General Data Protection Regulation (UK GDPR)
The UK GDPR is the implementation of the EU GDPR in the UK post-Brexit. It lays down rules relating to the protection of personal data and protects fundamental rights and freedoms of the individual.
Privacy & Electronic Communications Regulations 2003 (PECR)
E-privacy legal framework in the UK, PECR 2003 (as amended) relates to the provision and use of electronic services.
PECR controls the way VisitScotland deploys electronic communication methods. It covers the use of telephone, email and messaging services for direct marketing purposes.
PECR makes sure that data protection and privacy safeguards have been put in place to support privacy respectful communication.
It also governs the way certain types of electronic tracking and measurement systems work.
To be clear, the legislation that controls the use of tracking systems such as cookies or pixels on websites and apps (and is the reason for the use of methods to manage the use of such trackers such as cookie banners) is PECR, not GDPR.
Data Protection Act 2018 (DPA)
The primary legislation for data protection in the UK, it repealed and replaced the Data Protection Act 1998. It should be read alongside the UK GDPR.
Freedom of Information (Scotland) Act 2002 (FOISA)
The Freedom of Information (Scotland) Act 2002. This legislation gives access to information held by Scottish public sector authorities.
Data Use & Access Act 2025
Data (Use and Access) Act 2025.
The UK GDPR (General Data Protection Regulation) gives you rights over how your personal data is used. VisitScotland respects your rights and our data protection officer is responsible for supporting you in the exercise of those rights.
The right to be informed
You have the right to be informed about how VisitScotland will use your personal data. You will find a privacy notice is published wherever we collect personal data so you can make an informed decision about whether or not to share your data with us. We also make privacy notices and processing information available to you. Find out more about our privacy notices.
When we collect personal data directly from you we are obliged to be transparent about:
- the identity of the data controller (whether or not the data controller is VisitScotland)
- the contact details of our data protection officer, for more information go to our contact our data protection and legal team page
- the purpose(s) of processing for which your personal data are intended
- the lawful basis of processing
- if we use “legitimate interest” as the lawful basis for processing, we must be clear about exactly what the legitimate interests pursued by VisitScotland or a third party are
- we must tell you about the recipients or categories of recipient of your personal data if we are sharing such data with another party
- we must tell you if we intend to transfer your personal data to a, “3rd country” or an international organisation, together with the existence of an “adequacy decision” or appropriate safeguards (This is known by the UK ICO as a “restricted transfer” of personal data). We must also tell you where you can obtain a copy of the adequacy decision or safeguards should you wish to inspect them.
We must also ensure fair and transparent processing by telling you:
- how long we intend to keep your personal data, or explain the criteria used to determine that period
- about the existence of your data protection rights, including the right to lodge a complaint with a statutory authority
- that where we use consent as the lawful reason for processing, you have the right to withdraw consent at any time. Further, when we use consent as the legal basis for processing, we must be clear about the consequences if you choose not to provide your consent. Note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of a failure to do so
- about your rights with regard to any use on our part of automated decision-making or profiling. Including your right to access meaningful information about the logic involved, as well as the significance and envisaged consequences on you as the data subject.
- if VisitScotland intends to make further use of your personal data for a purpose other than that for which it was collected, we will provide you with information about that new purpose before we start the processing activity
- if we make use of your personal data which was not collected directly from you, we must tell you where it came from within a reasonable period after obtaining the personal data. This time period can be no later than one month after we obtained the personal data.
The right of access
You have the right to access the information about you which is held by VisitScotland. You can do this by completing a data subject access request (DSAR) form.
Complete a data subject access request (DSAR) form.
Note that as the data controller, VisitScotland is obliged to verify your identity before we can share any information with you. This is an important part of respecting not just your right to privacy, but also the rights of other individuals about whom we keep personal data.
VisitScotland has a procedure for Data Subject Access Requests which we follow in all cases. This procedure verifies the nature of your request and your identity or, in the case of a representative acting on your behalf, their authority to do so.
The procedure is designed to provide you with a suitable response within one month of verifying your identity and the nature of your request.
The right to rectification
If the personal data we hold about you is incorrect or contains an error, you have the right to have us correct our records. The data protection officer will assist you in this regard.
The right to erasure
Under certain circumstances you have the right to erasure. This is sometimes referred to as the "right to be forgotten" and involves VisitScotland removing, at your request, all data referring to you as an individual from our records.
Note that this is not an absolute right and there are circumstances in which the right to erasure does not apply and we may decline such a request. If this is the case we will tell you why.
The right to restrict processing
You have the right to ask us to "restrict processing". This means you can have us stop or cease a particular use of your personal data.
For example, you can use this right to prevent us from deleting personal data you might wish to be held as evidence, have us cease sending a particular type of communication, or prevent the use of your personal data until an error has been corrected.
The right to data portability
In certain circumstances you have the right to have VisitScotland make your personal data available to you in a "machine readable format" for transfer to another service provider.
The right to object
When the VisitScotland lawful reason for processing your personal data is based on either our Public Task / Official Authority or Legitimate Interest, you have the right, based on your own circumstances, to object to such processing.
When you object VisitScotland must stop processing your personal data unless compelling legitimate grounds to continue processing can be provided.
These grounds must be shown to override your interests, rights and freedoms as the data subject, or be for the establishment, exercise or defence of a legal claim.
Rights in relation to automated decision making and profiling
You have the right not to be subject to a decision based solely on automated decision making, including profiling, which produces legal effects concerning you personally, or which would significantly affect you.
This right does not apply if the decision making is necessary for entering into a contract between you as the data subject and VisitScotland as the controller; is authorised by UK law, or; is based on your explicit consent.
You also have rights to:
- make a complaint to a supervisory authority in the UK (the ICO) about the way we use your personal data
- an effective judicial remedy against a supervisory authority (the ICO in the UK)
- an effective judicial remedy against a controller or processor
- compensation and liability
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes.
Data minimisation
Personal data collected must be adequate, relevant, and limited to what is necessary to achieve the purposes for which they are processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Storage limitation
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose of processing.
Personal data may be stored for longer periods if the processing is solely for archiving purposes in the public interest, scientific, or historical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
VisitScotland, as the controller shall be responsible for, and be able to demonstrate compliance with the data protection principles noted above.
The GDPR says that "personal data" "means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person* is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
*A natural person is a private individual as opposed to a legal person which is a company or organisation.
The data subject is the individual the data relates to or is about. This may be you. At VisitScotland, we keep a list of categories of data subject to help us be clear about the nature of the personal data we collect and use.
When we use personal data at VisitScotland we must always have an appropriate "lawful reason for processing". We will sometimes refer to this as the "legal basis". The UK GDPR provides for the following six lawful reasons for processing:
Consent
(UK GDPR Article 6/1/a)
The data subject has given consent to the processing of their personal data for one or more purposes. In order for such consent to be valid, information relating to it must be presented:
- in a manner clearly distinguishable from other matters
- in an intelligible and easily accessible form
- using clear and plain language
Further, consent must be:
- freely given and that consent can be easily withdrawn at any time
Performance of a contract
(UK GDPR Article 6/1/b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation
(UK GDPR Article 6/1/c)
Processing is necessary for compliance with a legal obligation to which the controller is subject. In this regard, the UK GDPR respects the requirements of other laws. If a certain activity is necessary to comply with a law, VisitScotland will choose to use this lawful reason for processing.
To protect the vital interests of the data subject or another person
(UK GDPR Article 6/1/d)
Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller ("Public Task")
(UK GDPR Article 6/1/e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The official authority of VisitScotland in this regard is defined by the Development of Tourism Act 1969. Other Acts of Parliament (Scottish or UK) may provide additional authority for certain activities.
Legitimate interest
(UK GDPR Article 6/1/f)
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The UK GDPR prohibits the processing of personal data revealing:
- national or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
The UK GDPR also prohibits the processing of:
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation
Unless one of the following exemptions applies:
- the data subject has given their explicit consent to the processing of their personal data for one or more specified purposes (UK GDPR Article 9/2/a)
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller, or of the data subject, in the field of employment and social security and social protection law (UK GDPR Article 9/2/b)
- processing is necessary to protect the vital interests of the data subject where they are physically or legally incapable of giving consent (UK GDPR Article 9/2/c)
- processing relates to personal data which are manifestly made public by the data subject (UK GDPR Article 9/2/d)
- processing is necessary for the establishment, exercise or defence of legal claims or wherever the courts are acting in their judicial capacity (UK GDPR Article 9/2/e)
- processing is necessary for reasons of substantial public interest (UK GDPR Article 9/2/f)
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care treatment or the management of health or social care systems (UK GDPR Article 9/2/g)
- processing is necessary for reasons of public interest in the area of public health (UK GDPR Article 9/2/h)
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (UK GDPR Article 9/2/i)
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (UK GDPR Article 9/2/j)
When VisitScotland shares your personal data with another party, we will always ensure an appropriate contract or data sharing agreement is in place between the parties before any personal data is shared.
The purpose of such an agreement is to define responsibilities and hold both parties accountable to uphold data protection principles and rights when processing the personal data involved.
The transfer of personal data outside the UK is known as a “restricted transfer”.
VisitScotland sometimes needs to make use of data processors or share personal data with other controllers who are not located in the UK or the EEA.
When this happens, the UK GDPR requires us to make sure that the personal data is processed to similar standards of protection, privacy and rights as are found in the UK.
In practice, this means that such transfers of personal data will only be carried out by VisitScotland if the transfer is subject to one of the following safeguards:
- an "Adequacy" decision for the receiving country, granted by the EU
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- EU/US Data Protection Framework (DPF) as modified for the UK
VisitScotland follows an established procedure to ensure that one of these safeguards will be in place prior to the restricted transfer taking place.
A Data Protection Impact Assessment is prepared by VisitScotland in situations where a proposed processing activity might result in harm to a data subject.
The purpose of this type of risk assessment is to identify how the proposed processing activity will work, to identify associated risks and the means to tackle, reduce or mitigate them.
Think of this as a “pre-flight check” for processing activities. All new processing activities are subject to a series of screening questions which help us to decide if a full DPIA is required.
A Legitimate Interest Assessment is prepared for all cases where VisitScotland intends to make use of the "Legitimate Interest" lawful reason for processing.
The completed LIA presents VisitScotland’s approach to the processing. The accompanying balancing test considers the position and expectations of the affected data subjects.
It is used to inform the decision whether to proceed with the use of the legal basis to support the processing activity. A copy is retained to demonstrate our accountability for the decision.
In the UK, the use of Artificial Intelligence (AI) and Generative AI (GenAI), in the context of any personal data involved and for the purposes of VisitScotland, is governed primarily by the UK GDPR.
This means that VisitScotland is responsible for the observation of the data protection principles and upholding the rights contained in the UK GDPR, whenever AI or Generative AI is used in the processing of personal data.
VisitScotland accountability for the use of AI with personal data extends to AI technologies which might be deployed by suppliers and vendors on our behalf.
VisitScotland maintains and regularly updates a list of vendors and suppliers who are contracted as processors to VisitScotland as the controller in terms of the UK GDPR.
Technical and organisational security measures (sometimes shortened to "TOMS") describe how VisitScotland controls the use of and access to systems and storage points containing personal data.
Sometimes when we explain our use of various technical or organisational measures we are obliged to be careful how we describe them. We don’t want to give too much detail away to the wrong people. After all, this is the security of your personal data we’re talking about.
Which means we might give a general or overall description, where you may be expecting a more detailed document. You will appreciate that in some circumstances there is only so much detail we can offer.