section 296 of the Trade Union and Labour Relations (Consolidation) Act 1992 ,

(c)

office holder, or

(d)

partner;

number of members of staff” means the number calculated by—

(a)

ascertaining for each completed month of the data controller's financial year the total number of persons who have been members of staff of the data controller in that month,

(b)

adding together the monthly totals, and

(c)

dividing by the number of months in the data controller's financial year;

personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

processing”, in relation to personal data, means an operation or set of operations which is performed on personal data;

public authority” means a public authority as defined by the Freedom of Information Act 2000 or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 ;

turnover”—

(a)

in relation to a company, has the meaning given in section 474 of the Companies Act 2006,

(b)

in relation to a limited liability partnership, has the meaning given in section 474 of the Companies Act 2006 as applied by regulation 32 of the Limited Liability Partnerships (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008, and

(c)

in relation to any other case, means the amounts derived by the data controller from the provision of goods and services falling within the data controller's ordinary activities, after deduction of—

(i)

trade discounts,

(ii)

value added tax, and

(iii)

any other taxes based on the amounts so derived.

Requirements on data controllers

2.—(1) A data controller must comply with the requirements of this regulation unless all of the processing of personal data they undertake is exempt processing.

(2) Within the first 21 days of each charge period a data controller must pay a charge to the Information Commissioner, determined in accordance with regulation 3.

(3) Within the first 21 days of each charge period a data controller must provide to the Information Commissioner the following information, as of the first day of each charge period

(a)the name and address of the data controller;

(b)whether the number of members of staff of the data controller is—

(i)less than or equal to 10,

(ii)greater than 10 but less than or equal to 250, or

(iii)greater than 250;

(c)whether the turnover for the data controller's financial year is—

(i)less than or equal to £632,000,

(ii)greater than £632,000 but less than or equal to £36 million, or

(iii)greater than £36 million; and

(d)whether the data controller is a public authority.

(4) Paragraph (3)(c) does not apply to a data controller that is a public authority.

(5) For the purposes of paragraph (3)(a)—

(a)the address of a registered company is that of its registered office, and

(b)the address of a person (other than a registered company) carrying on a business is that of the person's principal place of business in the UK.

(6) In this regulation—

charge period” means—

(a)

for a person who is a data controller immediately before 25th May 2018 and has paid a fee pursuant to section 18(5) or 19(4) of the Data Protection Act 1998

(i)

the period of 12 months beginning on the date which is 12 months after the date on which that fee was most recently received by the Information Commissioner, and

(ii)

each subsequent period of 12 months;

(b)

for a person who is a data controller immediately before 25th May 2018 but has not paid a fee pursuant to section 18(5) or 19(4) of the Data Protection Act 1998

(i)

the period of 12 months beginning on 25th May 2018, and

(ii)

each subsequent period of 12 months; or

(c)

for a person who becomes a data controller on or after 25th May 2018—

(i)

the period of 12 months beginning on the date on which the person becomes a data controller, and

(ii)

each subsequent period of 12 months;

registered company” means a company registered under the Companies Acts as defined by section 2(1) of the Companies Act 2006.

Amount of charge payable under regulation 2

3.—(1) For the purposes of regulation 2(2), the charge payable by a data controller in—

(a)tier 1 (micro organisations), is £52 ;

(b)tier 2 (small and medium organisations), is £78 ;

(c)tier 3 (large organisations), is £3,763 .

(2) For the purposes of this regulation, a data controller is, subject to paragraph (3)—

(a)in tier 1 if—

(i)it has a turnover of less than or equal to £632,000 for the data controller's financial year,

(ii)the number of members of staff of the data controller is less than or equal to 10,

(iii)it is a charity, or

(iv)it is a small occupational pension scheme;

(b)in tier 2 if it is not in tier 1 and—

(i)it has a turnover of less than or equal to £36 million for the data controller's financial year, or

(ii)the number of members of staff of the data controller is less than or equal to 250;

(c)in tier 3 if it is not in tier 1 or tier 2.

(3) Paragraphs (2)(a)(i) and (2)(b)(i) are to be disregarded in relation to a public authority.

(4) For the purposes of regulation 3(2), the turnover and number of members of staff is determined on the first day of the charge period to which the charge relates.

(5) The applicable charge in paragraph (1) is reduced by £5.00 for a data controller that makes payment of the charge by direct debit.

(6) In this regulation—

Requirements in respect of partnerships

4.—(1) In any case in which two or more persons carrying on a business in partnership are the data controllers in respect of personal data for the purposes of that business, the requirements of regulation 2 may be satisfied in respect of those persons in the name of the firm.

(2) Where the requirements of regulation 2 are satisfied in the name of a firm under paragraph (1) above—

(a)the name to be specified for the purposes of regulation 2(3)(a) is the name of that firm, and

(b)the address to be specified for the purposes of regulation 2(3)(a) is the address of that firm's principal place of business.

(3) For the purposes of regulations 2 and 3, references to the turnover and number of members of staff of a data controller which is a partnership are references to the turnover and number of members of staff of the firm as a whole.

Requirements in respect of the governing body of, and head teacher at, any school

5.—(1) In any case in which a governing body of a school and a head teacher at a school are both data controllers for the purposes of that school, the requirements of regulation 2 may be satisfied in respect of that governing body and head teacher in the name of the school.

(2) Where the requirements of regulation 2 are satisfied in the name of a school under paragraph (1) above, the name and address to be specified for the purposes of regulation 2(3)(a) are those of the school.

(3) For the purposes of this regulation, in the definition of “number of members of staff” in regulation 1(2) any reference to a data controller is to be treated as a reference to the school.

(4) In this regulation—

head teacher” includes, in Northern Ireland, the principal of a school;

school”—

(a)

in relation to England and Wales, has the same meaning as in the Education Act 1996 ,

(b)

in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980 , and

(c)

in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 .

Crown application

6. These Regulations bind the Crown but do not apply to—

(a)Her Majesty in Her private capacity,

(b)Her Majesty in right of the Duchy of Lancaster, or

(c)the Duke of Cornwall.

Margot James

Minister of State

Department for Digital, Culture, Media and Sport

Regulation 2(1)

SCHEDULEEXEMPT PROCESSING

Interpretation

1. In this Schedule—

elected representative” has the meaning given in paragraph 23(3)(a) to (d) and (f) to (m) of Schedule 1 to the Data Protection Act 2018;

judge” includes—

(a)

a justice of the peace (or, in Northern Ireland, a lay magistrate),

(b)

a member of a tribunal, and

(c)

a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;

public register” means any register which, pursuant to a requirement imposed—

(a)

by or under any enactment, or

(b)

in pursuance of any international agreement,

is open to public inspection or open to any inspection by any person having a legitimate interest.

Exempt processing

2.—(1) For the purposes of regulation 2(1), processing of personal data is exempt processing if it—

(a)falls within one or more of the descriptions of processing set out in sub-paragraph (2), or

(b)does not fall within one or more of those descriptions solely by virtue of the fact that disclosure of the personal data is made for one of the reasons set out in sub-paragraph (3).

(2) The processing is—

(a)of personal data which is not being processed wholly or partly by automated means or recorded with the intention that it should be processed wholly or partly by automated means;

(b)undertaken by a data controller for the purposes of their personal, family or household affairs, including—

(i)the processing of personal data for recreational purposes, and

(ii)the capturing of images, in a public space, containing personal data;

(c)for the purpose of the maintenance of a public register;

(d)for the purposes of matters of administration in relation to the members of staff and volunteers of, or persons working under any contract for services provided to, the data controller;

(e)for the purposes of advertising, marketing and public relations in respect of the data controller's business, activity, goods or services;

(f)subject to sub-paragraph (4), for the purposes of—

(i)keeping accounts, or records of purchases, sales or other transactions,

(ii)deciding whether to accept any person as a customer or supplier, or

(iii)making financial or financial management forecasts,

in relation to any activity carried on by the data controller;

(g)carried out by a body or association which is not established or conducted for profit and which carries out the processing for the purposes of establishing or maintaining membership or support for the body or association, or providing or administering activities for individuals who are either a member of the body or association or who have regular contact with it; ...

(h)carried out by—

(i)a judge, or

(ii)a person acting on the instructions, or on behalf, of a judge,

for the purposes of exercising judicial functions including the functions of appointment, discipline, administration or leadership of judges; or

(i)carried out by—

(i)a member of the House of Lords who is entitled to receive writs of summons to attend that House, or

(ii)a person acting on the instructions, or on behalf, of such a member,

for the purposes of exercising the member’s functions as such;

(j)carried out by—

(i)an elected representative, or

(ii)a person acting on the instructions, or on behalf, of such a representative,

for the purposes of exercising the elected representative’s functions as such;

(k)carried out by—

(i)a person seeking to become (or remain) an elected representative (a “prospective representative”), or

(ii)a person acting on the instructions, or on behalf, of a prospective representative,

in connection with any activity which can be reasonably regarded as intended to promote or procure the election (or re-election) of the prospective representative.

(3) The disclosure is—

(a)required by or under any enactment, by any rule of law or by the order of a court;

(b)made for the purposes of—

(i)the prevention or detection of crime,

(ii)the apprehension or prosecution of offenders, or

(iii)the assessment or collection of any tax or duty or of any imposition of a similar nature,

and not otherwise being able to make the disclosure would be likely to prejudice any of the matters in (i) to (iii) above;

(c)necessary—

(i)for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(ii)for the purposes of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights; or

(d)required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

(4) The processing of personal data by or obtained from a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974) does not fall within the description of processing set out in sub-paragraph (2)(f).

Status: There are currently no known outstanding effects for the The Data Protection (Charges and Information) Regulations 2018.
The Data Protection (Charges and Information) Regulations 2018 (2018/480)

Displaying information

Status of this instrument

footnotecommentarytransitional and savingsin force statusrelated provisionsgeo extentinsert/omitsource countin force adj
F1Words in reg. 1(2) inserted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 421 (with ss. 117, 209, 210, Sch. 20 para. 26); S.I. 2018/625, reg. 2(1)(g)this amendment (text inserted) should be read in conjunction with other related provisions, see the commentary.inserted
F2Sum in reg. 3(1)(a) substituted (17.2.2025) by The Data Protection (Charges and Information) (Amendment) Regulations 2025 (S.I. 2025/63), regs. 1(1), 2(a) (with reg. 3)this amendment (text substituted) should be read in conjunction with other related provisions, see the commentary.substituted
F3Sum in reg. 3(1)(b) substituted (17.2.2025) by The Data Protection (Charges and Information) (Amendment) Regulations 2025 (S.I. 2025/63), regs. 1(1), 2(b) (with reg. 3)this amendment (text substituted) should be read in conjunction with other related provisions, see the commentary.substituted
F4Sum in reg. 3(1)(c) substituted (17.2.2025) by The Data Protection (Charges and Information) (Amendment) Regulations 2025 (S.I. 2025/63), regs. 1(1), 2(c) (with reg. 3)this amendment (text substituted) should be read in conjunction with other related provisions, see the commentary.substituted
F5Words in Sch. para. 1 inserted (1.4.2019) by The Data Protection (Charges and Information) (Amendment) Regulations 2019 (S.I. 2019/478), regs. 1, 2(2)inserted
F6Word in Sch. para. 2(2)(g) omitted (1.4.2019) by virtue of The Data Protection (Charges and Information) (Amendment) Regulations 2019 (S.I. 2019/478), regs. 1, 2(3)(a)omitted
F7Word in Sch. para. 2(2)(h) inserted (1.4.2019) by The Data Protection (Charges and Information) (Amendment) Regulations 2019 (S.I. 2019/478), regs. 1, 2(3)(b)inserted
F8Sch. para. 2(2)(i)-(k) inserted (1.4.2019) by The Data Protection (Charges and Information) (Amendment) Regulations 2019 (S.I. 2019/478), regs. 1, 2(3)(c)inserted
M12017 c. 30.
M2“Data controller” for the purposes of these Regulations is defined by s.108(8) of the Digital Economy Act 2017.
M32006 c. 46.
M4S.I. 2008/1911, to which there are amendments not relevant to these Regulations.
M51992 c. 52. There are amendments to this section which are not relevant to these Regulations.
M62000 c. 36.
M72002 asp 13.
M81998 c. 29.
M92011 c. 25.
M102005 asp 10.
M112008 c. 12. Section 1 is modified for certain purposes by S.R. 2013 No. 211, art. 2.
M12S.I. 2006/349.
M131996 c. 56.
M141980 c. 44.
M15S.I. 1986/594 (N.I. 3), as applied by S.I. 1993/2810 (N.I. 12) and S.I. 2003/424 (N.I. 12).
M161974 c. 39. Section 145(8) was substituted by S.I 2013/1881, art. 20(1) and (41)(g).
Defined TermSection/ArticleIDScope of Application
businessreg. 1.business_lgeKxVs
charge periodreg. 1.charge_per_lgGMCSW
charge periodreg. 2.charge_per_lggeDWp
charityreg. 3.charity_rtEoHS7
data controllerreg. 1.data_contr_lgGzM3f
data controller's financial yearreg. 1.data_contr_lgyz3TC
data controller's financial yearreg. 1.data_contr_rtP0S1e
elected representativepara 1. of SCHEDULEelected_re_rtXqjrH
exempt processingreg. 1.exempt_pro_lgq7ucI
financial yearreg. 1.financial__rtwWA4h
head teacherreg. 5.head_teach_lgT7CHh
judgepara 1. of SCHEDULEjudge_lgGJ8Sm
member of staffreg. 1.member_of__lgG4szu
number of members of staffreg. 1.number_of__lgOSgjI
personal datareg. 1.personal_d_lgd9sNA
processingreg. 1.processing_lgnh22u
prospective representativepara 2. of SCHEDULEprospectiv_rt9IQ7e
public authorityreg. 1.public_aut_lg6eDCk
public registerpara 1. of SCHEDULEpublic_reg_lgNDFrc
registered companyreg. 2.registered_lgvDlE8
schoolreg. 5.school_rtmlXI7
small occupational pension schemereg. 3.small_occu_lgKRXLF
turnoverreg. 1.turnover_rtjf5Jr
Changes that affect Made by
Sort descending by Changed Legislation Sort descending by Year and Number Changed Provision Type of effect Sort descending by Affecting Legislation Title Sort descending by Year and Number Affecting Provision Sort descending by Changes made to website text Note
The Data Protection (Charges and Information) Regulations 2018 2018 No. 480 reg. 3(1)(a) sum substituted The Data Protection (Charges and Information) (Amendment) Regulations 2025 2025 No. 63 reg. 2(a) Not yet
The Data Protection (Charges and Information) Regulations 2018 2018 No. 480 reg. 3(1)(b) sum substituted The Data Protection (Charges and Information) (Amendment) Regulations 2025 2025 No. 63 reg. 2(b) Not yet
The Data Protection (Charges and Information) Regulations 2018 2018 No. 480 reg. 3(1)(c) sum substituted The Data Protection (Charges and Information) (Amendment) Regulations 2025 2025 No. 63 reg. 2(c) Not yet

Status of changes to instrument text

The list includes made instruments, both those in force and those yet to come into force. Typically, instruments that are not yet in force (hence their changes are not incorporated into the text above) are indicated by description 'not yet' in the changes made column.