Visitor Levy Bill: data protection impact assessment

3. Data Controllers

Organisation

Local authority

Activities

The controller may collect and process personal data as part of a register of accommodation providers, used to assess liability of a VL, and for any enforcement actions relating to payment of a VL.

The controller may also collect and process personal data during its administration of any national and local exemptions to the levy.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

N/A – there is no requirement in the Bill for controllers to process special category data.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018

N/A

Legal gateway for any sharing of personal data between organisations

N/A - The Bill will create a power for a local authority to request information from accommodation providers, where that information is reasonably required for the purposes of checking liability for a VL. We do not expect this information to include personal data. Guidance developed with local government and the tourist industry will seek to establish proportionality and best practice in relation to the processing of personal data by local authorities.

Organisation

Accommodation Provider

Activities

Accommodation providers will already be data controllers in respect of their day to day record keeping activities by collecting and processing guests' data (name, address, contact details). However, there is no requirement for an accommodation provider to process or share personal data with a local authority for the purposes of collecting and remitting a VL.

The controller may also collect and process personal data in regard to any record keeping for any local exemptions to a VL, as designated by the local authority. This would be up to the local authority to determine.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

No

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

N/A – there is no requirement in the Bill for controllers to process special category data.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018

N/A

Legal gateway for any sharing of personal data between organisations

N/A - The Bill will create a power for local authorities to request information from accommodation providers, where that information is reasonably required for the purposes of checking liability for a VL. We do not expect this information to include personal data. Guidance developed with COSLA and the tourist industry will seek to establish proportionality and best practice in relation to the processing of personal data by local authorities.