One of our clients recently asked this ‘easy’ question.
“We are a limited company but the firm is 100% owned by a holding company. We have received a letter from the ICO asking us to register the holding company.
Does the holding company need to register – it will not be controlling or processing data?”
While the question is undoubtedly easy, the answer is not so straightforward!
Whether the holding company needs to be registered or not depends entirely on whether they process personal information.
‘Processing’ means doing any of the following with the information:
- obtaining it;
- recording it;
- storing it;
- updating it; and
- sharing it
‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them. So, in order to identify whether the firm needs to register, first it is necessary for the firm to assess whether it is in fact undertaking any of the processing actions listed above. If not then the holding company does not need to be registered but would certainly need to inform the ICO that they do not intend to register and on what grounds.
Why is the ICO writing to firms?
This all stems from a mass mailing exercise that the ICO embarked upon in December 2019. You can read about it here.
This page includes a link to a ‘form’ that enables companies to advise why they believe they are exempt. The exemptions are listed in the Data Protection Act 2018 schedule.
In the case of a holding company, clause 2f is the most likely candidate for justifying an exemption:
“subject to sub-paragraph (4), for the purposes of—
(i)keeping accounts, or records of purchases, sales or other transactions
(ii)deciding whether to accept any person as a customer or supplier, or
(iii)making financial or financial management forecasts, in relation to any activity carried on by the data controller”
The problem is that the ICO’s page says “if you hold personal information for business purposes on any electronic device…it is likely an annual fee payment is due”. It is not clear what this is based upon as it could be argued that it effectively negates many of the exemptions.
So the firm has two options:
- either inform the ICO that they are claiming exemption or
- pay the fee and be done with it
Many firms in a similar position might well decide to simply register and pay the fee. This could be a pragmatic and sensible response as failure to pay the fee in circumstances where no exemption applies can lead to a penalty of up to £4350.