Applicability and scope of the DPA 1998 [Archived]
Applicability and scope of the DPA 1998 [Archived]

The following Corporate guidance note provides comprehensive and up to date legal information covering:

  • Applicability and scope of the DPA 1998 [Archived]
  • Applicability and territorial scope
  • The data in transit exception
  • Using data processors
  • Applicability and territorial scope—reference table

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.

This Practice Note concerns the applicability and territorial scope of the DPA 1998. When considering the applicability of the DPA 1998, look at the following:

  1. the type of data being processed—the DPA 1998 applies only to the processing of personal data, other data (eg statistical or other data which does not relate to an identifiable individual) is not covered

  2. where the data controller is established—the DPA 1998 applies only to data controllers who are established in the UK and who process personal data in the context of that establishment. This covers UK based data controllers who process data connected to a UK business even if technically the processing takes place overseas (eg using servers located in another country)

  3. the equipment/location of processing—where a non-UK, non-EEA data controller processes personal data using equipment located in the UK, the DPA 1998 applies as long as the processing is not simply the routing of data in transit from one overseas server to another via the UK. This catches occasions where personal data is collected via a UK-hosted website, even if the website owner/data controller