General Data Protection Regulation (UK GDPR)
The UK GDPR is the implementation of the EU GDPR in the UK post-Brexit. It lays down rules relating to the protection of personal data and protects fundamental rights and freedoms of the individual.
The Privacy and Electronic Communications Regulations 2003 (PECR, as amended) are the UK's e-privacy legal framework and relate to the provision and use of electronic communications services.
PECR controls the way VisitScotland deploys electronic communication methods. It covers the use of telephone, email and messaging services for direct marketing purposes.
PECR makes sure that data protection and privacy safeguards have been put in place to support privacy-respecting communication.
It also governs the way certain types of electronic tracking and measurement systems work.
To be clear, the legislation that controls the use of tracking technologies such as cookies or pixels on websites and apps (and is the reason for consent mechanisms such as cookie banners) is PECR, not the UK GDPR. The UK GDPR still applies to any personal data those trackers collect once it is processed.
The Data Protection Act 2018 is the primary legislation for data protection in the UK; it repealed and replaced the Data Protection Act 1998. It should be read alongside the UK GDPR.
The Freedom of Information (Scotland) Act 2002. This legislation gives access to information held by Scottish public sector authorities.
Data (Use and Access) Act 2025.
The UK GDPR (General Data Protection Regulation) gives you rights over how your personal data is used. VisitScotland respects your rights and our data protection officer is responsible for supporting you in the exercise of those rights.
You have the right to be informed about how VisitScotland will use your personal data. A privacy notice is published wherever we collect personal data so you can make an informed decision about whether or not to share your data with us. We also make privacy notices and processing information available to you on request. Find out more about our privacy notices.
When we collect personal data directly from you we are obliged to be transparent about:
We must also ensure fair and transparent processing by telling you:
You have the right to access the information about you which is held by VisitScotland. You can do this by completing a data subject access request (DSAR) form.
Note that as the data controller, VisitScotland is obliged to verify your identity before we can share any information with you. This is an important part of respecting not just your right to privacy, but also the rights of other individuals about whom we keep personal data.
VisitScotland has a procedure for Data Subject Access Requests which we follow in all cases. This procedure verifies the nature of your request and your identity or, in the case of a representative acting on your behalf, their authority to do so.
The procedure is designed to provide you with a suitable response within one month of verifying your identity and the nature of your request.
If the personal data we hold about you is incorrect or contains an error, you have the right to have us correct our records. The data protection officer will assist you in this regard.
Under certain circumstances you have the right to erasure. This is sometimes referred to as the "right to be forgotten" and involves VisitScotland removing, at your request, all data referring to you as an individual from our records.
Note that this is not an absolute right and there are circumstances in which the right to erasure does not apply and we may decline such a request. If this is the case we will tell you why.
You have the right to ask us to "restrict processing". This means you can require us to stop a particular use of your personal data while continuing to store it.
For example, you can use this right to prevent us from deleting personal data you might wish to be held as evidence, have us cease sending a particular type of communication, or prevent the use of your personal data until an error has been corrected.
In certain circumstances (where the processing is carried out by automated means on the basis of your consent or a contract with you) you have the right to have VisitScotland make your personal data available to you in a "machine readable format" for transfer to another service provider.
When VisitScotland's lawful reason for processing your personal data is either our Public Task / Official Authority or Legitimate Interest, you have the right, on grounds relating to your particular situation, to object to such processing.
When you object, VisitScotland must stop processing your personal data unless we can demonstrate compelling legitimate grounds for continuing.
These grounds must be shown to override your interests, rights and freedoms as the data subject, or be for the establishment, exercise or defence of a legal claim. Where your personal data is processed for direct marketing, the right to object is absolute and we must stop that processing on request.
You have the right not to be subject to a decision based solely on automated decision making, including profiling, which produces legal effects concerning you personally, or which would significantly affect you.
This right does not apply if the decision making is necessary for entering into a contract between you as the data subject and VisitScotland as the controller; is authorised by UK law; or is based on your explicit consent.
Personal data must be processed lawfully, fairly and in a transparent manner.
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes.
Personal data collected must be adequate, relevant, and limited to what is necessary to achieve the purposes for which they are processed.
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose of processing.
Personal data may be stored for longer periods if the processing is solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
VisitScotland, as the controller, is responsible for, and must be able to demonstrate, compliance with the data protection principles noted above. This is known as the accountability principle.
The UK GDPR says that "personal data" "means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person* is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
*A natural person is a private individual as opposed to a legal person which is a company or organisation.
The data subject is the individual the data relates to or is about. This may be you. At VisitScotland, we keep a list of categories of data subject to help us be clear about the nature of the personal data we collect and use.
When we use personal data at VisitScotland we must always have an appropriate "lawful reason for processing". We will sometimes refer to this as the "legal basis". The UK GDPR provides for the following six lawful reasons for processing:
Consent (UK GDPR Article 6(1)(a))
The data subject has given consent to the processing of their personal data for one or more purposes. In order for such consent to be valid, information relating to it must be presented:
Further, consent must be:
Contract (UK GDPR Article 6(1)(b))
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (UK GDPR Article 6(1)(c))
Processing is necessary for compliance with a legal obligation to which the controller is subject.
In this regard, the UK GDPR respects the requirements of other laws. If a certain activity is necessary for us to comply with a law, VisitScotland will use this lawful reason for processing.
Vital interests (UK GDPR Article 6(1)(d))
Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Public task / official authority (UK GDPR Article 6(1)(e))
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The official authority of VisitScotland in this regard is defined by the Development of Tourism Act 1969. Other Acts of Parliament (Scottish or UK) may provide additional authority for certain activities.
Legitimate interests (UK GDPR Article 6(1)(f))
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The UK GDPR prohibits the processing of personal data revealing:
The UK GDPR also prohibits the processing of:
Unless one of the following exemptions applies:
When VisitScotland shares your personal data with another party, we will always ensure an appropriate contract or data sharing agreement is in place between the parties before any personal data is shared.
The purpose of such an agreement is to define each party's responsibilities and to hold both parties accountable for upholding data protection principles and rights when processing the personal data involved.
The transfer of personal data outside the UK is known as a “restricted transfer”.
VisitScotland sometimes needs to make use of data processors or share personal data with other controllers who are not located in the UK or the EEA.
When this happens, the UK GDPR requires us to make sure that the personal data is processed to similar standards of protection, privacy and rights as are found in the UK.
In practice, this means that such transfers of personal data will only be carried out by VisitScotland if the transfer is subject to one of the following safeguards:
VisitScotland follows an established procedure to ensure that one of these safeguards will be in place prior to the restricted transfer taking place.
A Data Protection Impact Assessment (DPIA) is prepared by VisitScotland where a proposed processing activity is likely to result in a high risk to the rights and freedoms of individuals, including any risk of harm to a data subject.
The purpose of this type of risk assessment is to describe how the proposed processing activity will work, to identify the associated risks, and to set out the means to tackle, reduce or mitigate them.
Think of this as a “pre-flight check” for processing activities. All new processing activities are subject to a series of screening questions which help us to decide if a full DPIA is required.
A Legitimate Interest Assessment is prepared for all cases where VisitScotland intends to make use of the "Legitimate Interest" lawful reason for processing.
The completed LIA presents VisitScotland’s approach to the processing. The accompanying balancing test considers the position and expectations of the affected data subjects.
It is used to inform the decision whether to proceed with the use of the legal basis to support the processing activity. A copy is retained to demonstrate our accountability for the decision.
In the UK, where VisitScotland uses Artificial Intelligence (AI) or Generative AI (GenAI) to process personal data, that use is governed primarily by the UK GDPR.
This means that VisitScotland is responsible for the observation of the data protection principles and upholding the rights contained in the UK GDPR, whenever AI or Generative AI is used in the processing of personal data.
VisitScotland's accountability for the use of AI with personal data extends to AI technologies deployed by suppliers and vendors on our behalf.
VisitScotland maintains and regularly updates a list of vendors and suppliers who are contracted as processors to VisitScotland as the controller in terms of the UK GDPR.
Technical and organisational security measures (sometimes shortened to "TOMS") describe how VisitScotland controls the use of and access to systems and storage points containing personal data.
Sometimes when we explain our use of various technical or organisational measures we are obliged to be careful how we describe them. We don’t want to give too much detail away to the wrong people. After all, this is the security of your personal data we’re talking about.
This means we may give a general or overall description where you might expect a more detailed document. You will appreciate that in some circumstances there is only so much detail we can offer.