Data Protection Act 2018

Corrective powers of Commission (Chapter 3)

127. (1) The Commission may, for the purposes of sections 124 (3) and 125 (3), do one or more than one of the following:

(a) issue a warning to the controller or processor that intended data processing is likely to infringe a relevant provision;

(b) issue a reprimand to the controller or processor where data processing by the controller or processor has infringed a relevant provision;

(c) order the controller or processor to comply with a data subject’s request to exercise his or her rights under a relevant provision;

(d) order the controller or processor to bring processing into compliance with a relevant provision, in a specified manner and within a specified period;

(e) order the controller to communicate a personal data breach to data subjects;

(f) impose a temporary or definitive limitation, including a ban on processing;

(g) impose a restriction on processing by the controller or processor;

(h) order the suspension of data transfers to a recipient in a third country or to an international organisation.

(2) Without prejudice to the generality of sections 124 (2)(b) and 125 (2)(b), the Commission may, for the purposes of exercising a power specified in subsection (1), serve on the controller or processor concerned an enforcement notice requiring it to take such steps as the Commission considers necessary for those purposes.