ESR 2000 Data Protection

Data Protection

5.—(1) A certification-service-provider who issues a certificate to the public and to whom this paragraph applies in accordance with paragraph (6) below—

(a) shall not obtain personal data for the purpose of issuing or maintaining that certificate otherwise than directly from the data subject or after the explicit consent of the data subject, and

(b) shall not process the personal data referred to in sub-paragraph (a) above—

(i) to a greater extent than is necessary for the purpose of issuing or maintaining that certificate, or

(ii) to a greater extent than is necessary for any other purpose to which the data subject has explicitly consented,

unless the processing is necessary for compliance with any legal obligation, to which the certification-service-provider is subject, other than an obligation imposed by contract.

(2) The obligation to comply with paragraph (1) above shall be a duty owed to any data subject who may be affected by a contravention of paragraph (1).

(3) Where a duty is owed by virtue of paragraph (2) above to any data subject, any breach of that duty which causes that data subject to sustain loss or damage shall be actionable by him.

(4) Compliance with paragraph (1) above shall also be enforceable by civil proceedings brought by the Crown for an injunction or for an interdict or for any other appropriate relief or remedy.

(5) Paragraph (4) above shall not prejudice any right that a data subject may have by virtue of paragraph (3) above to bring civil proceedings for the contravention or apprehended contravention of paragraph (1) above.

(6) Paragraph (1) above applies to a certification-service-provider in respect of personal data only if the certification-service-provider is established in the United Kingdom and the personal data are processed in the context of that establishment.

(7) For the purposes of paragraph (6) above, each of the following is to be treated as established in the United Kingdom—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or in any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within sub-paragraph (a), (b) or (c) above but maintains in the United Kingdom—

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice.

(8) In this regulation—

“data subject” and “personal data” and “processing” shall have the same meanings as in section 1(1) of the Data Protection Act 1998(1), and

“obtain” shall bear the same interpretation as “obtaining” in section 1(2) of the Data Protection Act 1998.


About martin smith

A degree in Engineering Management, who is just trying to make life a bit easier for anyone who wishes to read these articles.
