UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security - DataBreaches.Net

"The Court ruled that a controller's data security duty applies to all personal data for which it acts as controller - irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker)."
"The Court of Appeal confirmed that a controller's duty to implement appropriate measures to protect personal data applies to data that is "personal" from the perspective of the controller - even if a third-party attacker could not identify individuals from the exfiltrated dataset."
"Whether data is "personal" can depend on the context, while a controller's obligations (such as transparency) must be assessed from the controller's perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data)."
The UK Court of Appeal in DSG Retail Limited v The Information Commissioner established that controllers must protect personal data based on their own perspective, not on whether external parties like attackers could identify individuals from exfiltrated datasets. The ruling clarifies that data security obligations apply to information classified as personal data by the controller, even if third parties cannot identify subjects from that data. This decision aligns with established jurisprudence confirming that data classification depends on context and that controller obligations must be assessed from the controller's perspective at the relevant time.