 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
United Kingdom Statutory Instruments |
||
|
You are here: BAILII >> Databases >> United Kingdom Statutory Instruments >> The Data Protection (Charges and Information) (Amendment) Regulations 2025 No. 63 URL: http://www.bailii.org/uk/legis/num_reg/2025/uksi_202563_en_1.html |
||
[New search] [Help]
This is the original version (as it was originally made). This item of legislation is currently only available in its original format.
Statutory Instruments
DATA PROTECTION
Made
22nd January 2025
Laid before Parliament
27th January 2025
Coming into force
17th February 2025
The Secretary of State makes these Regulations in exercise of the powers conferred by sections 137(1) and 182(5) of the Data Protection Act 2018( 1).
The Secretary of State makes these Regulations—
having regard to the matters specified in section 137(4) of that Act, and
after consultation in accordance with sections 138(1) and 182(2) of that Act.
1.—(1) These Regulations may be cited as the Data Protection (Charges and Information) (Amendment) Regulations 2025 and come into force on 17th February 2025.
(2) These Regulations extend to England and Wales, Scotland and Northern Ireland.
(3) In these Regulations, “ the 2018 Regulations” means the Data Protection (Charges and Information) Regulations 2018( 2).
2. Regulation 3(1) of the 2018 Regulations is amended as follows—
(a) in sub-paragraph (a), for “£40” substitute “£52”;
(b) in sub-paragraph (b), for “£60” substitute “£78”;
(c) in sub-paragraph (c), for “£2,900” substitute “£3,763”.
3.—(1) Regulation 3(1) of the 2018 Regulations continues to have effect for a charge period without the amendments made by regulation 2 of these Regulations where—
(a) the charge period began within the period beginning with 18th February 2024 and ending immediately before these Regulations come into force, and
(b) the data controller has paid the charge to the Information Commissioner for that charge period.
(2) In paragraph (1), “ charge period” and “ data controller” have the same meanings as in the 2018 Regulations.
Chris Bryant
Minister of State
Department for Science, Innovation and Technology
22nd January 2025
(This note is not part of the Regulations)
The Data Protection (Charges and Information) Regulations 2018 ( S.I. 2018/480) (“ the 2018 Regulations”) set out the circumstances in which data controllers are required to pay a charge to the Information Commissioner. Regulation 2 of the 2018 Regulations requires a data controller to pay an annual charge to the Information Commissioner unless all of the processing by the data controller is exempt processing. Each annual period for which a charge must be paid is described as a “charge period”. Regulation 3 of the 2018 Regulations makes provision for the amount of the annual charge, prescribing three tiers of charges according to criteria relating to a data controller’s turnover and number of members of staff (or only members of staff, for a public authority). Charities and small occupational pension schemes are included in the lowest tier. The charge is reduced if a data controller pays the charge by direct debit.
These Regulations only make provision increasing the charges set out in the 2018 Regulations. The increases are less than the increase in the retail prices index since the 2018 Regulations were made.
Regulation 2 of these Regulations amends regulation 3(1) of the 2018 Regulations to increase the annual charges for each of the three tiers as described in regulation 3(2) of the 2018 Regulations. In particular—
(a) It increases the charge for tier 1 (micro organisations) from £40 to £52;
(b) It increases the charge for tier 2 (small and medium organisations) from £60 to £78;
(c) It increases the charge for tier 3 (large organisations) from £2,900 to £3,763.
Regulation 3 of these Regulations provides that the new charge does not apply for a charge period that is ongoing when these Regulations come into force if the data controller has already paid the fee for that charge period.
A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen.
S.I. 2018/480, amended by paragraph 421 of Schedule 19 to the Data Protection Act 2018 and S.I. 2019/478. The 2018 Regulations were made under sections 108(1) and (5) and 110(6) of the Digital Economy Act 2017 (c. 30). Those sections were subsequently repealed by paragraph 224 of Schedule 19 to the Data Protection Act 2018. The 2018 Regulations now have effect as if they were made under section 137 of the Data Protection Act 2018 (see paragraph 26 of Schedule 20 to that Act).