Regulation 9(4) of the Implementing Regulations requires "every controller and processor to which the applied GDPR applies to comply with the registration requirements in Schedule 7".
All controllers and processors must have an entry in the register maintained by the Commissioner if personal data is processed wholly or partly by automated means which includes, for example, where personal data is processed through the use of email, SMS, applications, websites, processing of documents, spreadsheets, CCTV or other surveillance equipment such as body-worn video, vehicle tracking, etc. There are only limited exemptions from the registration requirements.
In addition, where a controller or processor designates a data protection officer, the details of that person must be communicated to the Commissioner. There is no exemption from that obligation. It is unlikely that a controller or processor will be exempt from registration if a data protection officer is required and the details can, therefore, be communicated via the registration process.
|Find out if registration and/or a fee is required|
Validity of register entry
For an initial entry, controllers and processors must complete the "Application for inclusion in the register of controllers and processors".
An entry in the register can only be made when that application form has been submitted to the Commissioner together with the relevant application fee and will be valid for 12 months from the date of receipt.
Retention of register entry
Entries will only be retained in the register if the "Application for retention in the register of controllers and processors" is completed and submitted, together with the relevant retention fee, on or before the expiration date of the entry.
If the expiration date passes and there continues to be a registration requirement, the controller or processor must submit a new "Application for inclusion in the register of controllers and processors" together with the relevant application fee.
Completeness and accuracy of register entry
The information required for the register is known as the 'registrable particulars' and any changes to the registrable particulars must be notified to the Commissioner as soon as possible, but within 28 days of the change occurring.
Controllers and processors commit an offence if they contravene:
- Implementing Regulations, Paragraph 2 of Schedule 7 - Prohibition on processing without registration
- Implementing Regulations, Paragraph 12 of Schedule 7 - Duty to notify changes
These offences carry fines of up to £10,000. In addition, directors, etc. may also be personally liable for offences, by virtue of regulation 143 of the Implementing Regulations.