7 Min Read

Data Protection: Scottish Courts consider interpretation of Schedule 2 of the DPA 2018

Read more

By Louise Gallagher & Katie Anderson


Published 23 March 2023


This recent decision of Courtney Timothy Riley v The Student Housing Company (ops) Limited saw the Scottish Courts being asked to interpret the exemptions to Articles 5(1)(a) and 5(1)(b) of the UK GDPR. The Pursuer (Claimant) alleged that there had been a breach of the Defender’s duty to process his personal data lawfully and fairly, and for specified and legitimate purposes. The Defender argued that the exemptions in Schedule 2 of the 2018 Act applied, as any disclosures it made were made in connection with legal proceedings and for the purpose of defending legal rights.

The facts

The facts of the case were rather unusual. The Pursuer had been an employee of the Defender. His contract of employment was terminated in December 2019. Another employee, Mr A, raised employment tribunal proceedings against the Defender. Mr A made a number of allegations of wrongdoing by the Defender, many of which concerned the Pursuer’s conduct towards him during the course of his employment, including the use of derogatory and discriminatory language.

Mr A’s case proceeding to an Employment Tribunal hearing and the decision of the Tribunal was reported in March 2022. Mr A’s claim was successful and he was awarded compensation. The Pursuer was named 162 times in the Tribunal’s decision. The decision was reported in the press, with the Pursuer being described as having made ‘vile jibes’ about Mr A. 

The Pursuer claimed that the Defender processed his personal data while defending the employment tribunal proceedings. He claimed that the Defender should have told him about the employment tribunal proceedings; provided him with copies of the tribunal bundles; asked him to comment on the allegations that had been made against him;  and invited him to provide a witness statement to be put to the employment tribunal. The Pursuer claimed that the Defender’s failure to take these steps constituted a breach of its duty to process his personal data fairly and transparently, in terms of Article 5(1)(a). The sum sued for was £75,000. He claimed for distress and anxiety under the 2018 Act, and also claimed that his employment prospects had been impacted.

Parties’ arguments

The Pursuer argued that the Defender had breached its duties under the UK GDPR. He argued that the exemption would only take effect if the data controller could not otherwise comply with the listed provisions.

The Defender argued that it was not necessary for a data controller to demonstrate that it was impossible to comply with the provisions to rely on the exemption, otherwise the exemption would serve no purpose.

The Court’s decision

The matter proceeded to a diet of debate on the legal arguments, with the Defender inviting the Court to strike out the Pursuer’s claim before proof (trial). The core issue for the Court was the interpretation of Paragraph 5(3) of Schedule 2, which states that the listed GDPR provisions do not apply: “to the extent that the application of those provisions would prevent the controller from making the disclosure.”

The Court observed that “The rationale for the exemption contained in Paragraph 5(3) of Schedule 2 appears to be that a party’s duties as a data controller should not fetter its discretion to conduct litigation as it sees fit in pursuance of the vindication of its legal rights, or impinge on its right to a fair trial in terms of Article 6 of ECHR. It is because of the potential for tension to arise between these considerations that the exemption is necessary.”

The Court accepted the Defender’s submissions and dismissed the Pursuer’s claim. The purpose of the exemption is to ensure that a litigant’s duties as a data controller do not impinge on its right to a fair trial.


There are a number of interesting takeaways from this decision:

  • Data controllers will be pleased to see the Court affirming that the effect of Paragraph 5(3) of Schedule 2, if it applies, is to exempt them from having to comply with the provisions of Articles 5(1)(a) and (b). Data controllers do not have to show that it is impossible to comply with the provisions for the exemption to apply. Had the Court decided with the Pursuer, this would have potentially had far reaching consequences, and put additional, onerous burdens on data controllers.
  • The Court determined that the Pursuer had not given enough specification in his written case as to what ‘personal data’ he said had been processed. He therefore could not prove that the Defender had breached its duties or that he had suffered damage as a result.
  • The Court was not referred to authority on the interpretation of Article 82 (right to compensation). The Court carried out its own exercise in interpretation, and held that it is for a Pursuer to prove causatione. the Pursuer must prove that the breach caused the anxiety and/or distress.
  • The Defender also argued that Mr A made the disclosures in the first instance, and placed them in the public domain. The Court accepted this argument and held that the Pursuer had failed to argue a relevant case on causation.
  • In relation to quantum, the Pursuer claimed for £75,000, but provided no breakdown or specification. The Court was critical of the Pursuer’s failure to specify the nature or severity of symptoms. The Court held that it may have been possible to advance a claim for loss of employability, but in the absence of detailed averments, any award would have been modest.

This is one of the few reported decisions of the Courts in Scotland on the interpretation of the UK GDPR. Had the case been decided in favour of the Pursuer, the consequences could have been significant and far reaching. This is a welcome decision for Data Controllers and gives some insight into the level of detail the Scottish Courts will expect to see in pleadings in such claims.

A link to the decision can be found here.