On 19 February 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner, ruling that a controller’s data security duty applies to all personal data for which it acts as controller, irrespective of whether the information would constitute personal data in the hands of a third party. The case is set against the pre-GDPR context, with the legal framework provided by the UK Data Protection Act 1998, though the Court also considered more recent jurisprudence.
The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data extends to data that is “personal” from the controller’s perspective, even if a third-party attacker could not identify individuals from the exfiltrated dataset. This aligns with the SRB v EDPS clarification that whether data is “personal” can depend on the context, while a controller’s obligations, such as transparency, must be assessed from the controller’s viewpoint at the relevant time. The Inside Privacy article notes these contextual considerations and their relevance to the transparency principle.