answer text |
<p>Organisations seeking to use cookies and similar technologies that track information
about people accessing online services have to comply with the Privacy and Electronic
Communications Regulations 2003 (PECR), the UK General Data Protection Regulation
(UK GDPR) and the Data Protection Act 2018 (DPA). Subject to relevant exemptions,
any use of cookies and similar technologies requires the provision of clear and comprehensive
information as well as the consent of the user or subscriber.</p><p>The legislation
does not expressly prohibit or permit the selling and sharing of people’s data, but
regulates the circumstances in which data sharing can take place. The ICO has published
a statutory Code of Practice on data sharing which contains practical guidance for
organisations on how to share data fairly and lawfully, and how to meet their accountability
obligations. The Code is available <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-a-code-of-practice/"
target="_blank">here</a>.</p><p>The ICO has a number of powers to tackle the unlawful
processing of personal data, including the power to serve enforcement notices requiring
organisations to stop the processing or to erase the data, and the power to serve
civil monetary penalties. The ICO can also investigate and prosecute criminal offences
under the DPA. Those guilty of such offences can be subject to unlimited fines in
the courts.</p>
|
|