Mitchells & Butlers Pension Plan
Mitchells & Butlers Executive Pension Plan
Mitchells & Butlers Executive life assurance scheme (together the ‘plans’)

Data protection notice

Who are we?

This is a data protection notice provided on behalf of the respective Trustee of each of the Plans (the Trustees, we or us). We collect, hold and use personal information to help us run each of the Plans.

Contents of this notice
Each of the Trustees are data controllers in respect of the personal information that we hold in relation to the relevant Plan. Because we use your personal information, we have to provide you with certain information in order to comply with new data protection legislation set out in the General Data Protection Regulation (GDPR).

This notice contains information on:

the personal information we collect about you, what we do with this information and why we hold it. This is explained in more detail in section one.
who else we get personal information from and who else we share personal information with. This is explained in more detail in section two.
what rights you have in relation to your personal information and who to contact if you have any problems. This is set out in section three.

We have set out additional information on how and why we process your personal information, your rights under the GDPR, third parties with whom we share your personal information and an explanation of the key terms and phrases that are used in this notice.

Where can I get more information?
We also provide printed versions (including large print versions) on request.

This notice explains how the Trustees process your personal information. Please read this notice (and any other privacy information that we send to you) so that you are aware of how and why we are using your personal information.

We may change this notice from time to time. Please visit this webpage or contact us in order to receive the most up to date version of this notice. Our contact details are set out in section three of this notice.

Section one

About your personal information

What information do we collect and process?
We collect and process your personal information because you are or were a member, or are or were connected to a member of one or more of the Plans. We also collect personal information if you contact us in connection with your membership of the relevant Plan.

We collect and process the following categories of personal information about you:

personal contact details – names, titles, addresses, telephone numbers and email addresses;
information about you – dates of birth, sex, marital status, dependents and next of kin;
payroll information – National Insurance numbers, payroll numbers, bank account details, tax status, salary and employment information; and
pension benefits – information about the pension benefits that you have accrued, investment choices and death benefit nomination forms.

What sensitive personal information do we collect and process?
We usually only ask for sensitive personal information when it is required to help us make a decision in relation to your rights under one or more of the Plans. For example, we may request:

health information / medical records – we may ask you to provide health information if you request payment of a benefit that can only be paid if you meet certain medical criteria (e.g. ill health early retirement benefits). In addition to receiving this information from you, we may receive medical information from third parties such as your doctor or a third party occupational health provider; or
other sensitive personal information – we may ask you to provide other sensitive personal information (e.g. information about your personal relationships) if it is relevant to help us decide on an internal dispute resolution procedure.

In addition, certain categories of sensitive personal information (e.g. race, ethnicity, religious beliefs and sexual orientation) may be revealed on formal documentation that we process in order to identify the recipients of benefits under the Plans (e.g. birth certificates, marriage certificates, driving licenses and passports). You may also decide to provide us with sensitive personal information voluntarily (e.g. when raising queries or making a complaint).

How do we collect your personal information?
When you joined the relevant Plan, you and/or your employer provided personal details so that we could create your membership record.

This information is updated whilst you are a member of the Plan, even if you have since left service with any of the Plans’ employers. Updated information may come from:

you (e.g. if you get in touch to let us know a new address);
your employer or former employer (e.g. updated salary and payroll information); and
other third parties (e.g. if you contact the Plan's administrator to update your personal information or if HMRC provides us with information so that we can deduct the correct level of tax). In addition, we may request additional information in certain circumstances (e.g. if you request to transfer your benefits to another pension scheme, if you apply for ill health benefits or when you ask for your benefits to start being paid).

Why do we process your personal information?
We use this information to:

set up your membership record for the Plans;
manage your membership of the Plans;
send you information that is relevant to your membership of the Plans;
calculate, pay and settle any benefits that you are entitled to from the Plans;
comply with our legal and regulatory duties;
help manage risks and liabilities in the Plans in order to seek to be able to pay full benefits as far as possible;
help the Plans’ sponsoring employers comply with their legal and regulatory duties;
communicate with members and their independent financial advisers with information about the Plans; and
improve our information and knowledge of pension schemes generally.

What are our legal grounds for processing your personal information?

In order to comply with our legal obligations
As the Trustees of the Plans, we are under legal obligations to process your personal information in order to comply with pensions and other relevant legislation, the Plans’ rules, court rulings and Pensions Ombudsman decisions. For example:

legislation sets out certain things trustees must do (e.g. sending certain information to the Plans’ members); and
the Trustees are subject to fiduciary duties under trust law to act in line with the Plans’ governing documentation.

It is necessary for us to process your personal information in order to comply with these legal obligations.

In order to fulfil our legitimate interests
Processing your personal information is also lawful if it is based on our 'legitimate interests'. The Trustees have a legitimate interest in running and managing the relevant Plan and managing the Plans’ risks and liabilities. In addition, certain third parties may have legitimate interests which require the processing of your personal information by the Trustees (e.g. your employer may need information in order to comply with regulatory requirements).

In order to rely on this legal ground, we have:

considered the impact the processing has on your interests and rights; and
implemented appropriate safeguards to ensure that your privacy is protected as far as possible.

What are our legal grounds for processing your sensitive personal information?
There are three legal grounds that allow us to process your sensitive personal information (sometimes referred to as special categories of personal data):

when we obtain explicit consent from you (e.g. when you sign one of the Plans’ forms which contains the appropriate consent wording);
when processing is necessary for carrying out obligations under employment, social security or social protection law. This includes obligations under pensions law; and
when processing is necessary for reasons of substantial public interest (which, under the Data Protection Act 2018, applies to certain processing by trustees of occupational pension schemes when making decisions about benefits).

What would happen if we did not collect and process your personal information?
If we did not collect and process your personal information then:

we would not be able to manage or administer the Plans appropriately;
we would not be able to pay the benefits that you are entitled to under the relevant Plan; and
we would be in breach of our legal and regulatory duties.

How long do we keep your personal information for?
The Plans were set up to provide benefits over a very long time. The Trustees need to maintain records in order to properly run the Plans, to determine who should receive what level of benefits and when they should receive them, and to respond to any disputes about an individual's rights under the Plans.

As a result, the Trustees will generally keep your personal information for a long period of time i.e until the wind up of the relevant Plan or the death of the last beneficiary, in either case, plus 15 years (which is the longest period of time that someone can bring a claim against any of the Plans). Our service providers (and former service providers) may also have similar valid grounds to keep your personal information for such long periods.

Section two

Using and sharing your personal information

How do we keep your personal information secure?
We use a range of measures to safeguard your personal information, in line with the requirements set out in the Data Protection Legislation. These apply to both paper and electronic records. We also require our third party service providers to give certain assurances and agree to contractual terms in respect of data protection and the security of your personal information.

What do we do with any personal information that is provided by third parties?
We receive personal information from sources other than directly from you. This includes information shared by your Plan employer, the Plans’ administrator, its professional advisers, service providers and other relevant third parties.

When we receive this information, we add it to the information we already hold about you in order to help us make sure that your details are as up to date and accurate as possible and so that we can manage your membership of the relevant Plan and the Plans more generally.

Who do we share your personal information with?
For the purposes of administering and managing the Plans, managing its risks and liabilities, and paying benefits, the Trustees may need to share your personal information with third parties. This will include your employer (e.g. the payroll, finance, compliance, audit and HR teams). It will also include third parties who provide advice or services to the Trustees. These third parties may include actuaries, administrators, auditors, insurers, prospective insurers, lawyers, medical advisers, and any other such third parties as may be necessary for the operation of the Plans and to enable the Trustees to carry out their duties.

We've set out a list of the third parties with whom we share your personal information together with links to their data protection and privacy information where applicable (see Part 12 of the Further Information section).

Our suppliers and service providers who act as data processors must act in accordance with our instructions. Some of our suppliers and service providers also act as data controllers in respect of your personal information. We've included links to their online privacy information if you want to find out more about how they process your personal information.

In some circumstances, we may have to disclose your personal information by law, because a court or the police or other law enforcement agency has asked us for it. We may also need to pass your personal information to The Pensions Regulator or HM Revenue and Customs.

We may also share your personal data with the Plans’ employers (and their professional advisers) to enable them to carry out activities in their legitimate interests (this is usually in connection with managing their business from a regulatory, HR or finance perspective).

Sometimes, in order to improve our knowledge and information of pension schemes generally (so that we may improve our ability to run the Plans appropriately, we pool the personal data we hold with that of other pension schemes through third parties (for example, to obtain up to date and more accurate longevity data).

Section three

Your rights and who to contact

What rights do you have in respect of your personal information?
In certain circumstances, you have the following rights in respect of your personal information:

the right to object to us processing your personal information;
the right to request access to personal information relating to you;
the right to request that we correct any mistakes in your personal information;
rights in relation to automated decision taking;
the right to request to restrict or prevent processing of your personal information;
the right to request to have your personal information transferred to another data controller (e.g. if you decide to transfer your pension benefits to another pension scheme); and
the right to request to have your personal information deleted.

We've set out more information about these rights in part two of the additional information starting on page 9.

How will we respond to your request?
We will usually respond to any request that you make in relation to your rights within a month of receiving your request. If your request is particularly complex, we will let you know that we've received your request and let you know when we aim to respond. You can find out more about your rights under the UK's data protection laws at www.ico.org.uk.

Under the UK's data protection legislation, there are exemptions which mean that, in certain circumstances, we may continue to store, process or transfer your personal information (for example where we need to comply with a legal requirement or have a legally valid legitimate interest in doing so) even if you ask us not to.

What should you do if you have any questions or complaints?
You may be entitled to compensation for damage caused by breach of the Data Protection Legislation. If you do not think that we have processed your data in accordance with this notice, please contact us in the first instance (see 'How to contact us' below). If you are not satisfied, you can complain to the Information Commissioner's Office. Information about how to do this is available on their website at www.ico.org.uk/concerns or by calling their helpline on 0303 123 1113.

How to contact us
Please contact us if you have any questions about this privacy notice or the information we hold about you.

If you wish to contact us, please send an email or a letter to pensions@mbplc.com or The Pensions Department, Mitchells & Butlers plc, 27 Fleet Street, Birmingham B3 1JP. Alternatively, you can call the Pensions Department on 0121 498 5767.

Further information - part one

More about how and why we process your personal information

Category of personal information	What we use this information for	Legal ground(s) for processing	Where we got this information from
Address	We use this information so that we can send you information that we are legally required to provide you with. In addition, we use this information to get in touch with you when we need to in order to run the Plans. Finally, we use it to send you information that we think will be relevant to you as a member of the relevant Plan.	We have a legal obligation to send certain information to members of the Plans. In addition, we may send additional information to fulfil our legitimate interest of running the Plans.	This information is initially provided by you or your employer when you joined the relevant Plan. Your employer may share updated information if you update your records with HR. In addition, you may have updated your information by contacting us or the Plans’ administrator. If a member's details are not kept up to date, we may lose contact with that member. In these cases, we may use a third party tracing agent to obtain up to date contact information.
Telephone number	We use this information so that we can send you information that we are legally required to provide you with. In addition, we use this information to get in touch with you when we need to in order to run the Plans. Finally, we use it to send you information that we think will be relevant to you as a member of the relevant Plan.
Email address	We use this information so that we can send you information that we are legally required to provide you with. In addition, we use this information to get in touch with you when we need to in order to run the Plans. Finally, we use it to send you information that we think will be relevant to you as a member of the relevant Plan.
Name and title	We use this information to identify you and to create and update your membership record in the relevant Plan.	We have a legal obligation to pay the correct level of benefits to the correct individuals. This requires us to obtain and update this information. We also have a legal obligation to properly identify individuals who receive or may receive benefits from the Plans. The Trustees are also required to comply with tax legislation and deduct the correct level of tax from benefits. Processing this information also fulfils the Trustees’ legitimate interests in running and managing the Plans.
Date of birth and your Plan retirement date
Sex
Marital status	We use this information to help us decide who should receive what benefits from the Plans.
Dependents	We use this information to help us decide who should receive what benefits from the Plans.
Next of kin	We use this information to help us decide who should receive what benefits from the Plans.
National Insurance number	We use this information to identify you and to create and update your membership record in the relevant Plan. Your National Insurance number is also needed so that we can receive the correct information from HMRC and so that we can deduct the correct level of tax from your benefits.
Employment start and, if applicable, end dates	We use this information to identify you and to create and update your membership record in the relevant Plan. Your National Insurance number is also needed so that we can receive the correct information from HMRC and so that we can deduct the correct level of tax from your benefits.
Payroll number	We use this information to identify you and to create and update your membership record in the relevant Plan. Your National Insurance number is also needed so that we can receive the correct information from HMRC and so that we can deduct the correct level of tax from your benefits.
Plan reference number	We use this information to identify you and to create and update your membership record in the relevant Plan. Your National Insurance number is also needed so that we can receive the correct information from HMRC and so that we can deduct the correct level of tax from your benefits.		The Plans’ administrators may create a unique reference number so that your records can be easily identified.
Bank account details	We use this information in order to pay your benefits under the relevant Plan directly to you.		Your bank details provided by you when you fill in your membership form and when you update your details.
Tax status	We use this information to deduct the correct level of tax from your benefits.		Your tax status is provided to us by your Plan employer and/or HMRC.
Salary details	We use this information to calculate the correct level of your benefits under the Plans.		Your salary details are provided to us by your Plan employer.
Details about your entitlement to pension benefits under the relevant Plan	We use this information to calculate the correct level of your benefits under the Plans.	See the section above on the previous page.	Details about your entitlement to pension benefits under the Plans may be provided by your employer or may be determined by reference to the Plans’ governing documentation. In addition, the Plan's actuary and administrators will carry out calculations, the results of which will be added to your record.
Investment choices	We use this information to ensure that your additional voluntary contributions and/or money purchase benefits are invested in the correct investment plan.	We have a legal obligation to ensure that the Plan is run properly and in line with its governing documents. There is also specific legislation that governs payment of contributions into money purchase investment plans.	We (or our third party providers) give you information about the investment options that are available to you. You then provide us with your choices and any changes to your investment choices.
Death benefit nomination forms	We use this information as part of our decision making process when deciding who will receive death benefits.	As the respective Trustees of the Plans, we have a legal obligation to make decisions in line with trust law. This includes an obligation to take account of all the relevant facts and ignore all the irrelevant facts when making decisions and exercising discretions. We also have a legal obligation to pay the correct level of benefits to the right individuals at the right time.	You provide us with the information that is contained on our death benefit nomination forms.
Medical information (including medical records and doctors' opinions)	We use this information as part of our decision making process when deciding ill health benefits under the Plans.		Medical information relating to you may be provided directly by you, by the Plan employer, your doctor or by a third party providing health assessments / reports.
Information about your personal relationships	This information is used to determine who is entitled to benefits in relation to your membership of the relevant Plan.		This information is usually provided by you. In certain circumstances, we may also need to obtain information from relevant third parties.
Certified copies of official documents, including: passport; driving license; birth certificate; marriage certificate death certificate; and decrees nisi / absolute.	This information is used to: identify you; determine the status of your relationship; determine who may be entitled to benefits under the Plans; and trigger certain processes in respect of your benefits under the Plan (e.g. payment of death benefits or splitting of benefits in cases of divorce).	As the respective Trustees of the Plans, we have a legal obligation to make decisions in line with trust law. This includes an obligation to take account of all the relevant facts and ignore all the irrelevant facts when making decisions and exercising discretions. We also have a legal obligation to pay the correct level of benefits to the right individuals at the right time. Certified copies of official documentation are sometimes essential for the Trustees to make legally valid decisions.	This information is usually provided directly by you or from your next of kin. In more unusual cases (e.g. when we are having difficulty locating a member or identifying their next of kin) publically available official documentation may be obtained by a third party tracing agent.

Further information - part two

More about your rights under the gdpr

As a data subject, you have a range of rights under the Data Protection Legislation. These rights are explained in more detail below. If you have any comments, concerns or complaints about our use of your personal information, please contact us directly.

You can email or write to us at:
pensions@mbplc.com or The Pensions Department, Mitchells & Butlers plc, 27 Fleet Street, Birmingham B3 1JP

Alternatively, you can call the Pensions Department on 0121 498 5767

Right to object to our processing of your personal information
You may object to us processing your personal information where we are relying on a legitimate interest as our legal grounds for processing. Our legal grounds for processing are set out in section one of this data protection notice and part one of the Further Information section.

If you have the right to object to processing (i.e. for personal information that we process in order to fulfil our legitimate interests or the legitimate interests of a third party) and you exercise this right, we will no longer be able to process your personal information unless we can demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds as set out in section one of this data protection notice and in part one of the further information.
The key point to note is that, if we cannot continue to process your personal information, we would be unable to ensure that we are providing the correct level of benefits in respect of your membership of the Plan. As we are legally required to pay the correct level of benefits to the right people at the right time, in these circumstances we may have to delay or even stop payments / requests until we have sufficient information.

Right to access personal data relating to you
You can ask us to confirm whether we are processing your personal information. If we are, you may ask us to provide the following:

a copy of your personal information (please note that, if you want more than one copy of your personal information, we reserve the right to charge a reasonable fee based on our administrative costs for the provision of such further copies);
details of the purpose for which your personal information is being, or is to be, processed;
details of the recipients or classes of recipients to whom your personal information is, or might be, disclosed, including, if the recipient is based in a country outside of the European Union, what protections are in place in relation to the transfer to that recipient;
the period for which your personal information is held (or the criteria we use to determine how long it is held);
any information available about where we obtained your personal information; and
confirmation as to whether we carry out any automated decision-making (including profiling) and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

Requests for your personal information must be made to us in writing (see ‘How can you contact us?’ above). A copy of your request will be kept on your membership record. To help us find the information easily, please give us as much information as possible about the type of information you would like to see.

If, to comply with your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person if possible.

There are certain types of information which we are not obliged to disclose to you, which include personal information which records our intentions in relation to any negotiations with you where disclosure would be likely to prejudice those negotiations.

Right to correct any mistakes in your information
You can require us to correct any mistakes (including adding missing information) in any of the personal information concerning you which we hold. Please contact us using the contact details set out at the beginning of this section.

Rights in relation to automated decision making/profiling
The Trustees do not use automated decision making or profiling.
Automated decision making occurs when decisions are taken solely on automated processes. Under the Data Protection Legislation, you have the right to ask that, if you are being evaluated (for example, when a bank carried out credit checks before making decisions on issuing loans or credit cards), any decisions are not solely based on automated processes and to have any decision reviewed by a member of staff.

These rights will not apply in all circumstances, for example where the decision is authorised or required by law and steps have been taken to safeguard your interests.

Right to request that we restrict the processing of your personal information
You may request that we restrict the processing of your personal information in any of the following circumstances:

where you do not think that your personal information is accurate. In this case, we will start processing again once we have checked whether or not your personal information is accurate;
where the processing is unlawful, but you do not want us to erase your information;
where we no longer need the personal information for the purposes of our processing, but you need the information to establish, exercise or defend legal claims; or
where you have objected to processing because you believe that your interests should override our legitimate interests. In this case, we will start processing again once we have checked whether or not our legitimate interests override your interests.

If our processing is restricted in any of the circumstances described above, we will inform you in advance if that restriction is to be lifted.

Right to request that we delete your personal information
You can ask us to delete your personal information where your personal information is being processed on a legal ground other than for complying with a legal obligation and:

you believe that we no longer need to process it for the purposes set out in this privacy notice;
you had given us consent to process it, but you withdraw that consent and there is no other legal ground upon which we can process it;
you have successfully objected to our processing it; or
it has been processed unlawfully or has not been erased when it should have been.

Right to request transfer of your personal information
You may, in specified circumstances, ask a data controller to provide you with an electronic copy of personal information that you have provided to it, or to have such a copy transmitted directly to another data controller.

Those circumstances do not, however, generally apply in relation our processing of your personal information in connection with the Plans. This is because:

our legal grounds for processing will not normally be that you have consented to the processing; and
we do not carry out processing by automated means.

Right to withdraw consent
We usually only request your consent when we ask you for sensitive personal data. You have the right to withdraw any consent you have given us at any point.

However, as highlighted above, the Trustees only request sensitive personal data that is required to make decisions in respect of specific member benefits or complaints. If you withdraw your consent for us to process this information, we may have to delay or even stop payments / requests until we have sufficient information.

What will happen if your rights are breached?
You may be entitled to compensation for damage caused by breach of the Data Protection Legislation. If you do not think that we have processed your information in accordance with this notice, please contact us in the first instance.

If you are not satisfied, you can complain to the Information Commissioner's Office. Information about how to do this is available on their website at www.ico.org.uk/concerns or by calling their helpline on 0303 123 1113..

Further information - part three

Third parties and transfers

For the purposes of administering the Plans and paying benefits under them, the Trustees may need to share your personal information with certain third parties. This section lists the key third party service providers with whom we share your personal information.

Mitchells & Butlers Pension Plan:

Role	Third party	Other information (if applicable)
Actuary	Mercer	Mercer and the Plan's named actuary for statutory purposes use personal data in order to perform actuarial calculations, or as requested by the Trustees to provide advice in respect of the Plan. The Plan's actuary has to use personal data in order to fulfil certain statutory or regulatory duties, for example, relating to the formal scheme valuations. Mercer also uses the Plan's personal data for data analytics purposes, including to create insights, reports and other analytics to improve the quality of and market Mercer’s advice, products and services. The Trustees are satisfied that this is a reasonable use for the Plan's personal data because the Trustees benefit from it. The research, information and analysis is made available to those at Mercer who advise the Trustees so that it can be used to improve and extend the services available to the Trustees. Some of the information may be available to the Trustees directly and helps inform them of pension industry knowledge. Mercer has confirmed to us that none of its data analysis output discloses individual details of Plan members or other beneficiaries.
Administrator	Legal & General (DC Section) Mercer (DB Section)	https://www.legalandgeneral.com/privacy-policy/ https://www.uk.mercer.com/privacy.html
Legal advisers	Gowling WLG	https://gowlingwlg.com/en/privacy-statement
Sponsoring Employer	Mitchells & Butlers plc	https://www.mbplc.com/privacy/
Auditor	PWC Barnett Waddingham Accurate Data Services Experian Prudential AAA Trustee Ltd 20-20 Trustee Services Wordshop Gallaghers Law Debenture	https://www.pwc.co.uk/who-we-are/privacy-statement.html https://www.barnett-waddingham.co.uk/privacy-policy/ http://www.accuratedata.co.uk/data-security https://www.experian.co.uk/consumer/privacy.html https://www.pru.co.uk/privacy-security/ http://trustee.uk.com http://2020trustees.co.uk/terms/ https://www.wordshop.co.uk/policies/ http://www.gallaghereb.com/Pages/Privacy-and-Cookies-Policy.aspx https://www.lawdebenture.com/privacy-policy/

Mitchells & Butlers Executive Pension Plan

Role	Third party	Other information (if applicable)
Actuary	Mercer	https://www.uk.mercer.com/about-mercer/use-personal-data-mercer-scheme-actuaries-providing-actuarial-services.html
Administrator	Legal & General (DC Section) Mercer (DB Section)	https://www.legalandgeneral.com/privacy-policy/ https://www.uk.mercer.com/privacy.html
Legal advisers	Gowling WLG	https://gowlingwlg.com/en/privacy-statement
Sponsoring Employer	Mitchells & Butlers plc	https://www.mbplc.com/privacy/
Auditor	PWC Barnett Waddingham Accurate Data Services Experian Prudential AAA Trustee Ltd 20-20 Trustee Services Wordshop Gallaghers Law Debenture	https://www.pwc.co.uk/who-we-are/privacy-statement.html https://www.barnett-waddingham.co.uk/privacy-policy/ http://www.accuratedata.co.uk/data-security https://www.experian.co.uk/consumer/privacy.html https://www.pru.co.uk/privacy-security/ http://trustee.uk.com http://2020trustees.co.uk/terms/ https://www.wordshop.co.uk/policies/ http://www.gallaghereb.com/Pages/Privacy-and-Cookies-Policy.aspx https://www.lawdebenture.com/privacy-policy/

Transfers of your personal information out of the EU

Your information may be transferred out of the European Union. Our service providers have confirmed that they either:

do not transfer the Plans’ data outside of the European Union; or
do or may transfer the Plans’ data outside of the European Union, but only when certain protections that are approved by the European Commission are applied. These protections aim to ensure the security of your personal information, safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.

Further information - part four

Key terms and phrases

Data controller means the natural or legal person or other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. This means that the data controller exercises overall control over the 'why' and 'how' of a data processing activity.

Data Protection Act 1998 is the legislation that currently applies to the processing of personal data in the UK. The Data Protection Bill 2017 – 19 will repeal the Data Protection Act 1998.

Data Protection Legislation means the Data Protection Act 1998, the Data Protection Bill 2017 – 19 and the General Data Protection Regulation, together with regulatory guidance issued by the European Commission (via the Article 29 Working Party) and the Information Commissioner's Office.

Data protection principles means the principles that are set out in the Data Protection Legislation relating to the processing of personal data. In the General Data Protection Regulation, there are six principles:

lawfulness, fairness and transparency;
purpose limitation;
data minimisation;
accuracy;
storage limitation; and
integrity and confidentiality.

In addition, there is an overarching principle of accountability.

Data processor means a natural or legal person or other body who processes personal data on behalf of the data controller.

Data subject means the identified or identifiable living individual to whom personal data relates.

General Data Protection Regulation (GDPR) is the primary EU legislation that, on and from 25 May 2018, will apply to the processing of personal data in all member states of the EU.

Information Commissioner's Office (ICO) is the UK's national data protection authority. It is a public body that is charged with regulating information rights, public sector transparency and individual's privacy in the UK.

Personal data or Personal information means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number etc.

Privacy notice means the information that is provided to inform individuals about what you do with personal data. Under the Data Protection Legislation, data controllers must provide accessible information to individuals about the use of their personal data.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special categories of personal data
(also referred to as sensitive personal data) means:

personal data that is personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person;
data concerning health; or
data concerning a natural person's sex life or sexual orientation.