KB 2023 004108 - [2025] EWHC 1824 (KB)
Date: 22-Jul-2025
The legal framework
UK General Data Protection Regulation and the Data Protection Act 2018
The UK GDPR, as supplemented by Part 2 of the Data Protection Act 2018 (“DPA 2018”):
“1. ... lays down rules relating to the protection of natural persons with regard to the processing of personal data.
2. ... protects fundamental rights and freedoms of natural persons ... in particular their right to the protection of personal data.”
See article 1 UK GDPR.
Having regard to the recitals to the UK GDPR (albeit taking into account the guidance provided in R(M) v Chief Constable of Sussex Police [2021] EWCA Civ 42 at [87]), I note the balance that is to be struck between the protection of data rights and other fundamental rights, as provided by recital (4):
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles in the [Charter of Fundamental Rights of the European Union] ... in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
“Personal data” is that which is referable to an identified or identifiable natural person (“data subject”): article 4(1) UK GDPR. A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data is a “controller” for the purposes of the UK GDPR: article 4(7).
Those who process or control the processing of personal data must do so compatibly with the rules laid down by the UK GDPR, which set the standard for processing by reference to six principles as set out at article 5 of the UK GDPR, relevantly as follows:
“(1) Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; […] (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate ..., (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, ... using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
As for what “processing” is “lawful”, that is made clear by article 6, which provides (again, so far as relevant for present purposes):
“(1) Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) ...; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) ...; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The lawfulness of processing is also addressed at section 2 DPA 2018, where, in relation to article 6(1)(e), it is explained that this will include processing of public data that is necessary for (relevantly): “(a) the administration of justice”.
Article 9 of the UK GDPR identifies “special categories” of personal data as necessitating heightened protection; this includes “data concerning health” (article 9(1)), which is defined as meaning “data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (article 4(15)). As acknowledged by recital (51) to the UK GDPR:
“Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.”
The heightened protection afforded to special category personal data takes effect by a prohibition on the processing of such data (article 9(1)) except where, and to the extent that, a lawful processing condition under article 9(2) applies. Relevantly, such conditions include:
“(f) processing that is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.”
Under Chapter III UK GDPR, specific provision is made for particular “rights of the data subject”. The claimants in the present proceedings place reliance on articles 14 (right to information) and 17 (right to erasure).
Article 14 applies where (as here) personal data has been obtained other than from the data subject themselves. The right to be informed includes being told of the purpose of any intended processing, the legal basis for that processing, and any legitimate interest relied on; it also provides for an obligation to inform the data subject of their right to object to the processing (and article 21 provides for an express right to object). The rights provided by article 14(1)-(4) will not apply, however, where the obligation to provide information about intended data processing would be likely to render impossible, or seriously impair, the achievement of the objectives of that processing; in such cases, the controller is required to take “appropriate measures to protect the data subject’s rights and freedoms and legitimate interests” (article 14(5)(b)). Article 14 is also to be read subject to the exemptions provided under schedule 2 DPA 2018 (see further below).
Article 17 provides a right to erasure, sometimes referred to as a “right to be forgotten”. The right is to request erasure of personal data where (relevantly):
“(1) ... (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ... (c) the data subject objects to the processing ... and there are no overriding legitimate grounds for the processing ...”
By article 17(3), however, it is made clear that this right:
“... shall not apply to the extent that processing is necessary: ... (b) for compliance with a legal obligation which requires processing under domestic law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; ... (e) for the establishment, exercise or defence of legal claims.”
More generally, paragraph (5) of schedule 2 to the DPA 2018 provides that the “listed GDPR provisions” will not apply to personal data where disclosure of the data:
“(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure.”
The “listed GDPR provisions” are those set out in paragraph 1 of the schedule, and include (relevantly) articles 14 and 17, and article 5, so far as its provisions correspond to rights and obligations provided in articles 13-21, and to the article 5(1)(a) requirement of lawful, fair and transparent processing (other than the lawfulness requirements provided by article 6) and to the purpose limitation thereunder.
Under Chapter IV, the UK GDPR sets out obligations on data controllers and processors. In the current proceedings, the claimants place reliance on article 25, which provides (more relevantly):
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall ... implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and to protect the rights of data subjects.”
The reference to “pseudonymisation” has a specific legislative definition under the UK GDPR, as provided by article 4(5), as follows:
“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
Unlike anonymised data, pseudonymised data thus remains personal data (the data subject will be indirectly identifiable), but pseudonymisation can reduce the risks to the data subjects concerned (see recital (28) UK GDPR) and should be done “as soon as possible” (recital (78)). Practical guidance in relation to the pseudonymisation of personal data is provided by the ICO.