This article is more than 1 year old

Here's one obscure little EU data protection rule that would be good

Article 76 & Recital 112 of the GDPR should keep data controllers 'honest'

Those concerned with data protection and privacy have their work cut out in the UK.

On top of understanding what the General Data Protection Regulation (GDPR) and the Data Protection Directive in the field of law enforcement both mean in practice, this week saw the publication of:

  • the Investigative Powers Bill (which legitimises bulk personal data collection with, as far as I can see, little of the additional privacy protection demanded by two Parliamentary Committees);
  • proposals to allow general data sharing for the convenience of public bodies (often apparently without the consent of the data subject), and
  • PrivacyShield (an agreement which sounds like a deodorant and which aims to sanitise transfers of personal data to the USA).

I hope to comment on these proposals in due course, but ploughing through 250+ pages of surveillance legislation and 100+ pages of data sharing stuff is not going to be quick.

However, there is one proposal, lurking in the GDPR that should be implemented by the UK government as it does provide a real safeguard for data subjects. In my view, its implementation (or not) will be a litmus test as to how seriously all Member States (including the UK for the moment) want to protect the privacy of its citizens.

As I reported elsewhere, the minister responsible for GDPR implementation (Baroness Neville-Rolfe) has stated that the UK intends to use the maximum flexibility in order to minimise the impact of the GDPR on data controllers. I have counted 50+ provisions in the GDPR where Member States can implement such flexibility.

All I am saying is that if maximum flexibility is the official policy for data controllers then implementation of Article 76 and Recital 112 would be a necessary counter-balance for data subjects.

In further detail, Article 76(1) of the GDPR allows a data subject to enlist the help of an expert consumer/data subject rights organisation to help them with their case. Article 76(2) then states that:

Member States may provide that any body, organisation or association …. independently of a data subject's mandate, shall have in such Member State the right to lodge a complaint with the supervisory authority … if it considers that the rights of a data subject have been infringed as a result of the processing of personal data that is not in compliance with this Regulation.

This is augmented by Recital 112 which describes the “any body, organisation or association” as being of….:

“…non-profit making character, whose statutory objectives are in the public interest and which is active in the field of the protection of personal data and is constituted according to the law of a Member State”.

Recital 112 then adds:

“Member States may provide that such a body, organisation or association should have the right to lodge, independently of a data subject's mandate, in such Member State a complaint, and/or have the right to an effective judicial remedy where it has reasons to considers that the rights of a data subject have been infringed as a result of the processing of personal data which is not in compliance with this Regulation”.

Since Article 8(1) of the “Charter of Fundamental Rights of the European Union 2000” states that “Everyone has the right to the protection of personal data concerning him or her”, I think the rights in the GDPR relate to most of the GDPR. Compliance with the GDPR could be tested independently of a complaint from a data subject.

So will data controllers welcome the likes of Which?, Privacy International, Open Rights Group and Liberty etc independently taking action to protect the privacy rights of data subjects?

The reasons why this would not be welcome is exactly the reason why it should be implemented; especially as UK policy is to maximise flexibility to modify the impact of GDPR provisions.

As the headline says: Article 76 and Recital 112 should help keep data controllers "honest".


We also have a BCS DP Practitioner Qualification (starting in London on April 12 and in Edinburgh on April 25). BCS DP Foundation Certificate (starting in London on March 15-17).

We hold GDPR Regulation Workshops in London (May 23), Edinburgh (May 20) and Douglas (IoM; May 5); details of all our DP/FOI/CISMP courses in Leeds, London and Edinburgh are accessible by clicking the relevant buttons on the Amberhawk home page: (or from as we are upgrading our website). ®


Blog of 19/1/2016: “Data Protection Regulation Update: precise implementation depends on exceptions and Recitals”

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

More about


Send us news

Other stories you might like