acthub.
In forceCurrent
PDF XML Source

Data Protection Act 2018

Sections936AmendmentsCases SoonExplanatory Notes Soon
Version
Compare with

Data Protection Act 2018

2018 c. 12

An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner's functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes.

Enacted[23rd May 2018]
Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—C23C21C13C20C18C11C12C28

PART 1 Preliminary

I8751 Overview

1 This Act makes provision about the processing of personal data.
2 Most processing of personal data is subject to the UK GDPR.
3 Part 2 supplements the UK GDPR.
4 Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes F451....
5 Part 4 makes provision about the processing of personal data by the intelligence services (and certain processing carried out by competent authorities jointly with the intelligence services).
6 Part 5 makes provision about the Information Commissioner.
7 Part 6 makes provision about the enforcement of the data protection legislation.
8 Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

I9542 Protection of personal data

1 The UK GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
a requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,
b conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
c conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
F1582 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I8963 Terms relating to the processing of personal data

1 This section defines some terms used in this Act.
2 Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
3 Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to—
a an identifier such as a name, an identification number, location data or an online identifier, or
b one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
4 Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—
a collection, recording, organisation, structuring or storage,
b adaptation or alteration,
c retrieval, consultation or use,
d disclosure by transmission, dissemination or otherwise making available,
e alignment or combination, or
f restriction, erasure or destruction,
(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).
5 Data subject” means the identified or identifiable living individual to whom personal data relates.
6 “Controller” and “processor”, in relation to the processing of personal data to which F306... Part 2, Part 3 or Part 4 applies, have the same meaning as in that F306... Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).
7 Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
8 The Commissioner” means the Information Commissioner (see section 114).
8A The Commission” means the Information Commission (see section 114A).
9 The data protection legislation” means—
a the UK GDPR,
F11b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
c this Act, and
d regulations made under this Act or the UK GDPR, F231...
F231e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10 The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
10A The EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.
F21011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12 The Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
13 The Data Protection Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
14 In Parts 5 to 7, except where otherwise provided—
a references to the UK GDPR are to the UK GDPR read with Part 2;
F598b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
c references to personal data, and the processing of personal data, are to personal data and processing to which F396... Part 2, Part 3 or Part 4 applies;
d references to a controller or processor are to a controller or processor in relation to the processing of personal data to which F410... Part 2, Part 3 or Part 4 applies.
15 There is an index of defined expressions in section 206.

PART 2 General processing

CHAPTER 1 Scope and definitions

I7814 Processing to which this Part applies

1 This Part is relevant to most processing of personal data.
2 This Part
a applies to the types of processing of personal data to which the UK GDPR applies by virtue of Article 2 of the UK GDPR, and
b supplements, and must be read with, the UK GDPR.
F1013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I761C145 Definitions

1 Terms used in F115... this Part and in the UK GDPR have the same meaning in this Part as they have in the UK GDPR.
2 In subsection (1), the reference to a term's meaning in the UK GDPR is to its meaning in the UK GDPR read with any provision of this Part which modifies the term's meaning for the purposes of the UK GDPR.
3 Subsection (1) is subject to any provision in this Part which provides expressly for the term to have a different meaning and to section 204.
F4254 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F4255 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F4256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 A reference in F355... this Part to the processing of personal data is to processing to which this Part applies.
8 Sections 3 and 205 include definitions of other expressions used in this Part.

CHAPTER 2  The UK GDPR

Meaning of certain terms used in the UK GDPR

I7746 Meaning of “controller”

1 The definition of “controller” in Article 4(1)(7) of the UK GDPR has effect subject to—
a subsection (2),
b section 209, and
c section 210.
2 For the purposes of the UK GDPR, where personal data is processed only—
a for purposes for which it is required by an enactment to be processed, and
b by means by which it is required by an enactment to be processed,
the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

I1I8617 Meaning of “public authority” and “public body”

1 For the purposes of the UK GDPR, the following (and only the following) are “public authorities” and “public bodies” F673...—
a a public authority as defined by the Freedom of Information Act 2000,
b a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13),
ba the Advanced Research and Invention Agency, and
c an authority or body specified or described by the Secretary of State in regulations,
subject to subsections (2), (3) and (4).
2 An authority or body that falls within subsection (1) is only a “public authority” or “public body” for the purposes of the UK GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.
3 The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—
a a parish council in England;
b a community council in Wales;
c a community council in Scotland;
d a parish meeting constituted under section 13 of the Local Government Act 1972;
e a community meeting constituted under section 27 of that Act;
f charter trustees constituted—
i under section 246 of that Act,
ii under Part 1 of the Local Government and Public Involvement in Health Act 2007, or
iii by the Charter Trustees Regulations 1996 (S.I. 1996/263).
4 The Secretary of State may by regulations provide that a person specified or described in the regulations that is a public authority described or mentioned in subsection (1)(a), (b) or (ba) is not a “public authority” or “public body” for the purposes of the UK GDPR.
5 Regulations under this section are subject to the affirmative resolution procedure.

Lawfulness of processing

I8718 Lawfulness of processing: public interest etc

In Article 6(1) of the UK GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of F195... official authority includes processing of personal data that is necessary for—
a the administration of justice,
b the exercise of a function of either House of Parliament,
c the exercise of a function conferred on a person by an enactment or rule of law,
d the exercise of a function of the Crown, a Minister of the Crown or a government department, or
e an activity that supports or promotes democratic engagement.

F3769 Child's consent in relation to information society services

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Relevant international law

9A Processing in reliance on relevant international law

1 Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.
2 A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.
3 The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—
a conditions,
b provision about the purposes for which a condition may be relied on, and
c safeguards in connection with processing carried out in reliance on a condition in the Schedule.
4 Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.
5 Regulations under this section are subject to the affirmative resolution procedure.
6 In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).

Special categories of personal data

I2I77510 Special categories of personal data and criminal convictions etc data

1 Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—
a point (b) (employment, social security and social protection);
b point (g) (substantial public interest);
c point (h) (health and social care);
d point (i) (public health);
e point (j) (archiving, research and statistics).
2 The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the UK GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.
3 The processing meets the requirement in point (g) of Article 9(2) of the UK GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.
4 Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.
5 The processing meets the requirement in Article 10(1) of the UK GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
6 The Secretary of State may by regulations—
a amend Schedule 1—
i by adding or varying conditions or safeguards, and
ii by omitting conditions or safeguards added by regulations under this section, and
b consequentially amend this section.
7 Regulations under this section are subject to the affirmative resolution procedure.

I95811 Special categories of personal data etc: supplementary

1 For the purposes of Article 9(2)(h) of the UK GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR (obligation of secrecy) include circumstances in which it is carried out—
a by or under the responsibility of a health professional or a social work professional, or
b by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
2 In Article 10 of the UK GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—
a the alleged commission of offences by the data subject, or
b proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Rights of the data subject

I3I84112 Limits on fees that may be charged by controllers

1 The Secretary of State may by regulations specify limits on the fees that a controller may charge in reliance on—
a Article 12(5) of the UK GDPR (reasonable fees when responding to manifestly unfounded or excessive requests), or
b Article 15(3) of the UK GDPR (reasonable fees for provision of further copies).
2 The Secretary of State may by regulations—
a require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in reliance on those provisions, and
b specify what the guidance must include.
3 Regulations under this section are subject to the negative resolution procedure.

I83413 C27Obligations of credit reference agencies

1 This section applies where a controller is a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974).
2 The controller's obligations under Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject's financial standing, unless the data subject has indicated a contrary intention.
3 Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the UK GDPR, the disclosure must be accompanied by a statement informing the data subject of the data subject's rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).

C2913A Meaning of “relevant offence” for purpose of right to erasure

1 The Secretary of State may by regulations amend the table in Article 17(5) of the UK GDPR.
2 Regulations under this section are subject to the affirmative resolution procedure.

F32914 Automated decision-making authorised by law: safeguards

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exemptions etc

I80415 Exemptions etc

1 Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the UK GDPR.
2 In Schedule 2—
a Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the UK GDPR in specified circumstances (of a kind described in Article 6(3) and Article 23(1) of the UK GDPR);
b Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the UK GDPR in specified circumstances (of a kind described in Article 23(1) of the UK GDPR);
c Part 3 makes provision restricting the application of Article 15 of the UK GDPR where this is necessary to protect the rights of others (of a kind described in Article 23(1) of the UK GDPR);
d Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the UK GDPR in specified circumstances (of a kind described in Article 23(1) of the UK GDPR);
e Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV and V of the UK GDPR for reasons relating to freedom of expression (of a kind described in Article 85(2) of the UK GDPR);
f Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the UK GDPR for scientific or historical research purposes, statistical purposes and archiving purposes F359....
3 Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the UK GDPR to health, social work, education and child abuse data (of a kind described in Article 23(1) of the UK GDPR).
4 Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the UK GDPR to information the disclosure of which is prohibited or restricted by an enactment (of a kind described in Article 23(1) of the UK GDPR).
4A In connection with the manual unstructured processing of personal data held by an FOI public authority, see Chapter 3 of this Part (sections 21, 24 and 25).
5 In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part (sections 26 to 28).

I4I83616 Power to make further exemptions etc by regulations

1 The following powers to make provision altering the application of the UK GDPR may be exercised by way of regulations made by the Secretary of State under this section—
a the power in Article 6(3) F247... to lay down a legal basis containing specific provisions to adapt the application of rules of the UK GDPR where processing is necessary for compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of official authority;
b the power in Article 23(1) to make provision restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest;
c the power in Article 85(2) to provide for exemptions or derogations from certain Chapters of the UK GDPR where necessary to reconcile the protection of personal data with the freedom of expression and information.
2 Regulations under this section may—
a amend Schedules 2 to 4—
i by adding or varying provisions, and
ii by omitting provisions added by regulations under this section, F167...
b consequentially amend section 15 , and
c consequentially amend the UK GDPR by adding, varying or omitting a reference to section 15, Schedule 2, 3 or 4, this section or regulations under this section.
3 Regulations under this section are subject to the affirmative resolution procedure.

Certification

I75717 Accreditation of certification providers

1 Accreditation of a person as a certification provider is only valid when carried out by—
a the Commissioner, or
b the UK national accreditation body.
2 The Commissioner may only accredit a person as a certification provider where the Commissioner—
a has published a statement that the Commissioner will carry out such accreditation, and
b has not published a notice withdrawing that statement.
3 The UK national accreditation body may only accredit a person as a certification provider where the Commissioner—
a has published a statement that the body may carry out such accreditation, and
b has not published a notice withdrawing that statement.
4 The publication of a notice under subsection (2)(b) or (3)(b) does not affect the validity of any accreditation carried out before its publication.
5 Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.
6 The UK national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body's functions under this section, Schedule 5 and Article 43 of the UK GDPR.
7 The UK national accreditation body must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the UK GDPR as the Secretary of State may reasonably require.
8 In this section—
  • certification provider” means a person who issues certification for the purposes of Article 42 of the UK GDPR;
  • the UK national accreditation body” means the UK national accreditation body for the purposes of Article 4(1) of Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.

F611...

F61117A Transfers based on adequacy regulations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F31117B Transfers based on adequacy regulations: review etc

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F34317C Standard data protection clauses

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F44718 Transfers of personal data to third countries etc : public interest

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F85...

F8519 Processing for archiving, research and statistical purposes: safeguards

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Minor definition

F37420 Meaning of “court”

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C19CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

I78221 Definitions

F5391 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5392 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5393 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5394 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5 In this Chapter, “FOI public authority” means—
a a public authority as defined in the Freedom of Information Act 2000, F103...
b a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002 (asp 13) , or
c the Advanced Research and Invention Agency.
6 References in this Chapter to personal data “held” by an FOI public authority are to be interpreted—
a in relation to England and Wales and Northern Ireland, in accordance with section 3(2) of the Freedom of Information Act 2000, and
b in relation to Scotland, in accordance with section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002 (asp 13),
but such references do not include information held by an intelligence service (as defined in section 82) on behalf of an FOI public authority.
7 But personal data is not to be treated as “held” by an FOI public authority for the purposes of this Chapter, where—
a section 7 of the Freedom of Information Act 2000 prevents Parts 1 to 5 of that Act from applying to the personal data, or
b section 7(1) of the Freedom of Information (Scotland) Act 2002 (asp 13) prevents that Act from applying to the personal data.
8 In relation to the Advanced Research and Invention Agency—
a for the purposes of subsection (6)(a)—
i section 3(2) of the Freedom of Information Act 2000 is to be read as if “public authority” included that Agency, and
ii section 3(2) of the Freedom of Information (Scotland) Act 2002 (asp 13) is to be read as if “authority” included that Agency, and
b subsection (7) does not apply.

F287...

F28722 Application of the GDPR to processing to which this Chapter applies

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F59023 Power to make provision in consequence of regulations related to the GDPR

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exemptions etc

I5I89924 C19Manual unstructured data held by FOI public authorities

1 The provisions of the UK GDPR and this Act listed in subsection (2) do not apply to personal data to which the UK GDPR applies by virtue of Article 2(1A) (manual unstructured personal data held by FOI public authorities).
2 Those provisions are—
a in Chapter II of the UK GDPR (principles)—
i Article 5(1)(a) to (c), (e) and (f) (principles relating to processing, other than the accuracy principle),
ii Article 6 (lawfulness),
iii Article 7 (conditions for consent),
iv Article 8(1) and (2) (child's consent),
v Article 9 (processing of special categories of personal data),
vi Article 10 (data relating to criminal convictions etc), and
vii Article 11(2) (processing not requiring identification);
b in Chapter III of the UK GDPR (rights of the data subject)—
i Article 13(1) to (3) (personal data collected from data subject: information to be provided),
ii Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
iii Article 20 (right to data portability), and
iv Article 21(1) (objections to processing);
c in Chapter V of the UK GDPR, Articles 44A to 49A (transfers of personal data to third countries or international organisations);
F520ca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cb in Part 5 of this Act, section 119A (standard clauses for transfers to third countries);
d in Part 7 of this Act, sections 170 and 171 (offences relating to personal data).
(see also paragraph 1(2) of Schedule 18).
3 In addition, the provisions of the UK GDPR listed in subsection (4) do not apply to personal data to which the UK GDPR applies by virtue of Article 2(1A) where the personal data relates to appointments, removals, pay, discipline, superannuation or other personnel matters in relation to—
a service in any of the armed forces of the Crown;
b service in any office or employment under the Crown or under any public authority;
c service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in—
i Her Majesty,
ii a Minister of the Crown,
iii the National Assembly for Wales,
iv the Welsh Ministers,
v a Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000), or
vi an FOI public authority.
4 Those provisions are—
a the remaining provisions of Chapters II and III (principles and rights of the data subject);
b Chapter IV (controller and processor);
ba Chapter 8A (safeguards for processing for research, archiving or statistical purposes);
c Chapter IX (specific processing situations).
5 A controller is not obliged to comply with Article 15(1) to (3) of the UK GDPR (right of access by the data subject) in relation to personal data to which the UK GDPR applies by virtue of Article 2(1A) if—
a the request under Article 15 does not contain a description of the personal data, or
b the controller estimates that the cost of complying with the request so far as relating to the personal data would exceed the appropriate maximum.
6 Subsection (5)(b) does not remove the controller's obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.
7 An estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.
8 In subsections (5) and (6), “the appropriate maximum” means the maximum amount specified by the Secretary of State by regulations.
9 Regulations under subsection (8) are subject to the negative resolution procedure.

I86025 C19Manual unstructured data used in longstanding historical research

1 The provisions of the UK GDPR listed in subsection (2) do not apply to personal data to which the UK GDPR applies by virtue of Article 2(1A) (manual unstructured personal data held by FOI public authorities) at any time when—
a the personal data—
i is subject to processing which was already underway immediately before 24 October 1998, and
ii is processed only for the purposes of historical research, and
b the processing is not carried out—
i for the purposes of measures or decisions with respect to a particular data subject, or
ii in a way that causes, or is likely to cause, substantial damage or substantial distress to a data subject.
2 Those provisions are—
a in Chapter II F131...(principles), Article 5(1)(d) (the accuracy principle), and
b in Chapter III F528... (rights of the data subject)—
i Article 16 (right to rectification), and
ii Article 17(1) and (2) (right to erasure).
3 The exemptions in this section apply in addition to the exemptions in section 24.

I91626 C19National security and defence exemption

1 A provision of the UK GDPR or this Act mentioned in subsection (2) does not apply to personal data to which the UK GDPR applies if exemption from the provision is required for—
a the purpose of safeguarding national security, or
b defence purposes.
2 The provisions are—
a Chapter II of the UK GDPR (principles) except for—
i Article 5(1)(a) (lawful, fair and transparent processing), so far as it requires processing of personal data to be lawful;
ii Article 6 (lawfulness of processing);
iii Article 9 (processing of special categories of personal data);
b Chapter III of the UK GDPR (rights of data subjects);
c in Chapter IV of the UK GDPR
i Article 33 (notification of personal data breach to the Commissioner);
ii Article 34 (communication of personal data breach to the data subject);
d Chapter V of the UK GDPR (transfers of personal data to third countries or international organisations);
e in Chapter VI of the UK GDPR
i Article 57(1)(a) and (h) (Commissioner's duties to monitor and enforce the UK GDPR and to conduct investigations);
ii Article 58 (investigative, corrective, authorisation and advisory powers of Commissioner);
f Chapter VIII of the UK GDPR (remedies, liabilities and penalties) except for—
ai Article 77 (right to lodge a complaint with the Commissioner);
i Article 83 (general conditions for imposing administrative fines);
ii Article 84 (penalties);
F508fa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
g in Part 5 of this Act—
i in section 115 (general functions of the Commissioner), subsections (3) and (8);
ii in section 115, subsection (9), so far as it relates to Article 58(2)(i) of the UK GDPR;
iii section 119 (inspection in accordance with international obligations);
iv section 119A (standard clauses for transfers to third countries);
h in Part 6 of this Act—
i sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);
ii sections 170 to 173 (offences relating to personal data);
i in Part 7 of this Act, section 187 (representation of data subjects).

I82127 C19National security: certificate

1 Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 26(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security is conclusive evidence of that fact.
2 A certificate under subsection (1)—
a may identify the personal data to which it applies by means of a general description, and
b may be expressed to have prospective effect.
3 Any person directly affected by a certificate under subsection (1) may appeal to the Tribunal against the certificate.
4 If, on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing a certificate, the Tribunal may—
a allow the appeal, and
b quash the certificate.
5 Where, in any proceedings under or by virtue of the UK GDPR or this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.
6 But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.
7 On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.
8 A document purporting to be a certificate under subsection (1) is to be—
a received in evidence, and
b deemed to be such a certificate unless the contrary is proved.
9 A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—
a in any legal proceedings, evidence of that certificate;
b in any legal proceedings in Scotland, sufficient evidence of that certificate.
10 The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—
a a Minister who is a member of the Cabinet, or
b the Attorney General or the Advocate General for Scotland.

I81728 C19National security and defence: modifications to Articles 9 and 32 of the UK GDPR

1 Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) does not prohibit the processing of personal data to which the UK GDPR applies to the extent that the processing is carried out—
a for the purpose of safeguarding national security or for defence purposes, and
b with appropriate safeguards for the rights and freedoms of data subjects.
2 Article 32 of the UK GDPR (security of processing) does not apply to a controller or processor to the extent that the controller or the processor (as the case may be) is processing personal data to which the UK GDPR applies for—
a the purpose of safeguarding national security, or
b defence purposes.
3 Where Article 32 of the UK GDPR does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.
4 For the purposes of subsection (3), where the processing of personal data is carried out wholly or partly by automated means, the controller or the processor must, following an evaluation of the risks, implement measures designed to—
a prevent unauthorised processing or unauthorised interference with the systems used in connection with the processing,
b ensure that it is possible to establish the precise details of any processing that takes place,
c ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
d ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
5 The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3).

PART 3 Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

I90829 Processing to which this Part applies

1 This Part applies to—
a the processing by a competent authority of personal data wholly or partly by automated means, and
b the processing by a competent authority otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
1A This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).
2 Any reference in this Part to the processing of personal data is to processing to which this Part applies.
3 For the meaning of “competent authority”, see section 30.

Definitions

I6I94430 Meaning of “competent authority”

1 In this Part, “competent authority” means—
a a person specified or described in Schedule 7, and
b any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes.
2 But an intelligence service is not a competent authority within the meaning of this Part.
3 The Secretary of State may by regulations amend Schedule 7—
a so as to add or remove a person or description of person;
b so as to reflect any change in the name of a person specified in the Schedule.
4 Regulations under subsection (3) which make provision of the kind described in subsection (3)(a) may also make consequential amendments of section 73(4)(b).
5 Regulations under subsection (3) which make provision of the kind described in subsection (3)(a), or which make provision of that kind and of the kind described in subsection (3)(b), are subject to the affirmative resolution procedure.
6 Regulations under subsection (3) which make provision only of the kind described in subsection (3)(b) are subject to the negative resolution procedure.
7 In this section—
  • intelligence service” means—
    1. the Security Service;
    2. the Secret Intelligence Service;
    3. the Government Communications Headquarters;
  • statutory function” means a function under or by virtue of an enactment.

I88331 “The law enforcement purposes”

For the purposes of this Part, “the law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

I81432 Meaning of “controller” and “processor”

1 In this Part, “controller” means the competent authority which, alone or jointly with others—
a determines the purposes and means of the processing of personal data, or
b is the controller by virtue of subsection (2).
2 Where personal data is processed only—
a for purposes for which it is required by an enactment to be processed, and
b by means by which it is required by an enactment to be processed,
the competent authority on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
3 In this Part, “processor” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).

I95733 Other definitions

1 This section defines certain other expressions used in this Part.
2 Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.
3 Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4 Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
5 Recipient”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.
6 Restriction of processing” means the marking of stored personal data with the aim of limiting its processing for the future.
6A Sensitive processing” has the meaning given in section 35(8).
7 Third country” means a country or territory outside the United Kingdom.
8 Sections 3 and 205 include definitions of other expressions used in this Part.

CHAPTER 2 Principles

I90334 Overview and general duty of controller

1 This Chapter sets out the six data protection principles as follows—
a section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);
b section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);
c section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
d section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
e section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
f section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
2 In addition—
a each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and
b sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.
3 The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.

I7I95035 The first data protection principle

1 The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
2 The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—
a the data subject has given consent to the processing for that purpose, or
b the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
3 In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
4 The first case is where—
a the data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and
b at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
5 The second case is where—
a the processing is strictly necessary for the law enforcement purpose,
b the processing meets at least one of the conditions in Schedule 8, and
c at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
6 The Secretary of State may by regulations amend Schedule 8—
a by adding conditions;
b by varying or omitting conditions added by regulations under paragraph (a).
7 Regulations under subsection (6) are subject to the affirmative resolution procedure.
8 In this Part, “sensitive processing” means—
a the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
b the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
c the processing of data concerning health;
d the processing of data concerning an individual's sex life or sexual orientation.

I86436 The second data protection principle

1 The second data protection principle is that—
a the law enforcement purpose for which personal data is collected (whether from the data subject or otherwise) must be specified, explicit and legitimate, and
b personal data so collected must not be processed by or on behalf of a controller in a manner that is incompatible with the purpose for which the controller collected it.
2 Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
3 Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that—
a the controller is authorised by law to process the data for the other purpose, and
b the processing is necessary and proportionate to that other purpose.
4 Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.

I97437 The third data protection principle

The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

I88738 The fourth data protection principle

1 The fourth data protection principle is that—
a personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and
b every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
2 In processing personal data for any of the law enforcement purposes, personal data based on facts must, so far as possible, be distinguished from personal data based on personal assessments.
3 In processing personal data for any of the law enforcement purposes, a clear distinction must, where relevant and as far as possible, be made between personal data relating to different categories of data subject, such as—
a persons suspected of having committed or being about to commit a criminal offence;
b persons convicted of a criminal offence;
c persons who are or may be victims of a criminal offence;
d witnesses or other persons with information about offences.
4 All reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.
5 For that purpose—
a the quality of personal data must be verified before it is transmitted or made available,
b in all transmissions of personal data, the necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of the data and the extent to which it is up to date must be included, and
c if, after personal data has been transmitted, it emerges that the data was incorrect or that the transmission was unlawful, the recipient must be notified without delay.

I90939 The fifth data protection principle

1 The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.
2 Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.

I92540 The sixth data protection principle

The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

I96141 Safeguards: archiving

1 This section applies in relation to the processing of personal data for a law enforcement purpose where the processing is carried out
a for archiving purposes in the public interest,
b for scientific or historical research purposes, or
c for statistical purposes.
2 The processing is not permitted if—
a it is carried out for the purposes of, or in connection with, measures or decisions with respect to a particular data subject, or
b it is likely to cause substantial damage or substantial distress to a data subject.

I79742 Safeguards: sensitive processing

1 This section applies for the purposes of section 35(4) and (5) (which require a controller to have an appropriate policy document in place when carrying out sensitive processing in reliance on the consent of the data subject or, as the case may be, in reliance on a condition specified in Schedule 8).
2 The controller has an appropriate policy document in place in relation to the sensitive processing if the controller has produced a document which—
a explains the controller's procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and
b explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.
3 Where personal data is processed on the basis that an appropriate policy document is in place, the controller must during the relevant period—
a retain the appropriate policy document,
b review and (if appropriate) update it from time to time, and
c make it available to the Commissioner, on request, without charge.
4 The record maintained by the controller under section 61(1) and, where the sensitive processing is carried out by a processor on behalf of the controller, the record maintained by the processor under section 61(3) must include the following information—
a whether the sensitive processing is carried out in reliance on the consent of the data subject or, if not, which condition in Schedule 8 is relied on,
b how the processing satisfies section 35 (lawfulness of processing), and
c whether the personal data is retained and erased in accordance with the policies described in subsection (2)(b) and, if it is not, the reasons for not following those policies.
5 In this section, “relevant period”, in relation to sensitive processing in reliance on the consent of the data subject or in reliance on a condition specified in Schedule 8, means a period which—
a begins when the controller starts to carry out the sensitive processing in reliance on the data subject's consent or (as the case may be) in reliance on that condition, and
b ends at the end of the period of 6 months beginning when the controller ceases to carry out the processing.

42A Further provision about sensitive processing

1 The Secretary of State may by regulations—
a make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
b make provision so that added processing is not sensitive processing for the purposes of this Part,
c make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and
d make provision varying such a condition as it relates to added processing.
2 In subsection (1)—
  • added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);
  • protected condition in Schedule 8” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).
3 Regulations under this section may amend this Part and sections 205 and 206.
4 Regulations under this section are subject to the affirmative resolution procedure.

CHAPTER 3 Rights of the data subject

Overview and scope

I79843 Overview and scope

1 This Chapter—
a imposes general duties on the controller to make information available (see sections 44 and 45A);
b confers a right of access by the data subject (see sections 45 and 45A);
c confers rights on the data subject with respect to the rectification of personal data and the erasure of personal data or the restriction of its processing (see sections 46 to 48);
d regulates automated decision-making (see sections 50A to 50D);
e makes supplementary provision (see sections 51 to 54).
2 This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.
3 But sections 44 to 48 do not apply in relation to the processing of relevant personal data in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty.
4 In subsection (3), “relevant personal data” means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority.
5 In this Chapter, “the controller”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.

Data subject’s rights to information

I96844 F459... Controller's general duties

1 The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)—
a the identity and the contact details of the controller;
b where applicable, the contact details of the data protection officer (see sections 69 to 71);
c the purposes for which the controller processes personal data;
d the existence of the rights of data subjects to request from the controller—
i access to personal data (see section 45),
ii rectification of personal data (see section 46), and
iii erasure of personal data or the restriction of its processing (see section 47);
e the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner.
2 The controller must also, in specific cases for the purpose of enabling the exercise of a data subject's rights under this Part, give the data subject the following—
a information about the legal basis for the processing;
b information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
c where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations);
d such further information as is necessary to enable the exercise of the data subject's rights under this Part.
3 An example of where further information may be necessary as mentioned in subsection (2)(d) is where the personal data being processed was collected without the knowledge of the data subject.
4 The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (2) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
a avoid obstructing an official or legal inquiry, investigation or procedure;
b avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
c protect public security;
F680d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
e protect the rights and freedoms of others.
5 Where the provision of information to a data subject under subsection (2) is restricted under subsection (4), wholly or partly, the controller must inform the data subject in writing without undue delay—
a that the provision of information has been restricted,
b of the reasons for the restriction,
c of the data subject's right to make a request to the Commissioner under section 51,
d of the data subject's right to lodge a complaint with the Commissioner, and
e of the data subject's right to apply to a court under section 167.
6 Subsection (5)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.
7 The controller must—
a record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (2) in reliance on subsection (4), and
b if requested to do so by the Commissioner, make the record available to the Commissioner.

F62...

I83345 Right of access by the data subject

1 A data subject is entitled to obtain from the controller—
a confirmation as to whether or not personal data concerning him or her is being processed, and
b where that is the case, access to the personal data and the information set out in subsection (2).
2 That information is—
a the purposes of and legal basis for the processing;
b the categories of personal data concerned;
c the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);
d the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;
e the existence of the data subject's rights to request from the controller—
i rectification of personal data (see section 46), and
ii erasure of personal data or the restriction of its processing (see section 47);
f the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
g communication of the personal data undergoing processing and of any available information as to its origin.
2A Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.
3 Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must be provided in writing —
a without undue delay, and
b in any event, before the end of the applicable time period (as to which see section 54).
4 The controller may restrict, wholly or partly, the rights conferred by subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
a avoid obstructing an official or legal inquiry, investigation or procedure;
b avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
c protect public security;
F35d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
e protect the rights and freedoms of others.
5 Where the rights of a data subject under subsection (1) are restricted under subsection (4), wholly or partly, the controller must inform the data subject in writing without undue delay and in any event before the end of the applicable time period (as to which see section 54)
a that the rights of the data subject have been restricted,
b of the reasons for the restriction,
c of the data subject's right to make a request to the Commissioner under section 51,
d of the data subject's right to lodge a complaint with the Commissioner, and
e of the data subject's right to apply to a court under section 167.
6 Subsection (5)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
7 The controller must—
a record the reasons for a decision to restrict (whether wholly or partly) the rights of a data subject under subsection (1) in reliance on subsection (4), and
b if requested to do so by the Commissioner, make the record available to the Commissioner.

45A Exemption from sections 44 and 45: legal professional privilege

1 Sections 44(2) and 45(1) do not require the controller to give the data subject—
a information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or
b information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
2 A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—
a the decision to rely on the exemption,
b the reason for the decision,
c the data subject’s right to make a request to the Commissioner under section 51,
d the data subject’s right to lodge a complaint with the Commissioner under section 165, and
e the data subject’s right to apply to a court under section 167.
3 Subsection (2)(a) and (b) do not apply to the extent that complying with them would—
a undermine a claim described in subsection (1)(a), or
b conflict with a duty described in subsection (1)(b).
4 The controller must—
a record the reason for a decision to rely on the exemption in subsection (1), and
b if requested to do so by the Commissioner, make the record available to the Commissioner.
5 The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).

Data subject's rights to rectification or erasure etc

I90446 Right to rectification

1 The controller must, if so requested by a data subject, rectify without undue delay inaccurate personal data relating to the data subject.
2 Where personal data is inaccurate because it is incomplete, the controller must, if so requested by a data subject, complete it.
3 The duty under subsection (2) may, in appropriate cases, be fulfilled by the provision of a supplementary statement.
4 Where the controller would be required to rectify personal data under this section but the personal data must be maintained for the purposes of evidence, the controller must (instead of rectifying the personal data) restrict its processing.

I96747 Right to erasure or restriction of processing

1 The controller must erase personal data without undue delay where—
a the processing of the personal data would infringe section 35, 36(1) to (3), 37, 38(1), 39(1), 40, 41 or 42, or
b the controller has a legal obligation to erase the data.
2 Where the controller would be required to erase personal data under subsection (1) but the personal data must be maintained for the purposes of evidence, the controller must (instead of erasing the personal data) restrict its processing.
3 Where a data subject contests the accuracy of personal data (whether in making a request under this section or section 46 or in any other way), but it is not possible to ascertain whether it is accurate or not, the controller must restrict its processing.
4 A data subject may request the controller to erase personal data or to restrict its processing (but the duties of the controller under this section apply whether or not such a request is made).

I93048 Rights under section 46 or 47: supplementary

1 Where a data subject requests the rectification or erasure of personal data or the restriction of its processing, the controller must inform the data subject in writing—
a whether the request has been granted, and
b if it has been refused—
i of the reasons for the refusal,
ii of the data subject's right to make a request to the Commissioner under section 51,
iii of the data subject's right to lodge a complaint with the Commissioner, and
iv of the data subject's right to apply to a court under section 167.
2 The controller must comply with the duty under subsection (1)—
a without undue delay, and
b in any event, before the end of the applicable time period (see section 54).
3 The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1)(b)(i) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
a avoid obstructing an official or legal inquiry, investigation or procedure;
b avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
c protect public security;
F250d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
e protect the rights and freedoms of others.
4 Where the rights of a data subject under subsection (1)(b)(i) are restricted under subsection (3), wholly or partly, the controller must inform the data subject in writing without undue delay—
a that the rights of the data subject have been restricted,
b of the reasons for the restriction,
c of the data subject's right to lodge a complaint with the Commissioner, and
d of the data subject's right to apply to a court under section 167.
5 Subsection (4)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
6 The controller must—
a record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (1)(b)(i) in reliance on subsection (3), and
b if requested to do so by the Commissioner, make the record available to the Commissioner.
7 Where the controller rectifies personal data, it must notify the competent authority (if any) from which the inaccurate personal data originated.
F1658 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9 Where the controller rectifies, erases or restricts the processing of personal data which has been disclosed by the controller—
a the controller must notify the recipients, and
b the recipients must similarly rectify, erase or restrict the processing of the personal data (so far as they retain responsibility for it).
10 Where processing is restricted in accordance with section 47(3), the controller must inform the data subject before lifting the restriction.

Automated individual decision-making

F40949 Right not to be subject to automated decision-making

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F40950 Automated decision-making authorised by law: safeguards

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

50A Automated processing and significant decisions

1 For the purposes of sections 50B and 50C—
a a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
b a decision is a significant decision, in relation to a data subject, if—
i it produces an adverse legal effect for the data subject, or
ii it has a similarly significant adverse effect for the data subject.
2 When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

50B Restrictions on automated decision-making based on sensitive processing

1 A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.
2 The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
3 The second condition is that the decision is required or authorised by law.

50C Safeguards for automated decision-making

1 Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is—
a based entirely or partly on personal data, and
b based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).
2 The safeguards must consist of or include measures which—
a provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject;
b enable the data subject to make representations about such decisions;
c enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
d enable the data subject to contest such decisions.
3 Subsections (1) and (2) do not apply in relation to a significant decision if—
a exemption from those provisions is required for a reason listed in subsection (4),
b the controller reconsiders the decision as soon as reasonably practicable, and
c there is meaningful human involvement in the reconsideration of the decision.
4 Those reasons are—
a to avoid obstructing an official or legal inquiry, investigation or procedure;
b to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
c to protect public security;
d to safeguard national security;
e to protect the rights and freedoms of others.
5 When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.

50D Further provision about automated decision-making

1 The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.
2 The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.
3 Regulations under subsection (1) or (2) may amend section 50A.
4 The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—
a provision requiring the safeguards to include measures in addition to those described in section 50C(2),
b provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and
c provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2).
5 Regulations under this section are subject to the affirmative resolution procedure.

Supplementary

I86951 Exercise of rights through the Commissioner

1 This section applies where a controller—
a restricts under section 44(4) the information provided to the data subject under section 44(2) (duty of the controller to give the data subject additional information),
b restricts under section 45(4) the data subject's rights under section 45(1) (right of access),
ba relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege), or
c refuses a request by the data subject for rectification under section 46 or for erasure or restriction of processing under section 47.
2 The data subject may—
a where subsection (1)(a) or (b) applies, request the Commissioner to check that the restriction imposed by the controller was lawful;
aa where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;
b where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject's request was lawful.
3 The Commissioner must take such steps as appear to the Commissioner to be appropriate to respond to a request under subsection (2) (which may include the exercise of any of the powers conferred by sections 142 and 146).
4 After taking those steps, the Commissioner must inform the data subject—
a where subsection (1)(a) or (b) applies, whether the Commissioner is satisfied that the restriction imposed by the controller was lawful;
aa where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;
b where subsection (1)(c) applies, whether the Commissioner is satisfied that the controller's refusal of the data subject's request was lawful.
5 The Commissioner must also inform the data subject of the data subject's right to apply to a court under section 167.
6 Where the Commissioner is not satisfied as mentioned in subsection (4)(a) , (aa) or (b), the Commissioner may also inform the data subject of any further steps that the Commissioner is considering taking under Part 6 .

I87652 Form of provision of information etc

1 The controller must take reasonable steps to ensure that any information that is required by or under this Chapter to be provided to the data subject is provided in a concise, intelligible and easily accessible form, using clear and plain language.
2 Subject to subsection (3), the information may be provided in any form, including electronic form.
3 Where information is provided in response to a request made by the data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D, the controller must provide the information in the same form as the request where it is practicable to do so.
4 Where the controller has reasonable doubts about the identity of an individual making a request under or by virtue of any of sections 45, 46, 47, 50C or 50D, the controller may—
a request the provision of additional information to enable the controller to confirm the identity, and
b delay dealing with the request until the identity is confirmed.
5 Subject to section 53, any information that is required by or under this Chapter to be provided to the data subject must be provided free of charge.
6 The controller must facilitate the exercise of the rights of the data subject arising under or by virtue of sections 45 to 50D.

I8I77253 Manifestly unfounded or excessive requests by the data subject

1 Where a request made by a data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D is manifestly unfounded or excessive, the controller may—
a charge a reasonable fee for dealing with the request, or
b refuse to act on the request.
2 An example of a request that may be excessive is one that merely repeats the substance of previous requests.
3 In any proceedings where there is an issue as to whether a request described in subsection (1) is manifestly unfounded or excessive, it is for the controller to show that it is.
4 The Secretary of State may by regulations specify limits on the fees that a controller may charge in accordance with subsection (1)(a).
4A The Secretary of State may by regulations—
a require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and
b specify what the guidance must include.
5 Regulations under this section are subject to the negative resolution procedure.
6 If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of—
a the reasons for not doing so, and
b the data subject’s right to lodge a complaint with the Commissioner.
7 The controller must comply with subsection (6)—
a without undue delay, and
b in any event, before the end of the applicable time period (as to which see section 54).

I9I93154 Meaning of “applicable time period”

1 This section defines “the applicable time period” for the purposes of sections 45(3)(b) and (5) , 48(2)(b) and 53(7).
2 The applicable time period” means the period of one month beginning with the relevant time , subject to subsection (3A).
3 The relevant time” means the latest of the following—
a when the controller receives the request in question;
b when the controller receives the information (if any) requested in connection with a request under section 52(4);
c when the fee (if any) charged in connection with the request under section 53 is paid.
3A The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
a the complexity of requests made by the data subject, or
b the number of such requests.
3B A notice under subsection (3A) must—
a be given before the end of the period of one month beginning with the relevant time, and
b state the reasons for the delay.
3C Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates—
a the controller may ask the data subject to provide the further information, and
b the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
i the applicable time period, or
ii the period described in subsection (3B)(a).
3D An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.
F3714 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F3715 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F3716 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CHAPTER 4 Controller and processor

Overview and scope

I94855 Overview and scope

1 This Chapter—
a sets out the general obligations of controllers and processors (see sections 56 to 65);
b sets out specific obligations of controllers and processors with respect to security (see section 66);
c sets out specific obligations of controllers and processors with respect to personal data breaches (see sections 67 and 68);
d makes provision for the designation, position and tasks of data protection officers (see sections 69 to 71);
e makes provision about codes of conduct (see section 71A).
2 This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.
3 Where a controller is required by any provision of this Chapter to implement appropriate technical and organisational measures, the controller must (in deciding what measures are appropriate) take into account—
a the latest developments in technology,
b the cost of implementation,
c the nature, scope, context and purposes of processing, and
d the risks for the rights and freedoms of individuals arising from the processing.

General obligations

I87756 General obligations of the controller

1 Each controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part.
2 Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies.
3 The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary.
4 Adherence to a code of conduct approved under section 71A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.

I85257 Data protection by design and default

1 Each controller must implement appropriate technical and organisational measures which are designed—
a to implement the data protection principles in an effective manner, and
b to integrate into the processing itself the safeguards necessary for that purpose.
2 The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing itself.
3 Each controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
4 The duty under subsection (3) applies to—
a the amount of personal data collected,
b the extent of its processing,
c the period of its storage, and
d its accessibility.
5 In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number of people without an individual's intervention.

I96258 Joint controllers

1 Where two or more competent authorities jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.
2 Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.
3 The arrangement must designate the controller which is to be the contact point for data subjects.

I78859 Processors

1 This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
2 The controller may use only a processor who provides guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will—
a meet the requirements of this Part, and
b ensure the protection of the rights of the data subject.
3 The processor used by the controller may not engage another processor (“a sub-processor”) without the prior written authorisation of the controller, which may be specific or general.
4 Where the controller gives a general written authorisation to a processor, the processor must inform the controller if the processor proposes to add to the number of sub-processors engaged by it or to replace any of them (so that the controller has the opportunity to object to the proposal).
5 The processing by the processor must be governed by a contract in writing between the controller and the processor setting out the following—
a the subject-matter and duration of the processing;
b the nature and purpose of the processing;
c the type of personal data and categories of data subjects involved;
d the obligations and rights of the controller and processor.
6 The contract must, in particular, provide that the processor must—
a act only on instructions from the controller,
b ensure that the persons authorised to process personal data are subject to an appropriate duty of confidentiality,
c assist the controller by any appropriate means to ensure compliance with the rights of the data subject under this Part,
d at the end of the provision of services by the processor to the controller—
i either delete or return to the controller (at the choice of the controller) the personal data to which the services relate, and
ii delete copies of the personal data unless subject to a legal obligation to store the copies,
e make available to the controller all information necessary to demonstrate compliance with this section, and
f comply with the requirements of this section for engaging sub-processors.
7 The terms included in the contract in accordance with subsection (6)(a) must provide that the processor may transfer personal data to a third country or international organisation only if instructed by the controller to make the particular transfer.
7A Adherence to a code of conduct approved under section 71A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).
8 If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

I92760 Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—
a on instructions from the controller, or
b to comply with a legal obligation.

I85561 Records of processing activities

1 Each controller must maintain a record of all categories of processing activities for which the controller is responsible.
2 The controller's record must contain the following information—
a the name and contact details of the controller;
b where applicable, the name and contact details of the joint controller;
c where applicable, the name and contact details of the data protection officer;
d the purposes of the processing;
e the categories of recipients to whom personal data has been or will be disclosed (including recipients in third countries or international organisations);
f a description of the categories of—
i data subject, and
ii personal data;
g where applicable, details of the use of profiling;
h where applicable, the categories of transfers of personal data to a third country or an international organisation;
i an indication of the legal basis for the processing operations, including transfers, for which the personal data is intended;
j where possible, the envisaged time limits for erasure of the different categories of personal data;
k where possible, a general description of the technical and organisational security measures referred to in section 66.
3 Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.
4 The processor's record must contain the following information—
a the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);
b the name and contact details of the controller on behalf of which the processor is acting;
c where applicable, the name and contact details of the data protection officer;
d the categories of processing carried out on behalf of the controller;
e where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;
f where possible, a general description of the technical and organisational security measures referred to in section 66.
5 The controller and the processor must make the records kept under this section available to the Commissioner on request.

I84562 Logging

1 A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—
a collection;
b alteration;
c consultation;
d disclosure (including transfers);
e combination;
f erasure.
2 The logs of consultation must make it possible to establish—
a the justification for, and date and time of, the consultation, and
b so far as possible, the identity of the person who consulted the data.
3 The logs of disclosure must make it possible to establish—
a the justification for, and date and time of, the disclosure, and
b so far as possible—
i the identity of the person who disclosed the data, and
ii the identity of the recipients of the data.
4 The logs kept under subsection (1) may be used only for one or more of the following purposes—
a to verify the lawfulness of processing;
b to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;
c to ensure the integrity and security of personal data;
d the purposes of criminal proceedings.
5 The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.

I81663 Co-operation with the Commissioner

Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner's tasks.

I77964 Data protection impact assessment

1 Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.
2 A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.
3 A data protection impact assessment must include the following—
a a general description of the envisaged processing operations;
b an assessment of the risks to the rights and freedoms of data subjects;
c the measures envisaged to address those risks;
d safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
4 In deciding whether a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.

I90765 Prior consultation with the Commissioner

1 This section applies where a controller intends to create a filing system and process personal data forming part of it.
2 The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section 64 indicates that the processing of the data would result in a high risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).
3 Where the controller is required to consult the Commissioner under subsection (2), the controller must give the Commissioner—
a the data protection impact assessment prepared under section 64, and
b any other information requested by the Commissioner to enable the Commissioner to make an assessment of the compliance of the processing with the requirements of this Part.
4 Where the Commissioner is of the opinion that the intended processing referred to in subsection (1) would infringe any provision of this Part, the Commissioner must provide written advice to the controller and, where the controller is using a processor, to the processor.
5 The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor.
6 The Commissioner may extend the period of 6 weeks by a further period of 1 month, taking into account the complexity of the intended processing.
7 If the Commissioner extends the period of 6 weeks, the Commissioner must—
a inform the controller and, where applicable, the processor of any such extension before the end of the period of 1 month beginning with receipt of the request for consultation, and
b provide reasons for the delay.

Obligations relating to security

I91866 Security of processing

1 Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data.
2 In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—
a prevent unauthorised processing or unauthorised interference with the systems used in connection with it,
b ensure that it is possible to establish the precise details of any processing that takes place,
c ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
d ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
3 Adherence to a code of conduct approved under section 71A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).

Obligations relating to personal data breaches

I93667 Notification of a personal data breach to the Commissioner

1 If a controller becomes aware of a personal data breach in relation to personal data for which the controller is responsible, the controller must notify the breach to the Commissioner—
a without undue delay, and
b where feasible, not later than 72 hours after becoming aware of it.
2 Subsection (1) does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
3 Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.
4 Subject to subsection (5), the notification must include—
a a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
c a description of the likely consequences of the personal data breach;
d a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5 Where and to the extent that it is not possible to provide all the information mentioned in subsection (4) at the same time, the information may be provided in phases without undue further delay.
6 The controller must record the following information in relation to a personal data breach—
a the facts relating to the breach,
b its effects, and
c the remedial action taken.
7 The information mentioned in subsection (6) must be recorded in such a way as to enable the Commissioner to verify compliance with this section.
F2588 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9 If a processor becomes aware of a personal data breach (in relation to personal data processed by the processor), the processor must notify the controller without undue delay.

I94068 Communication of a personal data breach to the data subject

1 Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay.
2 The information given to the data subject must include the following—
a a description of the nature of the breach;
b the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
c a description of the likely consequences of the personal data breach;
d a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
3 The duty under subsection (1) does not apply where—
a the controller has implemented appropriate technological and organisational protection measures which were applied to the personal data affected by the breach,
b the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subsection (1) is no longer likely to materialise, or
c it would involve a disproportionate effort.
4 An example of a case which may fall within subsection (3)(a) is where measures that render personal data unintelligible to any person not authorised to access the data have been applied, such as encryption.
5 In a case falling within subsection (3)(c) (but not within subsection (3)(a) or (b)), the information mentioned in subsection (2) must be made available to the data subject in another equally effective way, for example, by means of a public communication.
6 Where the controller has not informed the data subject of the breach the Commissioner, on being notified under section 67 and after considering the likelihood of the breach resulting in a high risk, may—
a require the controller to notify the data subject of the breach, or
b decide that the controller is not required to do so because any of paragraphs (a) to (c) of subsection (3) applies.
7 The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
a avoid obstructing an official or legal inquiry, investigation or procedure;
b avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
c protect public security;
F579d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
e protect the rights and freedoms of others.
8 Subsection (6) does not apply where the controller's decision not to inform the data subject of the breach was made in reliance on subsection (7).
9 The duties in section 52(1) and (2) apply in relation to information that the controller is required to provide to the data subject under this section as they apply in relation to information that the controller is required to provide to the data subject under Chapter 3 .

Data protection officers

I90569 Designation of a data protection officer

1 The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.
2 When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—
a the proposed officer's expert knowledge of data protection law and practice, and
b the ability of the proposed officer to perform the tasks mentioned in section 71.
3 The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size.
4 The controller must publish the contact details of the data protection officer and communicate these to the Commissioner.

I91370 Position of data protection officer

1 The controller must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2 The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to—
a perform the tasks mentioned in section 71, and
b maintain his or her expert knowledge of data protection law and practice.
3 The controller—
a must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71;
b must ensure that the data protection officer does not perform a task or fulfil a duty other than those mentioned in this Part where such task or duty would result in a conflict of interests;
c must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71.
4 A data subject may contact the data protection officer with regard to all issues relating to—
a the processing of that data subject's personal data, or
b the exercise of that data subject's rights under this Part.
5 The data protection officer, in the performance of this role, must report to the highest management level of the controller.

I80571 Tasks of data protection officer

1 The controller must entrust the data protection officer with at least the following tasks—
a informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person's obligations under this Part,
b providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section,
c co-operating with the Commissioner,
d acting as the contact point for the Commissioner on issues relating to processing, including in relation to the consultation mentioned in section 65, and consulting with the Commissioner, where appropriate, in relation to any other matter,
e monitoring compliance with policies of the controller in relation to the protection of personal data, and
f monitoring compliance by the controller with this Part.
2 In relation to the policies mentioned in subsection (1)(e), the data protection officer's tasks include—
a assigning responsibilities under those policies,
b raising awareness of those policies,
c training staff involved in processing operations, and
d conducting audits required under those policies.
3 In performing the tasks set out in subsections (1) and (2), the data protection officer must have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Codes of conduct

71A Codes of conduct

1 The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part.
2 Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.
3 For the purposes of this section—
a public body” means a body or other person whose functions are, or include, functions of a public nature, and
b a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).
4 A code of conduct described in subsection (1) may, for example, make provision with regard to—
a lawful and fair processing;
b the collection of personal data;
c the information provided to the public and to data subjects;
d the exercise of the rights of data subjects;
e the measures and procedures referred to in sections 56, 57 and 62;
f the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects;
g the transfer of personal data to third countries or international organisations;
h out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing.
5 The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.
6 Where an expert public body does so, the Commissioner must—
a provide the body with an opinion on whether the code correctly reflects the requirements of this Part,
b decide whether to approve the code, and
c if the code is approved, register and publish the code.
7 Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

I96072 Overview and interpretation

1 This Chapter deals with the transfer of personal data to third countries or international organisations, as follows—
a sections 73 to 76 set out the general conditions that apply;
b section 77 sets out additional conditions that apply in certain cases where the intended recipient of personal data is not a relevant authority in a third country or an international organisation (see section 73(4)(b));
c section 78 makes special provision about subsequent transfers of personal data.
2 In this Chapter, “relevant authority”, in relation to a third country, means any person based in a third country that has (in that country) functions comparable to those of a competent authority.

General principles for transfers

I75973 General principles for transfers of personal data

A1 This section applies in relation to a transfer of personal data to a third country or international organisation for a law enforcement purpose.
1 The controller in relation to the transfer must secure that the transfer takes place only if—
a the three conditions set out in subsections (2) to (4) are met, F693...
b in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State F304..., that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State , and—
c the transfer is carried out in accordance with the other provisions of this Part.
2 Condition 1 is that the transfer is necessary for any of the law enforcement purposes.
3 Condition 2 is that the transfer—
a is approved by regulations under section 74AA that are in force at the time of the transfer,
b is made subject to appropriate safeguards (see section 75), or
c is based on special circumstances (see section 76).
4 Condition 3 is that—
a the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation,
aa the intended recipient is a person in a third country who—
i is not a person described in paragraph (a), but
ii is a processor whose processing, on behalf of the controller, of the personal data transferred is governed by, or authorised in accordance with, a contract with the controller that complies with section 59, or
b in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—
i the intended recipient is a person in a third country who is not a person described in paragraph (a) or (aa), and
ii the additional conditions in section 77 are met.
5 Authorisation is not required as mentioned in subsection (1)(b) if—
a the transfer is necessary for the prevention of an immediate and serious threat to the public security, national security or essential interests of a third country or the United Kingdom, and
b the authorisation cannot be obtained in good time.
6 Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.
7 In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.

F59374 Transfers on the basis of an adequacy decision

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8174A Transfers based on adequacy regulations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

74AA Transfers approved by regulations

1 For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to—
a a third country, or
b an international organisation.
2 The Secretary of State may only make regulations under this section approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see section 74AB).
3 In making regulations under this section, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.
4 Regulations under this section may, among other things—
a make provision by reference to a third country or international organisation specified in the regulations or a description of country or organisation;
b approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;
c identify a transfer of personal data by any means, including by reference to—
i a sector or geographic area within a third country,
ii the controller or processor,
iii the recipient of the personal data,
iv the personal data transferred,
v the means by which the transfer is made, or
vi relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;
d confer a discretion on a person.
5 Regulations under this section are subject to the negative resolution procedure.

74AB The data protection test

1 For the purposes of section 74AA, the data protection test is met in relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—
a this Part, and
b Parts 5 to 7, so far as relevant to law enforcement processing.
2 In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—
a respect for the rule of law and for human rights in the country or by the organisation,
b the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,
c arrangements for judicial or non-judicial redress for data subjects in connection with such processing,
d rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,
e relevant international obligations of the country or organisation, and
f the constitution, traditions and culture of the country or organisation.
3 In subsections (1) and (2)—
a the references to the protection provided for data subjects are to that protection taken as a whole,
b the references to law enforcement processing are to processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and
c the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2).
4 When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))—
a the references in subsections (1) to (3) to personal data are to be read as references only to personal data likely to be the subject of such transfers, and
b the reference in subsection (2)(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.

74B Transfers approved by regulations: monitoring

F7151 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F7152 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations giving approval under section 74AA or to amend or revoke such regulations.
4 Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under section 74AA, the Secretary of State must, to the extent necessary, amend or revoke the regulations.
5 Where regulations under section 74AA are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation.
6 The Secretary of State must publish—
a a list of the third countries F233... and international organisations, and the descriptions of such countries F728... and organisations, which are for the time being approved by regulations under section 74AA as places or persons to which personal data may be transferred, and
b a list of the third countries F554... and international organisations, and the descriptions of such countries F647... and organisations, which have been but are no longer approved by such regulations.
7 In the case of regulations under section 74AA which approve only certain transfers to a third country or international organisation that are specified or described in the regulations (in accordance with section 74AA(4)(b))
F553a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b the lists published under subsection (6) must specify or describe the relevant transfers.

I86875 Transfers subject to appropriate safeguards

F2811 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1A A transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards only if—
a an appropriate legal instrument binds the intended recipient of the data (see subsection (4)), or
b the controller, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see subsection (5)).
2 The controller must inform the Commissioner about the categories of data transfers that take place in reliance on subsection (1A)(b) but not in reliance on section 73(4)(aa) (transfer to processor).
3 Where a transfer of data takes place in reliance on this section but not in reliance on section 73(4)(aa) (transfer to processor)
a the transfer must be documented,
b the documentation must be provided to the Commissioner on request, and
c the documentation must include, in particular—
i the date and time of the transfer,
ii the name of and any other pertinent information about the recipient,
iii the justification for the transfer, and
iv a description of the personal data transferred.
4 For the purposes of this section, a legal instrument is “appropriate”, in relation to a transfer of personal data, if—
a the instrument is intended to be relied on in connection with the transfer or that type of transfer,
b at least one competent authority is a party to the instrument, and
c each competent authority that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)).
5 For the purposes of this section, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—
a this Part, and
b Parts 5 to 7, so far as they relate to processing by a competent authority for any of the law enforcement purposes.
6 For the purposes of subsections (1A)(b) and (4)(c), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.
7 In this section, references to the protection provided for the data subject are to that protection taken as a whole.
8 For provision about standard data protection clauses which the Commissioner considers are capable of securing that the data protection test in this section is met, see section 119A.

I91176 Transfers based on special circumstances

A1 A transfer of personal data to a third country or international organisation is based on special circumstances where—
a it is made in the absence of approval by regulations under section 74AA and of compliance with section 75 (appropriate safeguards), and
b it is necessary for a special purpose.
1 A transfer of personal data is necessary for a special purpose if it is necessary—
a to protect the vital interests of the data subject or another person,
b to safeguard the legitimate interests of the data subject,
c for the prevention of an immediate and serious threat to the public security or national security of F422... a third country or the United Kingdom,
d in particular circumstances, for any of the law enforcement purposes, or
e in particular circumstances, for a legal purpose.
2 But a transfer of personal data is not necessary for a special purpose by virtue of subsection (1)(d) or (e) if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.
2A In accordance with the third data protection principle, the amount of personal data transferred in reliance on this section must not be excessive in relation to the special purpose relied on.
3 Where a transfer of data takes place in reliance on this section
a the transfer must be documented,
b the documentation must be provided to the Commissioner on request, and
c the documentation must include, in particular—
i the date and time of the transfer,
ii the name of and any other pertinent information about the recipient,
iii the justification for the transfer, and
iv a description of the personal data transferred.
4 For the purposes of this section, a transfer is necessary for a legal purpose if—
a it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,
b it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or
c it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.

Additional conditions

I92177 Additional conditions for transfers in reliance on section 73(4)(b)

1 The additional conditions referred to in section 73(4)(b)(ii) are the following four conditions.
2 Condition 1 is that the transfer is strictly necessary in a specific case for the performance of a task of the transferring controller as provided by law for any of the law enforcement purposes.
3 Condition 2 is that the transferring controller has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer.
4 Condition 3 is that the transferring controller considers that the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate (for example, where the transfer could not be made in sufficient time to enable its purpose to be fulfilled).
5 Condition 4 is that the transferring controller informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed.
6 Where personal data is transferred to a person in a third country in reliance on section 73(4)(b), the transferring controller must inform a relevant authority in that third country without undue delay of the transfer, unless this would be ineffective or inappropriate.
7 The transferring controller must—
a document any transfer to a recipient in a third country that takes place in reliance on section 73(4)(b), and
b inform the Commissioner about the transfer.
8 This section does not affect the operation of any international agreement in force between the United Kingdom and third countries in the field of judicial co-operation in criminal matters and police co-operation.

Subsequent transfers

I76678 Subsequent transfers

A1 Subsections (1) to (6) apply where a transfer to which section 73 applies takes place otherwise than in reliance on section 73(4)(aa) (transfer to processor).
1 F10... The transferring controller must make it a condition of the transfer
a that the personal data is not to be further transferred to a third country or international organisation without the authorisation of the transferring controller or another competent authority (the “UK authoriser”), or
b that—
i the personal data is not to be so transferred without such authorisation except where subsection (1A) applies, and
ii where a transfer is made without such authorisation, the UK authoriser must be informed without delay.
1A This subsection applies if—
a the transfer is necessary for the prevention of an immediate and serious threat to the public security or national security of a third country or the United Kingdom, and
b authorisation from the UK authoriser cannot be obtained in good time.
2 The UK authoriser may give an authorisation for the purposes of a condition described in subsection (1) only where the further transfer is necessary for a law enforcement purpose.
3 In deciding whether to give the authorisation, the UK authoriser must take into account (among any other relevant factors)—
a the seriousness of the circumstances leading to the request for authorisation,
b the purpose for which the personal data was originally transferred, and
c the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.
4 In a case where the personal data was originally transmitted or otherwise made available to the transferring controller or another competent authority by a member State F249..., the UK authoriser may not give an authorisation for the purposes of a condition described in subsection (1) unless that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.
5 Authorisation is not required as mentioned in subsection (4) if—
a the transfer is necessary for the prevention of an immediate and serious threat to the public security, national security or essential interests of a third country or the United Kingdom, and
b the authorisation cannot be obtained in good time.
6 Where a transfer is made in a case described in subsection (4) without the authorisation mentioned in that subsection (whether made with or without authorisation from the UK authoriser), the UK authoriser must, without delay, inform, the authority in the member State which would have been responsible for deciding whether to authorise the transfer F622....
7 Where a transfer takes place in reliance on section 73(4)(aa) (transfer to processor), the transferring controller must make it a condition of the transfer that the data is only to be further transferred to a third country or international organisation where—
a the terms of any relevant contract entered into, or authorisation given, by the transferring controller in accordance with section 59 are complied with, and
b the further transfer satisfies the requirements in section 73(1).

CHAPTER 6 Supplementary

78A National security exemption

1 A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.
2 The provisions are—
a Chapter 2 of this Part (principles), except for the provisions listed in subsection (3);
b Chapter 3 of this Part (rights of the data subject);
c in Chapter 4 of this Part—
i section 67 (notification of personal data breach to the Commissioner);
ii section 68 (communication of personal data breach to the data subject);
d Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4);
e in Part 5—
i section 119 (inspection in accordance with international obligations);
ia section 119A (standard clauses for transfers to third countries);
ii in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2;
f in Part 6—
i sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);
ii sections 170 to 173 (offences relating to personal data);
g in Part 7, section 187 (representation of data subjects).
3 The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are—
a section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful;
b section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing);
c section 42 (safeguards: sensitive processing);
d Schedule 8 (conditions for sensitive processing).
4 The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are—
a the following provisions of section 73—
i subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);
ii subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State);
b section 78 (subsequent transfers).

I96479 National security: certificate

F5221 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5222 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5223 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3A Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.
4 A certificate issued under subsection (3A)—
a may identify the personal data to which it applies by means of a general description, and
b may be expressed to have prospective effect.
5 Any person directly affected by the issuing of a certificate under subsection (3A) may appeal to the Tribunal against the certificate.
6 If, on an appeal under subsection (5), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may —
a allow the appeal, and
b quash the certificate.
7 Where in any proceedings under or by virtue of this Act, it is claimed by a controller that a certificate under subsection (3A) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.
8 But, subject to any determination under subsection (9), the certificate is to be conclusively presumed so to apply.
9 On an appeal under subsection (7), the Tribunal may determine that the certificate does not so apply.
10 A document purporting to be a certificate under subsection (3A) is to be—
a received in evidence, and
b deemed to be such a certificate unless the contrary is proved.
11 A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (3A) is—
a in any legal proceedings, evidence of that certificate, and
b in any legal proceedings in Scotland, sufficient evidence of that certificate.
12 The power conferred by subsection (3A) on a Minister of the Crown is exercisable only by—
a a Minister who is a member of the Cabinet, or
b the Attorney General or the Advocate General for Scotland.
F38313 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I97580 Special processing restrictions

1 Subsections (3) and (4) apply where, for a law enforcement purpose, a controller transmits or otherwise makes available personal data to a non-UK recipient.
2 In this section—
  • F419...
  • non-UK recipient” means—
    1. a recipient in a third country, or
    2. an international organisation.
3 The controller must consider whether, if the personal data had instead been transmitted or otherwise made available within the United Kingdom to another competent authority, processing of the data by the other competent authority would have been subject to any restrictions by virtue of any enactment or rule of law.
4 Where that would be the case, the controller must inform the non-UK recipient that the data is transmitted or otherwise made available subject to compliance by that person with the same restrictions (which must be set out in the information given to that person).
F2995 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F2996 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F2997 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I86381 Reporting of infringements

1 Each controller must implement effective mechanisms to encourage the reporting of an infringement of this Part.
2 The mechanisms implemented under subsection (1) must provide that an infringement may be reported to any of the following persons—
a the controller;
b the Commissioner.
3 The mechanisms implemented under subsection (1) must include—
a raising awareness of the protections provided by Part 4A of the Employment Rights Act 1996 and Part 5A of the Employment Rights (Northern Ireland) Order 1996 (S.I. 1996/1919 (N.I. 16)), and
b such other protections for a person who reports an infringement of this Part as the controller considers appropriate.
4 A person who reports an infringement of this Part does not breach—
a an obligation of confidence owed by the person, or
b any other restriction on the disclosure of information (however imposed).
5 Subsection (4) does not apply if or to the extent that the report includes a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
6 Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (5) has effect as if it included a reference to that Part.

PART 4 Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

I86582 Processing to which this Part applies

A1 This Part—
a applies to processing of personal data by an intelligence service, and
b applies to processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).
1 This Part applies only to—
a processing of personal data wholly or partly by automated means, and
b processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
2 In this Part, “intelligence service” means—
a the Security Service;
b the Secret Intelligence Service;
c the Government Communications Headquarters.
2A In this Part—
  • competent authority” has the same meaning as in Part 3;
  • qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.
3 A reference in this Part to the processing of personal data is to processing to which this Part applies.
4 Regulations under this section are subject to the affirmative resolution procedure.

82A Designation of processing by a qualifying competent authority

1 For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where—
a an application for designation of the processing is made in accordance with this section, and
b the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security.
2 The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service.
3 The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to—
a a country or territory outside the United Kingdom, or
b an international organisation.
4 A designation notice must—
a specify or describe the processing and qualifying competent authority that are designated, and
b be given to the applicants for the designation (and see also section 82D).
5 An application for designation of processing of personal data by a qualifying competent authority must be made jointly by—
a the qualifying competent authority, and
b the intelligence service with which the processing is to be carried out.
6 An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service.
7 The application must—
a describe the processing, including the intended purposes and means of processing, and
b explain why the applicants consider that designation is required for the purposes of safeguarding national security.
8 Before giving a designation notice, the Secretary of State must consult the Commissioner.
9 In this section, “joint controller”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104.

82B Duration of designation notice

1 A designation notice must state when it comes into force.
2 A designation notice ceases to be in force at the earliest of the following times—
a at the end of the period of 5 years beginning when the notice comes into force;
b (if relevant) at the end of a shorter period specified in the notice;
c when the notice is withdrawn under section 82C.
3 The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice.

82C Review and withdrawal of designation notice

1 Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force.
2 A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security.
3 A person who applied for the designation of the processing must, on a request from the Secretary of State, provide—
a a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and
b an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security.
4 The Secretary of State must at least annually—
a review each designation notice that is for the time being in force, and
b consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security.
5 The Secretary of State—
a may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and
b must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise).
6 A withdrawal notice must—
a withdraw the designation notice completely, and
b state when it comes into force.
7 In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider—
a the desirability of the processing ceasing to be designated as soon as possible, and
b where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data.

82D Records of designation notices

1 Where the Secretary of State gives a designation notice—
a the Secretary of State must send a copy of the notice to the Commissioner, and
b the Commissioner must publish a record of the notice.
2 The record must contain—
a the Secretary of State’s name,
b the date on which the notice was given,
c the date on which the notice ceases to have effect (if not previously withdrawn), and
d subject to subsection (3), the rest of the text of the notice.
3 The Commissioner must not publish the text, or a part of the text, of the notice if—
a the Secretary of State has determined that publishing the text or that part of the text—
i would be against the interests of national security,
ii would be contrary to the public interest, or
iii might jeopardise the safety of any person, and
b the Secretary of State has notified the Commissioner of that determination.
4 The Commissioner must keep the record of the notice available to the public while the notice is in force.
5 Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner.

82E Appeal against designation notice

1 A person directly affected by a designation notice may appeal to the Tribunal against the notice.
2 If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may—
a allow the appeal, and
b quash the notice.

Definitions

I81383 Meaning of “controller” and “processor”

A1 For the purposes of this Part—
a an intelligence service is the “controller” in relation to the processing of personal data if it satisfies subsection (1) alone or jointly with others, and
b a qualifying competent authority is the “controller” in relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.
1 This subsection is satisfied by a person who—
a determines the purposes and means of the processing of personal data, or
b is the controller by virtue of subsection (2).
2 Where personal data is processed only—
a for purposes for which it is required by an enactment to be processed, and
b by means by which it is required by an enactment to be processed,
the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
3 In this Part, “processor” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).

I83884 Other definitions

1 This section defines other expressions used in this Part.
2 Consent”, in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual's wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data.
2A Designation notice” has the meaning given in section 82A.
3 Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.
4 Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
5 Recipient”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a person to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.
6 Restriction of processing” means the marking of stored personal data with the aim of limiting its processing for the future.
6A Sensitive processing” has the meaning given in section 86(7).
6B Withdrawal notice” has the meaning given in section 82C.
7 Sections 3 and 205 include definitions of other expressions used in this Part.

CHAPTER 2 Principles

Overview

I88985 Overview

1 This Chapter sets out the six data protection principles as follows—
a section 86 sets out the first data protection principle (requirement that processing be lawful, fair and transparent);
b section 87 sets out the second data protection principle (requirement that the purposes of processing be specified, explicit and legitimate);
c section 88 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
d section 89 sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
e section 90 sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
f section 91 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
2 Each of sections 86, 87 and 91 makes provision to supplement the principle to which it relates.

The data protection principles

I10I85986 The first data protection principle

1 The first data protection principle is that the processing of personal data must be—
a lawful, and
b fair and transparent.
2 The processing of personal data is lawful only if and to the extent that—
a at least one of the conditions in Schedule 9 is met, and
b in the case of sensitive processing, at least one of the conditions in Schedule 10 is also met.
3 The Secretary of State may by regulations amend Schedule 10—
a by adding conditions;
b by varying or omitting conditions added by regulations under paragraph (a).
4 Regulations under subsection (3) are subject to the affirmative resolution procedure.
5 In determining whether the processing of personal data is fair and transparent, regard is to be had to the method by which it is obtained.
6 For the purposes of subsection (5), data is to be treated as obtained fairly and transparently if it consists of information obtained from a person who—
a is authorised by an enactment to supply it, or
b is required to supply it by an enactment or by an international obligation of the United Kingdom.
7 In this Part, “sensitive processing” means—
a the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
b the processing of genetic data for the purpose of uniquely identifying an individual;
c the processing of biometric data for the purpose of uniquely identifying an individual;
d the processing of data concerning health;
e the processing of data concerning an individual's sex life or sexual orientation;
f the processing of personal data as to—
i the commission or alleged commission of an offence by an individual, or
ii proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.

I76887 The second data protection principle

1 The second data protection principle is that—
a the purpose for which personal data is collected (whether from the data subject or otherwise) must be specified, explicit and legitimate, and
b personal data so collected must not be processed by or on behalf of a controller in a manner that is incompatible with the purpose for which the controller collected it.
2 Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
3 Personal data collected by a controller for one purpose may be processed for any other purpose of the controller that collected the data or any purpose of another controller provided that—
a the controller is authorised by law to process the data for that purpose, and
b the processing is necessary and proportionate to that other purpose.
4 Processing of personal data is to be regarded as compatible with the purpose for which it is collected if the processing—
a consists of—
i processing for archiving purposes in the public interest,
ii processing for the purposes of scientific or historical research, or
iii processing for statistical purposes, and
b is subject to appropriate safeguards for the rights and freedoms of the data subject.

I85188 The third data protection principle

The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

I92689 The fourth data protection principle

The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date.

I82290 The fifth data protection principle

The fifth data protection principle is that personal data must be kept for no longer than is necessary for the purpose for which it is processed.

I96991 The sixth data protection principle

1 The sixth data protection principle is that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.
2 The risks referred to in subsection (1) include (but are not limited to) accidental or unauthorised access to, or destruction, loss, use, modification or disclosure of, personal data.

91A Further provision about sensitive processing

1 The Secretary of State may by regulations—
a make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
b make provision so that added processing is not sensitive processing for the purposes of this Part,
c make provision so that a protected condition in Schedule 10 may or may not be relied on in connection with added processing, and
d make provision varying such a condition as it relates to added processing.
2 In subsection (1)—
  • added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);
  • protected condition in Schedule 10” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3).
3 Regulations under this section may amend this Part and sections 205 and 206.
4 Regulations under this section are subject to the affirmative resolution procedure.

CHAPTER 3 Rights of the data subject

Overview

I76092 Overview

1 This Chapter sets out the rights of the data subject as follows—
a section 93 deals with the information to be made available to the data subject;
b sections 94 and 95 deal with the right of access by the data subject;
c sections 96 and 97 deal with rights in relation to automated processing;
d section 98 deals with the right to information about decision-making;
e section 99 deals with the right to object to processing;
f section 100 deals with rights to rectification and erasure of personal data.
2 In this Chapter, “the controller”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.

Rights

I55693 Right to information

1 The controller must give a data subject the following information—
a the identity and the contact details of the controller;
b the legal basis on which, and the purposes for which, the controller processes personal data;
c the categories of personal data relating to the data subject that are being processed;
d the recipients or the categories of recipients of the personal data (if applicable);
e the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
f how to exercise rights under this Chapter;
g any other information needed to secure that the personal data is processed fairly and transparently.
2 The controller may comply with subsection (1) by making information generally available, where the controller considers it appropriate to do so.
3 The controller is not required under subsection (1) to give a data subject information that the data subject already has.
4 Where personal data relating to a data subject is collected by or on behalf of the controller from a person other than the data subject, the requirement in subsection (1) has effect, in relation to the personal data so collected, with the following exceptions—
a the requirement does not apply in relation to processing that is authorised by an enactment;
b the requirement does not apply in relation to the data subject if giving the information to the data subject would be impossible or involve disproportionate effort.

I11I89394 Right of access

1 An individual is entitled to obtain from a controller—
a confirmation as to whether or not personal data concerning the individual is being processed, and
b where that is the case—
i communication, in intelligible form, of the personal data of which that individual is the data subject, and
ii the information set out in subsection (2).
2 That information is—
a the purposes of and legal basis for the processing;
b the categories of personal data concerned;
c the recipients or categories of recipients to whom the personal data has been disclosed;
d the period for which the personal data is to be preserved;
e the existence of a data subject's rights to rectification and erasure of personal data (see section 100);
f the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
g any information about the origin of the personal data concerned.
2A Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.
3 A controller is not obliged to provide information under this section unless the controller has received such reasonable fee as the controller may require, subject to subsection (4).
4 The Secretary of State may by regulations—
a specify cases in which a controller may not charge a fee;
b specify the maximum amount of a fee.
5 Where a controller—
a reasonably requires further information—
i in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or
ii to locate the information which that individual seeks, and
b has informed that individual of that requirement,
the controller is not obliged to comply with the request unless the controller is supplied with that further information.
6 Where a controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, the controller is not obliged to comply with the request unless—
a the other individual has consented to the disclosure of the information to the individual making the request, or
b it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
7 In subsection (6), the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request.
8 Subsection (6) is not to be construed as excusing a controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
9 In determining for the purposes of subsection (6)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard must be had, in particular, to—
a any duty of confidentiality owed to the other individual,
b any steps taken by the controller with a view to seeking the consent of the other individual,
c whether the other individual is capable of giving consent, and
d any express refusal of consent by the other individual.
10 Subject to subsections (3), (5) and (6), a controller must comply with a request under subsection (1)—
a promptly, and
b in any event before the end of the applicable time period.
11 If a court is satisfied on the application of an individual who has made a request under subsection (1) that the controller in question has failed to comply with the request in contravention of this section, the court may order the controller to comply with the request.
12 A court may make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.
13 The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.
14 In this section—
  • the applicable time period” means the period of one month beginning with the relevant time, subject to subsection (14A);
  • the relevant time”, in relation to a request under subsection (1), means the latest of the following—
    1. when the controller receives the request,
    2. when the fee (if any) is paid, and
    3. when the controller receives the information (if any) required under subsection (5) in connection with the request.
14A The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
a the complexity of requests made by the data subject, or
b the number of such requests.
14B A notice under subsection (14A) must—
a be given before the end of the period of one month beginning with the relevant time, and
b state the reasons for the delay.
15 Regulations under this section are subject to the negative resolution procedure.

I80395 Right of access: supplementary

1 The controller must comply with the obligation imposed by section 94(1)(b)(i) by supplying the data subject with a copy of the information in writing unless—
a the supply of such a copy is not possible or would involve disproportionate effort, or
b the data subject agrees otherwise;
and where any of the information referred to in section 94(1)(b)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.
2 Where a controller has previously complied with a request made under section 94 by an individual, the controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
3 In determining for the purposes of subsection (2) whether requests under section 94 are made at reasonable intervals, regard must be had to—
a the nature of the data,
b the purpose for which the data is processed, and
c the frequency with which the data is altered.
4 The information to be supplied pursuant to a request under section 94 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
5 For the purposes of section 94(6) to (8), an individual can be identified from information to be disclosed to a data subject by a controller if the individual can be identified from—
a that information, or
b that and any other information that the controller reasonably believes the data subject making the request is likely to possess or obtain.

I95296 Right not to be subject to automated decision-making

1 The controller may not take a decision significantly affecting a data subject that is based on entirely automated processing of personal data relating to the data subject.
2 Subsection (1) does not prevent such a decision being made on that basis if—
a the decision is required or authorised by law,
b the data subject has given consent to the decision being made on that basis, or
c the decision is a decision taken in the course of steps taken—
i for the purpose of considering whether to enter into a contract with the data subject,
ii with a view to entering into such a contract, or
iii in the course of performing such a contract.
3 For the purposes of this section and section 97, a decision that has legal effects as regards an individual is to be regarded as significantly affecting the individual.
4 For the purposes of this section and section 97, a decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.

I89297 Right to intervene in automated decision-making

1 This section applies where—
a the controller takes a decision significantly affecting a data subject that is based on entirely automated processing of personal data relating to the data subject, and
b the decision is required or authorised by law.
2 This section does not apply to such a decision if—
a the data subject has given consent to the decision being made on that basis, or
b the decision is a decision taken in the course of steps taken—
i for the purpose of considering whether to enter into a contract with the data subject,
ii with a view to entering into such a contract, or
iii in the course of performing such a contract.
3 The controller must as soon as reasonably practicable notify the data subject that such a decision has been made.
4 The data subject may, before the end of the period of 1 month beginning with receipt of the notification, request the controller—
a to reconsider the decision, or
b to take a new decision that is not based on entirely automated processing.
5 If a request is made to the controller under subsection (4), the controller must, before the end of the period of 1 month beginning with receipt of the request—
a consider the request, including any information provided by the data subject that is relevant to it, and
b by notice in writing inform the data subject of the outcome of that consideration.
F6216 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I92898 Right to information about decision-making

1 Where—
a the controller processes personal data relating to a data subject, and
b results produced by the processing are applied to the data subject,
the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing.
2 Where the data subject makes a request under subsection (1), the controller must comply with the request without undue delay.

I97399 Right to object to processing

1 A data subject is entitled at any time, by notice given to the controller, to require the controller—
a not to process personal data relating to the data subject, or
b not to process such data for a specified purpose or in a specified manner,
on the ground that, for specified reasons relating to the situation of the data subject, the processing in question is an unwarranted interference with the interests or rights of the data subject.
2 Where the controller—
a reasonably requires further information—
i in order that the controller be satisfied as to the identity of the individual giving notice under subsection (1), or
ii to locate the data to which the notice relates, and
b has informed that individual of that requirement,
the controller is not obliged to comply with the notice unless the controller is supplied with that further information.
3 The controller must, before the end of 21 days beginning with the relevant time, give a notice to the data subject—
a stating that the controller has complied or intends to comply with the notice under subsection (1), or
b stating the controller's reasons for not complying with the notice to any extent and the extent (if any) to which the controller has complied or intends to comply with the notice under subsection (1).
4 If the controller does not comply with a notice under subsection (1) to any extent, the data subject may apply to a court for an order that the controller take steps for complying with the notice.
5 If the court is satisfied that the controller should comply with the notice (or should comply to any extent), the court may order the controller to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
6 A court may make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.
7 The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.
8 In this section, “the relevant time”, in relation to a notice under subsection (1), means—
a when the controller receives the notice, or
b if later, when the controller receives the information (if any) required under subsection (2) in connection with the notice.

I789100 Rights to rectification and erasure

1 If a court is satisfied on the application of a data subject that personal data relating to the data subject is inaccurate, the court may order the controller to rectify that data without undue delay.
2 If a court is satisfied on the application of a data subject that the processing of personal data relating to the data subject would infringe any of sections 86 to 91, the court may order the controller to erase that data without undue delay.
3 If personal data relating to the data subject must be maintained for the purposes of evidence, the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.
4 If—
a the data subject contests the accuracy of personal data, and
b the court is satisfied that the controller is not able to ascertain whether the data is accurate or not,
the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.
5 A court may make an order under this section in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for carrying out the rectification, erasure or restriction of processing that the court proposes to order.
6 The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.

CHAPTER 4 Controller and processor

Overview

I858101 Overview

This Chapter sets out—
a the general obligations of controllers and processors (see sections 102 to 106);
b specific obligations of controllers and processors with respect to security (see section 107);
c specific obligations of controllers and processors with respect to personal data breaches (see section 108).

General obligations

I363102 General obligations of the controller

Each controller must implement appropriate measures—
a to ensure, and
b to be able to demonstrate, in particular to the Commissioner,
that the processing of personal data complies with the requirements of this Part.

I34103 Data protection by design

1 Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.
2 A controller must implement appropriate technical and organisational measures which are designed to ensure that—
a the data protection principles are implemented, and
b risks to the rights and freedoms of data subjects are minimised.

I482104 Joint controllers

1 Where two or more controllers jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.
2 Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.
3 The arrangement must designate the controller which is to be the contact point for data subjects.

I684105 Processors

1 This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
2 The controller may use only a processor who undertakes—
a to implement appropriate measures that are sufficient to secure that the processing complies with this Part;
b to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.
3 If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

I853106 Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—
a on instructions from the controller, or
b to comply with a legal obligation.

Obligations relating to security

I955107 Security of processing

1 Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.
2 In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—
a prevent unauthorised processing or unauthorised interference with the systems used in connection with it,
b ensure that it is possible to establish the precise details of any processing that takes place,
c ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
d ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

Obligations relating to personal data breaches

I457108 Communication of a personal data breach

1 If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.
2 Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.
3 Subject to subsection (4), the notification must include—
a a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b the name and contact details of the contact point from whom more information can be obtained;
c a description of the likely consequences of the personal data breach;
d a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4 Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.
5 If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.
6 Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.
7 For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.

CHAPTER 5 Transfers of personal data outside the United Kingdom

I667109 Transfers of personal data outside the United Kingdom

1 A controller may not transfer personal data to—
a a country or territory outside the United Kingdom, or
b an international organisation,
unless the transfer falls within subsection (2).
2 A transfer of personal data falls within this subsection if the transfer is a necessary and proportionate measure carried out—
a for the purposes of the controller's statutory functions, or
b for other purposes provided for, in relation to the controller, in section 2(2)(a) of the Security Service Act 1989 or section 2(2)(a) or 4(2)(a) of the Intelligence Services Act 1994.

CHAPTER 6 Exemptions

I154110 National security

1 A provision mentioned in subsection (2) does not apply to personal data to which this Part applies if exemption from the provision is required for the purpose of safeguarding national security.
2 The provisions are—
a Chapter 2 of this Part (the data protection principles), except section 86(1)(a) and (2) and Schedules 9 and 10;
b Chapter 3 of this Part (rights of data subjects);
c in Chapter 4 of this Part, section 108 (communication of a personal data breach to the Commissioner);
d in Part 5—
i section 119 (inspection in accordance with international obligations);
ii in Schedule 13 (other general functions of the Commissioner), paragraphs 1(a) and (g) and 2;
e in Part 6—
i sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);
ii sections 170 to 173 (offences relating to personal data);
iii sections 174 to 176 (provision relating to the special purposes).

I659111 National security: certificate

1 Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in section 110(2) is, or at any time was, required for the purpose of safeguarding national security in respect of any personal data is conclusive evidence of that fact.
2 A certificate under subsection (1)—
a may identify the personal data to which it applies by means of a general description, and
b may be expressed to have prospective effect.
3 Any person directly affected by the issuing of a certificate under subsection (1) may appeal to the Tribunal against the certificate.
4 If on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may—
a allow the appeal, and
b quash the certificate.
5 Where, in any proceedings under or by virtue of this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.
6 But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.
7 On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.
8 A document purporting to be a certificate under subsection (1) is to be—
a received in evidence, and
b deemed to be such a certificate unless the contrary is proved.
9 A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—
a in any legal proceedings, evidence of that certificate, and
b in any legal proceedings in Scotland, sufficient evidence of that certificate.
10 The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—
a a Minister who is a member of the Cabinet, or
b the Attorney General or the Advocate General for Scotland.

I151112 Other exemptions

Schedule 11 provides for further exemptions.

I12I679113 Power to make further exemptions

1 The Secretary of State may by regulations amend Schedule 11—
a by adding exemptions from any provision of this Part;
b by omitting exemptions added by regulations under paragraph (a).
2 Regulations under this section are subject to the affirmative resolution procedure.

C5C24PART 5 The Information Commissioner

The Commissioner

I823114 The Information Commissioner

1 There is to continue to be an Information Commissioner.
2 Schedule 12 makes provision about the Commissioner.

The Information Commission

114A The Information Commission

1 A body corporate called the Information Commission is established.
2 Schedule 12A makes further provision about the Commission.

General functions

I888115 General functions under the UK GDPR and safeguards

F3871 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 General functions are conferred on the Commissioner by—
a Article 57 of the UK GDPR (tasks), and
b Article 58 of the UK GDPR (powers),
(and see also the Commissioner's duty under section 2 and section 28(5)).
3 The Commissioner's functions in relation to the processing of personal data to which the UK GDPR applies include—
a a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data, and
b a power to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
4 The Commissioner's functions under Article 58 of the UK GDPR are subject to the safeguards in subsections (5) to (9).
5 The Commissioner's power under Article 58(1)(a) of the UK GDPR (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner's tasks under the UK GDPR) is exercisable only by giving an information notice under section 142.
6 The Commissioner's power under Article 58(1)(b) of the UK GDPR (power to carry out data protection audits) is exercisable only in accordance with section 146.
7 The Commissioner's powers under Article 58(1)(e) and (f) of the UK GDPR (power to obtain information from controllers and processors and access to their premises) are exercisable only—
a in accordance with Schedule 15 (see section 154), or
b to the extent that they are exercised in conjunction with the power under Article 58(1)(b) of the UK GDPR, in accordance with section 146.
8 The following powers are exercisable only by giving an enforcement notice under section 149—
a the Commissioner's powers under Article 58(2)(c) to (g) and (j) of the UK GDPR (certain corrective powers);
b the Commissioner's powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the UK GDPR.
9 The Commissioner's powers under Articles 58(2)(i) and 83 of the UK GDPR (administrative fines) are exercisable only by giving a penalty notice under section 155.
10 This section is without prejudice to other functions conferred on the Commissioner, whether by the UK GDPR, this Act or otherwise.

I857116 Other general functions

A1 The Commissioner is responsible for monitoring the application of Part 3 of this Act, in order to protect the fundamental rights and freedoms of individuals in relation to processing by a competent authority for any of the law enforcement purposes (as defined in Part 3) and to facilitate the free flow of personal data.
1 The Commissioner—
F729a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b is to continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Data Protection Convention.
2 Schedule 13 confers general functions on the Commissioner in connection with processing to which the UK GDPR does not apply (and see also the Commissioner's duty under section 2).
3 This section and Schedule 13 are without prejudice to other functions conferred on the Commissioner, whether by this Act or otherwise.

I901117 Competence in relation to courts etc

Nothing in this Act or the UK GDPR permits or requires the Commissioner to exercise functions in relation to the processing of personal data by—
a an individual acting in a judicial capacity, or
b a court or tribunal acting in its judicial capacity F192...
F192....

International role

I885118 Co-operation between parties to the Data Protection Convention

F5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5132 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5133 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F5134 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5 Part 2 of Schedule 14 makes provision as to the functions to be carried out by the Commissioner for the purposes of Article 13 of the Data Protection Convention (co-operation between parties).

I932119 Inspection of personal data in accordance with international obligations

1 The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2).
2 The power under subsection (1) is exercisable only if the personal data—
a is processed wholly or partly by automated means, or
b is processed otherwise than by automated means and forms part of a filing system or is intended to form part of a filing system.
3 The power under subsection (1) includes power to inspect, operate and test equipment which is used for the processing of personal data.
4 Before exercising the power under subsection (1), the Commissioner must by written notice inform the controller and any processor that the Commissioner intends to do so.
5 Subsection (4) does not apply if the Commissioner considers that the case is urgent.
6 It is an offence—
a intentionally to obstruct a person exercising the power under subsection (1), or
b to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.
7 Paragraphs (c) and (d) of section 3(14) do not apply to references in this section to personal data, the processing of personal data, a controller or a processor.

119A Standard clauses for transfers to third countries etc

1 The Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers are capable of securing that the data protection test set out in Article 46 of the UK GDPR or section 75 of this Act (or both) is met in relation to transfers of personal data.
2 The Commissioner may issue a document that amends or withdraws a document issued under subsection (1).
3 A document issued under this section—
a must specify when it comes into force,
aa may make provision generally or in relation to types of transfer described in the document,
b may make different provision for different purposes, and
c may include transitional provision or savings.
4 Before issuing a document under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
a trade associations;
b data subjects;
c persons who appear to the Commissioner to represent the interests of data subjects.
5 After a document is issued under this section—
a the Commissioner must send a copy to the Secretary of State, and
b the Secretary of State must lay it before Parliament.
6 If, within the 40-day period, either House of Parliament resolves not to approve the document then, with effect from the end of the day on which the resolution is passed, the document is to be treated as not having been issued under this section (so that the document, and any amendment or withdrawal made by the document, is to be disregarded for the purposes of Article 46(2)(d) of the UK GDPR).
7 Nothing in subsection (6)—
a affects any transfer of personal data previously made in reliance on the document, or
b prevents a further document being laid before Parliament.
8 The Commissioner must publish—
a a document issued under this section, and
b a notice identifying any document which, under subsection (6), is treated as not having been issued under this section.
9 The Commissioner must keep under review the clauses specified in a document issued under this section for the time being in force.
10 In this section, “the 40-day period” means—
a if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
b if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
11 In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
12 In this section, “trade association” includes a body representing controllers or processors.

I847120 Further international role

1 The Commissioner must, in relation to third countries and international organisations, take appropriate steps to—
a develop international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
b provide international mutual assistance in the enforcement of legislation for the protection of personal data, subject to appropriate safeguards for the protection of personal data and F340... fundamental rights and freedoms;
c engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;
d promote the exchange and documentation of legislation and practice for the protection of personal data, including legislation and practice relating to jurisdictional conflicts with third countries.
2 Subsection (1) applies only in connection with the processing of personal data to which the UK GDPR does not apply; for the equivalent duty in connection with the processing of personal data to which the UK GDPR applies, see Article 50 of the UK GDPR (international co-operation for the protection of personal data).
2A The Commissioner may contribute to the activities of international organisations with data protection functions.
3 The Commissioner must carry out data protection functions which the Secretary of State directs the Commissioner to carry out for the purpose of enabling Her Majesty's Government in the United Kingdom to give effect to an international obligation of the United Kingdom.
4 The Commissioner may provide an authority carrying out data protection functions under the law of a British overseas territory with assistance in carrying out those functions.
5 The Secretary of State may direct that assistance under subsection (4) is to be provided on terms, including terms as to payment, specified or approved by the Secretary of State.
6 In this section—
  • data protection functions” means functions relating to the protection of individuals with respect to the processing of personal data;
  • mutual assistance in the enforcement of legislation for the protection of personal data” includes assistance in the form of notification, complaint referral, investigative assistance and information exchange;
  • third country” means a country or territory outside the United Kingdom.
7 Section 3(14)(c) does not apply to references to personal data and the processing of personal data in this section.

Duties in carrying out functions

120A Principal objective

It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—
a to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and
b to promote public trust and confidence in the processing of personal data.

120B Duties in relation to functions under the data protection legislation

In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—
a the desirability of promoting innovation;
b the desirability of promoting competition;
c the importance of the prevention, investigation, detection and prosecution of criminal offences;
d the need to safeguard public security and national security;
e the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

120C Strategy

1 The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—
a sections 120A and 120B,
b section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and
c section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).
2 The Commissioner must—
a review the strategy from time to time, and
b revise the strategy as appropriate.
3 The Commissioner must publish the strategy and any revised strategy.

120D Duty to consult other regulators

1 The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.
2 The persons are—
a such persons exercising regulatory functions as the Commissioner considers appropriate;
b such other persons as the Commissioner considers appropriate.
3 In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.

Codes of practice

I897121 Data-sharing code

1 The Commissioner must prepare a code of practice which contains—
a practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation, and
b such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.
2 Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
3 Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
a trade associations;
b data subjects;
c persons who appear to the Commissioner to represent the interests of data subjects.
4 A code under this section may include transitional provision or savings.
5 In this section—
  • good practice in the sharing of personal data” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
  • the sharing of personal data” means the disclosure of personal data by transmission, dissemination or otherwise making it available;
  • trade association” includes a body representing controllers or processors.

I843122 Direct marketing code

1 The Commissioner must prepare a code of practice which contains—
a practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), and
b such other guidance as the Commissioner considers appropriate to promote good practice in direct marketing.
2 Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
3 Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
a trade associations;
b data subjects;
c persons who appear to the Commissioner to represent the interests of data subjects.
4 A code under this section may include transitional provision or savings.
5 In this section—
  • direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;
  • good practice in direct marketing” means such practice in direct marketing as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements mentioned in subsection (1)(a);
  • trade association” includes a body representing controllers or processors.

I213123 Age-appropriate design code

1 The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
2 Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
3 Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such other persons as the Commissioner considers appropriate, including—
a children,
b parents,
c persons who appear to the Commissioner to represent the interests of children,
d child development experts, and
e trade associations.
4 In preparing a code or amendments under this section, the Commissioner must have regard—
a to the fact that children have different needs at different ages, and
b to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.
5 A code under this section may include transitional provision or savings.
6 Any transitional provision included in the first code under this section must cease to have effect before the end of the period of 12 months beginning when the code comes into force.
7 In this section—
  • age-appropriate design” means the design of services so that they are appropriate for use by, and meet the development needs of, children;
  • information society services” has the same meaning as in the UK GDPR, but does not include preventive or counselling services;
  • relevant information society services” means information society services which involve the processing of personal data to which the UK GDPR applies;
  • standards of age-appropriate design of relevant information society services” means such standards of age-appropriate design of such services as appear to the Commissioner to be desirable having regard to the best interests of children;
  • trade association” includes a body representing controllers or processors;
  • the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.

I873124 Data protection and journalism code

1 The Commissioner must prepare a code of practice which contains—
a practical guidance in relation to the processing of personal data for the purposes of journalism in accordance with the requirements of the data protection legislation, and
b such other guidance as the Commissioner considers appropriate to promote good practice in the processing of personal data for the purposes of journalism.
2 Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
3 Before preparing a code or amendments under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—
a trade associations;
b data subjects;
c persons who appear to the Commissioner to represent the interests of data subjects.
4 A code under this section may include transitional provision or savings.
5 In this section—
  • good practice in the processing of personal data for the purposes of journalism” means such practice in the processing of personal data for those purposes as appears to the Commissioner to be desirable having regard to—
    1. the interests of data subjects and others F2..., and
    2. the special importance of the public interest in the freedom of expression and information;
      and includes compliance with the requirements of the data protection legislation;
  • trade association” includes a body representing controllers or processors.

124A Other codes of practice

1 The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.
2 Regulations under this section—
a must describe the personal data or processing to which the code of practice is to relate, and
b may describe the persons or classes of person to whom it is to relate.
3 Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
4 Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
a trade associations;
b data subjects;
c persons who appear to the Commissioner to represent the interests of data subjects.
5 A code under this section may include transitional provision or savings.
6 Regulations under this section are subject to the negative resolution procedure.
7 In this section—
  • good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
  • trade association” includes a body representing controllers or processors.

124B  Panels to consider codes of practice

1 This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11).
2 The Commissioner must establish a panel of individuals to consider the code.
3 The panel must consist of—
a individuals the Commissioner considers have expertise in the subject matter of the code, and
b individuals the Commissioner considers—
i are likely to be affected by the code, or
ii represent persons likely to be affected by the code.
4 Before the panel begins to consider the code, the Commissioner must—
a publish the code in draft, and
b publish a statement that—
i states that a panel has been established to consider the code,
ii identifies the members of the panel,
iii explains the process by which they were selected, and
iv explains the reasons for their selection.
5 Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.
6 Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that—
a identifies the member of the panel,
b explains the process by which the member was selected, and
c explains the reasons for the member’s selection.
7 The Commissioner must make arrangements—
a for the members of the panel to consider the code with one another (whether in person or otherwise), and
b for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner.
8 If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—
a make any alterations to the code that the Commissioner considers appropriate in the light of the report, and
b publish—
i the code in draft,
ii the report or a summary of it, and
iii in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.
9 The Commissioner may pay remuneration and expenses to the members of the panel.
10 This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11).
11 The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of—
a a code prepared under section 124A, or
b an amendment of such a code,
that is specified or described in the regulations.
12 Regulations under this section are subject to the negative resolution procedure.

124C Impact assessments for codes of practice

1 Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of—
a who would be likely to be affected by the code, and
b the effect the code would be likely to have on them.
2 This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.

I30I196125 Approval of codes prepared under sections 121 to 124A

1 When a code is prepared under section 121, 122, 123 , 124 or 124A
a the Commissioner must submit the final version to the Secretary of State, and
b the Secretary of State must lay the code before Parliament.
F7192 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 If, within the 40-day period, either House of Parliament resolves not to approve a code prepared under section 121, 122, 123 , 124 or 124A, the Commissioner must not issue the code.
4 If no such resolution is made within that period—
a the Commissioner must issue the code, and
b the code comes into force at the end of the period of 21 days beginning with the day on which it is issued.
5 If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.
6 Nothing in subsection (3) prevents another version of the code being laid before Parliament.
7 In this section, “the 40-day period” means—
a if the code is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
b if the code is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
8 In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
9 This section, other than subsection (5), applies in relation to amendments prepared under section 121, 122, 123 , 124 or 124A as it applies in relation to codes prepared under those sections.

I31I424126 Publication and review of codes issued under section 125(4)

1 The Commissioner must publish a code issued under section 125(4).
2 Where an amendment of a code is issued under section 125(4), the Commissioner must publish—
a the amendment, or
b the code as amended by it.
3 The Commissioner must keep under review each code issued under section 125(4) for the time being in force.
4 Where the Commissioner becomes aware that the terms of such a code could result in a breach of an international obligation of the United Kingdom, the Commissioner must exercise the power under section 121(2), 122(2), 123(2) , 124(2) or 124A(3) with a view to remedying the situation.

I32I227127 Effect of codes issued under section 125(4)

1 A failure by a person to act in accordance with a provision of a code issued under section 125(4) does not of itself make that person liable to legal proceedings in a court or tribunal.
2 A code issued under section 125(4), including an amendment or replacement code, is admissible in evidence in legal proceedings.
3 In any proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code issued under section 125(4) in determining a question arising in the proceedings if—
a the question relates to a time when the provision was in force, and
b the provision appears to the court or tribunal to be relevant to the question.
4 Where the Commissioner is carrying out a function described in subsection (5), the Commissioner must take into account a provision of a code issued under section 125(4) in determining a question arising in connection with the carrying out of the function if—
a the question relates to a time when the provision was in force, and
b the provision appears to the Commissioner to be relevant to the question.
5 Those functions are functions under—
a the data protection legislation, or
b the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).

F120128 Other codes of practice

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Consensual audits

I867129 Consensual audits

1 The Commissioner's functions under Article 58(1) of the UK GDPR and paragraph 1 of Schedule 13 include power, with the consent of a controller or processor, to carry out an assessment of whether the controller or processor is complying with good practice in the processing of personal data.
2 The Commissioner must inform the controller or processor of the results of such an assessment.
3 In this section, “good practice in the processing of personal data” has the same meaning as in section 124A.

Records of national security certificates

I900130 Records of national security certificates

1 A Minister of the Crown who issues a certificate under section 27, 79 or 111 must send a copy of the certificate to the Commissioner.
2 If the Commissioner receives a copy of a certificate under subsection (1), the Commissioner must publish a record of the certificate.
3 The record must contain—
a the name of the Minister who issued the certificate,
b the date on which the certificate was issued, and
c subject to subsection (4), the text of the certificate.
4 The Commissioner must not publish the text, or a part of the text, of the certificate if—
a the Minister determines that publishing the text or that part of the text—
i would be against the interests of national security,
ii would be contrary to the public interest, or
iii might jeopardise the safety of any person, and
b the Minister has notified the Commissioner of that determination.
5 The Commissioner must keep the record of the certificate available to the public while the certificate is in force.
6 If a Minister of the Crown revokes a certificate issued under section 27, 79 or 111, the Minister must notify the Commissioner.

Information provided to the Commissioner

I825131 Disclosure of information to the Commissioner

1 No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner with information necessary for the discharge of the Commissioner's functions.
2 But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
3 Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.

I769132 Confidentiality of information

1 A person who is or has been the Commissioner, or a member of the Commissioner's staff or an agent of the Commissioner, must not disclose information which—
a has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner's functions,
b relates to an identified or identifiable individual or business, and
c is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,
unless the disclosure is made with lawful authority.
2 For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—
a the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,
b the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),
c the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner's functions,
F640d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
e the disclosure was made for the purposes of criminal or civil proceedings, however arising, or
f having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.
3 It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).

I971133 Guidance about privileged communications

1 The Commissioner must produce and publish guidance about—
a how the Commissioner proposes to secure that privileged communications which the Commissioner obtains or has access to in the course of carrying out the Commissioner's functions are used or disclosed only so far as necessary for carrying out those functions, and
b how the Commissioner proposes to comply with restrictions and prohibitions on obtaining or having access to privileged communications which are imposed by an enactment.
2 The Commissioner—
a may alter or replace the guidance, and
b must publish any altered or replacement guidance.
3 The Commissioner must consult the Secretary of State before publishing guidance under this section (including altered or replacement guidance).
4 The Commissioner must arrange for guidance under this section (including altered or replacement guidance) to be laid before Parliament.
5 In this section, “privileged communications” means—
a communications made—
i between a professional legal adviser and the adviser's client, and
ii in connection with the giving of legal advice to the client with respect to legal obligations, liabilities or rights, and
b communications made—
i between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
ii in connection with or in contemplation of legal proceedings, and
iii for the purposes of such proceedings.
6 In subsection (5)—
a references to the client of a professional legal adviser include references to a person acting on behalf of the client, and
b references to a communication include—
i a copy or other record of the communication, and
ii anything enclosed with or referred to in the communication if made as described in subsection (5)(a)(ii) or in subsection (5)(b)(ii) and (iii).

Fees

I881134 Fees for services

The Commissioner may require a person other than a data subject or a data protection officer to pay a reasonable fee for a service provided to the person, or at the person's request, which the Commissioner is required or authorised to provide under the data protection legislation.

I886135 Manifestly unfounded or excessive requests by data subjects etc

A1 This section makes provision about cases in which a request made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is manifestly unfounded or excessive.
1 F458... The Commissioner may—
a charge a reasonable fee for dealing with the request, or
b refuse to act on the request.
1A In subsection (1)—
a the reference in paragraph (a) to charging a reasonable fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and
b paragraph (b) is not to be read as implying anything about whether the Commissioner may refuse to act on requests that are neither manifestly unfounded nor excessive.
2 An example of a request that may be excessive is one that merely repeats the substance of previous requests.
3 In any proceedings where there is an issue as to whether a request described in subsection (A1) is manifestly unfounded or excessive, it is for the Commissioner to show that it is.
F6254 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5 Article 57(3) of the UK GDPR (performance of Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.

I784136 Guidance about fees

1 The Commissioner must produce and publish guidance about the fees the Commissioner proposes to charge in accordance with—
a section 134 or 135, F20...
F20b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 Before publishing the guidance, the Commissioner must consult the Secretary of State.

Charges

I13I811137 Charges payable to the Commissioner by controllers

1 The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner.
2 Regulations under subsection (1) may require a controller to pay a charge regardless of whether the Commissioner has provided, or proposes to provide, a service to the controller.
3 Regulations under subsection (1) may—
a make provision about the time or times at which, or period or periods within which, a charge must be paid;
b make provision for cases in which a discounted charge is payable;
c make provision for cases in which no charge is payable;
d make provision for cases in which a charge which has been paid is to be refunded.
4 In making regulations under subsection (1), the Secretary of State must have regard to the desirability of securing that the charges payable to the Commissioner under such regulations are sufficient to offset—
a expenses incurred by the Commissioner in discharging the Commissioner's functions—
i under the data protection legislation,
ii under the Data Protection Act 1998,
iii under or by virtue of sections 108 and 109 of the Digital Economy Act 2017, and
iv under or by virtue of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426),
b any expenses of the Secretary of State in respect of the Commissioner so far as attributable to those functions,
c to the extent that the Secretary of State considers appropriate, any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and
d to the extent that the Secretary of State considers appropriate, expenses incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the Superannuation Act 1972 or section 1 of the Public Service Pensions Act 2013.
5 The Secretary of State may from time to time require the Commissioner to provide information about the expenses referred to in subsection (4)(a).
6 The Secretary of State may by regulations make provision—
a requiring a controller to provide information to the Commissioner, or
b enabling the Commissioner to require a controller to provide information to the Commissioner,
for either or both of the purposes mentioned in subsection (7).
7 Those purposes are—
a determining whether a charge is payable by the controller under regulations under subsection (1);
b determining the amount of a charge payable by the controller.
8 The provision that may be made under subsection (6)(a) includes provision requiring a controller to notify the Commissioner of a change in the controller's circumstances of a kind specified in the regulations.

I14I758138 Regulations under section 137: supplementary

1 Before making regulations under section 137(1) or (6), the Secretary of State must consult such representatives of persons likely to be affected by the regulations as the Secretary of State thinks appropriate (and see also section 182).
2 The Commissioner—
a must keep under review the working of regulations under section 137(1) or (6), and
b may from time to time submit proposals to the Secretary of State for amendments to be made to the regulations.
3 The Secretary of State must review the working of regulations under section 137(1) or (6)—
a at the end of the period of 5 years beginning with the making of the first set of regulations under section 108 of the Digital Economy Act 2017, and
b at the end of each subsequent 5 year period.
4 Regulations under section 137(1) are subject to the negative resolution procedure if—
a they only make provision increasing a charge for which provision is made by previous regulations under section 137(1) or section 108(1) of the Digital Economy Act 2017, and
b they do so to take account of an increase in the retail prices index since the previous regulations were made.
5 Subject to subsection (4), regulations under section 137(1) or (6) are subject to the affirmative resolution procedure.
6 In subsection (4), “the retail prices index” means—
a the general index of retail prices (for all items) published by the Statistics Board, or
b where that index is not published for a month, any substitute index or figures published by the Board.
7 Regulations under section 137(1) or (6) may not apply to—
a Her Majesty in her private capacity,
b Her Majesty in right of the Duchy of Lancaster, or
c the Duke of Cornwall.

Reports etc

I872139 Reporting to Parliament

1 The Commissioner must—
a produce a general report on the carrying out of the Commissioner's functions annually,
b arrange for it to be laid before Parliament, and
c publish it.
1A In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)—
a a review of what the Commissioner has done during the reporting period to comply with the duties under—
i sections 120A and 120B,
ii section 108 of the Deregulation Act 2015, and
iii section 21 of the Legislative and Regulatory Reform Act 2006,
including a review of the operation of the strategy prepared and published under section 120C;
b a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D.
1B In subsection (1A), “the reporting period” means the period to which the report relates.
F5412 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2A The report under this section may include the annual report under section 161A.
3 The Commissioner may produce other reports relating to the carrying out of the Commissioner's functions and arrange for them to be laid before Parliament.

139A Analysis of performance

1 The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators.
2 The analysis must be prepared and published at least annually.
3 In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.

Documents and notices

I970140 Publication by the Commissioner

A duty under this Act for the Commissioner to publish a document is a duty for the Commissioner to publish it, or to arrange for it to be published, in such form and manner as the Commissioner considers appropriate.

I765141 Notices from the Commissioner

1 This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.
2 The notice may be given to an individual—
a by delivering it to the individual,
b by sending it to the individual by post addressed to the individual at his or her usual or last-known place of residence or business, or
c by leaving it for the individual at that place.
3 The notice may be given to a body corporate or unincorporate—
a by sending it by post to the proper officer of the body at its principal office, or
b by addressing it to the proper officer of the body and leaving it at that office.
4 The notice may be given to a partnership in Scotland—
a by sending it by post to the principal office of the partnership, or
b by addressing it to that partnership and leaving it at that office.
5 The notice may be given to the person by other means, including by electronic means, with the person's consent.
6 In this section—
  • principal office”, in relation to a registered company, means its registered office;
  • proper officer”, in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs;
  • registered company” means a company registered under the enactments relating to companies for the time being in force in the United Kingdom.
7 This section is without prejudice to any other lawful method of giving a notice.

C26C5PART 6 Enforcement

Information notices

I870142 Information notices

1 The Commissioner may, by written notice (an “information notice”)—
a require a controller or processor to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of carrying out the Commissioner's functions under the data protection legislation, or
b require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—
i investigating a suspected failure of a type described in section 149(2) or a suspected offence under this Act, or
ii determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.
2 An information notice must state—
a whether it is given under subsection (1)(a), (b)(i) or (b)(ii), and
b why the Commissioner requires the information.
3 An information notice—
a may specify or describe particular information or a category of information;
b may specify the form in which the information must be provided;
c may specify the time at which, or the period within which, the information must be provided;
d may specify the place where the information must be provided;
(but see the restrictions in subsections (5) to (7)).
4 An information notice must provide information about—
a the consequences of failure to comply with it, and
b the rights under sections 162 and 164 (appeals etc).
5 An information notice may not require a person to provide information before the end of the period within which an appeal can be brought against the notice.
6 If an appeal is brought against an information notice, the information need not be provided pending the determination or withdrawal of the appeal.
7 If an information notice—
a states that, in the Commissioner's opinion, the information is required urgently, and
b gives the Commissioner's reasons for reaching that opinion,
subsections (5) and (6) do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.
8 The Commissioner may cancel an information notice by written notice to the person to whom it was given.
9 In subsection (1), in relation to a person who is a controller or processor for the purposes of the UK GDPR, the reference to a controller or processor includes a representative of a controller or processor designated under Article 27 of the UK GDPR (representatives of controllers or processors not established in the United Kingdom).
10 Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (1)(b).

I835143 Information notices: restrictions

1 The Commissioner may not give an information notice with respect to the processing of personal data for the special purposes unless—
a a determination under section 174 with respect to the data or the processing has taken effect, or
b the Commissioner—
i has reasonable grounds for suspecting that such a determination could be made, and
ii the information is required for the purposes of making such a determination.
2 An information notice does not require a person to give the Commissioner information to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.
3 An information notice does not require a person to give the Commissioner information in respect of a communication which is made—
a between a professional legal adviser and the adviser's client, and
b in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
4 An information notice does not require a person to give the Commissioner information in respect of a communication which is made—
a between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
b in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
c for the purposes of such proceedings.
5 In subsections (3) and (4), references to the client of a professional legal adviser include references to a person acting on behalf of the client.
6 An information notice does not require a person to provide the Commissioner with information if doing so would, by revealing evidence of the commission of an offence expose the person to proceedings for that offence.
7 The reference to an offence in subsection (6) does not include an offence under—
a this Act;
b section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);
c section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);
d Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
8 An oral or written statement provided by a person in response to an information notice may not be used in evidence against that person on a prosecution for an offence under this Act (other than an offence under section 144) unless in the proceedings—
a in giving evidence the person provides information inconsistent with the statement, and
b evidence relating to the statement is adduced, or a question relating to it is asked, by that person or on that person's behalf.
9 In subsection (6), in relation to an information notice given to a representative of a controller or processor designated under Article 27 of the UK GDPR, the reference to the person providing the information being exposed to proceedings for an offence includes a reference to the controller or processor being exposed to such proceedings.

I306144 False statements made in response to information notices

It is an offence for a person, in response to an information notice—
a to make a statement which the person knows to be false in a material respect, or
b recklessly to make a statement which is false in a material respect.

I445145 Information orders

1 This section applies if, on an application by the Commissioner, a court is satisfied that a person has failed to comply with a requirement of an information notice.
2 The court may make an order requiring the person to provide to the Commissioner some or all of the following—
a information referred to in the information notice;
b other information which the court is satisfied the Commissioner requires, having regard to the statement included in the notice in accordance with section 142(2)(b).
3 The order—
a may specify the form in which the information must be provided,
b must specify the time at which, or the period within which, the information must be provided, and
c may specify the place where the information must be provided.

Assessment notices

I359146 Assessment notices

1 The Commissioner may by written notice (an “assessment notice”) require a controller or processor to permit the Commissioner to carry out an assessment of whether the controller or processor has complied or is complying with the data protection legislation.
2 An assessment notice may require the controller or processor to do any of the following—
a permit the Commissioner to enter specified premises;
b direct the Commissioner to documents on the premises that are of a specified description;
c assist the Commissioner to view information of a specified description that is capable of being viewed using equipment on the premises;
d comply with a request from the Commissioner for a copy (in such form as may be requested) of—
i the documents to which the Commissioner is directed;
ii the information which the Commissioner is assisted to view;
e direct the Commissioner to equipment or other material on the premises which is of a specified description;
f permit the Commissioner to inspect or examine the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
g provide the Commissioner with an explanation of such documents, information, equipment or material;
h permit the Commissioner to observe the processing of personal data that takes place on the premises;
i make available for interview by the Commissioner a specified number of people of a specified description who process personal data on behalf of the controller, not exceeding the number who are willing to be interviewed;
j make arrangements for an approved person to prepare a report on a specified matter;
k provide to the Commissioner a report prepared in pursuance of such arrangements.
3 In subsection (2), references to the Commissioner include references to the Commissioner's officers and staff.
3A An assessment notice that requires a controller or processor to make arrangements for an approved person to prepare a report may require the arrangements to include specified terms as to—
a the preparation of the report;
b the contents of the report;
c the form in which the report is to be provided;
d the date by which the report is to be completed.
4 An assessment notice must, in relation to each requirement imposed by the notice, specify the time or times at which, or period or periods within which, the requirement must be complied with (but see the restrictions in subsections (6) to (9)).
5 An assessment notice must provide information about—
a the consequences of failure to comply with it, and
b the rights under sections 162 and 164 (appeals etc).
6 An assessment notice may not require a person to do anything before the end of the period within which an appeal can be brought against the notice.
7 If an appeal is brought against an assessment notice, the controller or processor need not comply with a requirement in the notice pending the determination or withdrawal of the appeal.
8 If an assessment notice—
a states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice urgently,
b gives the Commissioner's reasons for reaching that opinion, and
c does not meet the conditions in subsection (9)(a) to (d),
subsections (6) and (7) do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.
9 If an assessment notice—
a states that, in the Commissioner's opinion, there are reasonable grounds for suspecting that a controller or processor has failed or is failing as described in section 149(2) or that an offence under this Act has been or is being committed,
b indicates the nature of the suspected failure or offence,
c does not specify domestic premises,
d states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice in less than 7 days, and
e gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply.
10 The Commissioner may cancel an assessment notice by written notice to the controller or processor to whom it was given.
11 Where the Commissioner gives an assessment notice to a processor, the Commissioner must, so far as reasonably practicable, give a copy of the notice to each controller for whom the processor processes personal data.
11A Where the Commissioner gives an assessment notice that requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.
12 In this section—
  • approved person”, in relation to a report, means a person approved to prepare the report in accordance with section 146A;
  • domestic premises” means premises, or a part of premises, used as a dwelling;
  • specified” means specified in an assessment notice.

146A Assessment notices: approval of person to prepare report etc

1 This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report.
2 The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report.
3 If the Commissioner is satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report.
4 If the Commissioner is not satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor—
a inform the controller or processor that the Commissioner has decided not to approve the nominated person to prepare the report,
b inform the controller or processor of the reasons for that decision, and
c approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.
5 If the controller or processor does not nominate a person within the period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.
6 It is the duty of the controller or processor to give the person approved to prepare the report all such assistance as the person may reasonably require to prepare the report.

I688147 Assessment notices: restrictions

1 An assessment notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.
2 An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
a between a professional legal adviser and the adviser's client, and
b in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
3 An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
a between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
b in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
c for the purposes of such proceedings.
4 In subsections (2) and (3)—
a references to the client of a professional legal adviser include references to a person acting on behalf of such a client, and
b references to a communication include—
i a copy or other record of the communication, and
ii anything enclosed with or referred to in the communication if made as described in subsection (2)(b) or in subsection (3)(b) and (c).
5 The Commissioner may not give a controller or processor an assessment notice with respect to the processing of personal data for the special purposes.
6 The Commissioner may not give an assessment notice to—
a a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), F570...
F570b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Information notices and assessment notices: destruction of documents etc

I286148 Destroying or falsifying information and documents etc

1 This section applies where a person—
a has been given an information notice requiring the person to provide the Commissioner with information, or
b has been given an assessment notice requiring the person to direct the Commissioner to a document, equipment or other material or to assist the Commissioner to view information.
2 It is an offence for the person—
a to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material, or
b to cause or permit the destruction, disposal, concealment, blocking or (where relevant) falsification of all or part of the information, document, equipment or material,
with the intention of preventing the Commissioner from viewing, or being provided with or directed to, all or part of the information, document, equipment or material.
3 It is a defence for a person charged with an offence under subsection (2) to prove that the destruction, disposal, concealment, blocking or falsification would have occurred in the absence of the person being given the notice.

Interview notices

148A Interview notices

1 This section applies where the Commissioner suspects that a controller or processor—
a has failed or is failing as described in section 149(2), or
b has committed or is committing an offence under this Act.
2 For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to—
a attend at a place specified in the notice, and
b answer questions with respect to any matter relevant to the investigation.
3 An individual is within this subsection if the individual—
a is the controller or processor,
b is or was at any time employed by, or otherwise working for, the controller or processor, or
c is or was at any time concerned in the management or control of the controller or processor.
4 An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)).
5 An interview notice must—
a indicate the nature of the suspected failure or offence that is the subject of the investigation,
b provide information about the consequences of failure to comply with the notice, and
c provide information about the rights under sections 162 and 164 (appeals etc).
6 An interview notice may not require an individual to attend at the specified place and answer questions before the end of the period within which an appeal can be brought against the notice.
7 If an appeal is brought against an interview notice, the individual to whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal.
8 If an interview notice—
a states that, in the Commissioner’s opinion, it is necessary for the individual to attend at the specified place and answer questions urgently, and
b gives the Commissioner’s reasons for reaching that opinion,
subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given.
9 The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given.

148B Interview notices: restrictions

1 An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.
2 An interview notice does not require an individual to answer questions in respect of a communication which is made—
a between a professional legal adviser and the adviser’s client, and
b in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
3 An interview notice does not require an individual to answer questions in respect of a communication which is made—
a between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
b in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
c for the purposes of such proceedings.
4 In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client.
5 An interview notice does not require an individual to answer questions if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence.
6 The reference to an offence in subsection (5) does not include an offence under—
a this Act;
b section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);
c section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);
d Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
7 A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings—
a in giving evidence the individual provides information inconsistent with the statement, and
b evidence relating to the statement is adduced, or a question relating to it is asked, by that individual or on that individual’s behalf.
8 The Commissioner may not give an interview notice with respect to the processing of personal data for the special purposes.
9 The Commissioner may not give an interview notice to an individual for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters).

148C False statements made in response to interview notices

It is an offence for an individual, in response to an interview notice—
a to make a statement which the individual knows to be false in a material respect, or
b recklessly to make a statement which is false in a material respect.

Enforcement notices

I15I770149 Enforcement notices

1 Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “enforcement notice”) which requires the person—
a to take steps specified in the notice, or
b to refrain from taking steps specified in the notice,
or both (and see also sections 150 and 151).
2 The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following—
a a provision of Chapter II of the UK GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);
b a provision of or made under Articles 12 to 22D of the UK GDPR or Part 3 or 4 of this Act conferring rights on a data subject;
c a provision of Articles 25 to 39 of the UK GDPR or section 64 or 65 of this Act (obligations of controllers and processors);
d a requirement to communicate a personal data breach to the Commissioner or a data subject under section 67, 68 or 108 of this Act;
e the principles for transfers of personal data to third countries, non-Convention countries and international organisations in Articles 44A to 49A of the UK GDPR or in sections 73 to 78 or 109 of this Act.
3 The second type of failure is where a monitoring body has failed, or is failing, to comply with an obligation under Article 41 of the UK GDPR (monitoring of approved codes of conduct).
4 The third type of failure is where a person who is a certification provider—
a does not meet the requirements for accreditation,
b has failed, or is failing, to comply with an obligation under Article 42 or 43 of the UK GDPR (certification of controllers and processors), or
c has failed, or is failing, to comply with any other provision of the UK GDPR (whether in the person's capacity as a certification provider or otherwise).
5 The fourth type of failure is where a controller has failed, or is failing, to comply with regulations under section 137.
6 An enforcement notice given in reliance on subsection (2), (3) or (5) may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure.
7 An enforcement notice given in reliance on subsection (4) may only impose requirements which the Commissioner considers appropriate having regard to the failure (whether or not for the purpose of remedying the failure).
8 The Secretary of State may by regulations confer power on the Commissioner to give an enforcement notice in respect of other failures to comply with the data protection legislation.
9 Regulations under this section—
a may make provision about the giving of an enforcement notice in respect of the failure, including by amending this section and sections 150 to 152,
b may make provision about the giving of an information notice, an assessment notice , an interview notice or a penalty notice, or about powers of entry and inspection, in connection with the failure, including by amending sections 142, 143, 146, 147 , 148A, 148B and 155 to 157 and Schedules 15 and 16, and
c are subject to the affirmative resolution procedure.

I815150 Enforcement notices: supplementary

1 An enforcement notice must—
a state what the person has failed or is failing to do, and
b give the Commissioner's reasons for reaching that opinion.
2 In deciding whether to give an enforcement notice in reliance on section 149(2), the Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress.
3 In relation to an enforcement notice given in reliance on section 149(2), the Commissioner's power under section 149(1)(b) to require a person to refrain from taking specified steps includes power—
a to impose a ban relating to all processing of personal data, or
b to impose a ban relating only to a specified description of processing of personal data, including by specifying one or more of the following—
i a description of personal data;
ii the purpose or manner of the processing;
iii the time when the processing takes place.
4 An enforcement notice may specify the time or times at which, or period or periods within which, a requirement imposed by the notice must be complied with (but see the restrictions in subsections (6) to (8)).
5 An enforcement notice must provide information about—
a the consequences of failure to comply with it, and
b the rights under sections 162 and 164 (appeals etc).
6 An enforcement notice must not specify a time for compliance with a requirement in the notice which falls before the end of the period within which an appeal can be brought against the notice.
7 If an appeal is brought against an enforcement notice, a requirement in the notice need not be complied with pending the determination or withdrawal of the appeal.
8 If an enforcement notice—
a states that, in the Commissioner's opinion, it is necessary for a requirement to be complied with urgently, and
b gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply but the notice must not require the requirement to be complied with before the end of the period of 24 hours beginning when the notice is given.
9 In this section, “specified” means specified in an enforcement notice.

I819151 Enforcement notices: rectification and erasure of personal data etc

1 Subsections (2) and (3) apply where an enforcement notice is given in respect of a failure by a controller or processor—
a to comply with a data protection principle relating to accuracy, or
b to comply with a data subject's request to exercise rights under Article 16, 17 or 18 of the UK GDPR (right to rectification, erasure or restriction on processing) or section 46, 47 or 100 of this Act.
2 If the enforcement notice requires the controller or processor to rectify or erase inaccurate personal data, it may also require the controller or processor to rectify or erase any other data which—
a is held by the controller or processor, and
b contains an expression of opinion which appears to the Commissioner to be based on the inaccurate personal data.
3 Where a controller or processor has accurately recorded personal data provided by the data subject or a third party but the data is inaccurate, the enforcement notice may require the controller or processor—
a to take steps specified in the notice to ensure the accuracy of the data,
b if relevant, to secure that the data indicates the data subject's view that the data is inaccurate, and
c to supplement the data with a statement of the true facts relating to the matters dealt with by the data that is approved by the Commissioner,
(as well as imposing requirements under subsection (2)).
4 When deciding what steps it is reasonable to specify under subsection (3)(a), the Commissioner must have regard to the purpose for which the data was obtained and further processed.
5 Subsections (6) and (7) apply where—
a an enforcement notice requires a controller or processor to rectify or erase personal data, or
b the Commissioner is satisfied that the processing of personal data which has been rectified or erased by the controller or processor involved a failure described in subsection (1).
6 An enforcement notice may, if reasonably practicable, require the controller or processor to notify third parties to whom the data has been disclosed of the rectification or erasure.
7 In determining whether it is reasonably practicable to require such notification, the Commissioner must have regard, in particular, to the number of people who would have to be notified.
8 In this section, “data protection principle relating to accuracy” means the principle in—
a Article 5(1)(d) of the UK GDPR,
b section 38(1) of this Act, or
c section 89 of this Act.

I785152 Enforcement notices: restrictions

1 The Commissioner may not give a controller or processor an enforcement notice in reliance on section 149(2) with respect to the processing of personal data for the special purposes unless—
a a determination under section 174 with respect to the data or the processing has taken effect, and
b a court has granted leave for the notice to be given.
2 A court must not grant leave for the purposes of subsection (1)(b) unless it is satisfied that—
a the Commissioner has reason to suspect a failure described in section 149(2) which is of substantial public importance, and
b the controller or processor has been given notice of the application for leave in accordance with rules of court or the case is urgent.
3 An enforcement notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.
4 In the case of a joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities for compliance with that Part are determined in an arrangement under section 58 or 104, the Commissioner may only give the controller an enforcement notice in reliance on section 149(2) if the controller is responsible for compliance with the provision, requirement or principle in question.

I771153 Enforcement notices: cancellation and variation

1 The Commissioner may cancel or vary an enforcement notice by giving written notice to the person to whom it was given.
2 A person to whom an enforcement notice is given may apply in writing to the Commissioner for the cancellation or variation of the notice.
3 An application under subsection (2) may be made only—
a after the end of the period within which an appeal can be brought against the notice, and
b on the ground that, by reason of a change of circumstances, one or more of the provisions of that notice need not be complied with in order to remedy the failure identified in the notice.

Powers of entry and inspection

I172154 Powers of entry and inspection

Schedule 15 makes provision about powers of entry and inspection.

Penalties

I16I874155 Penalty notices

1 If the Commissioner is satisfied that a person—
a has failed or is failing as described in section 149(2), (3), (4) or (5), F175...
b has failed to comply with an information notice, an assessment notice , an interview notice or an enforcement notice , or
c has failed to comply with a duty imposed on the person by section 146A(6).
the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount in sterling specified in the notice.
2 Subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the following, so far as relevant—
a to the extent that the notice concerns a matter to which the UK GDPR applies, the matters listed in Article 83(1) and (2) of the UK GDPR;
b to the extent that the notice concerns another matter, the matters listed in subsection (3).
3 Those matters are—
a the nature, gravity and duration of the failure;
b the intentional or negligent character of the failure;
c any action taken by the controller or processor to mitigate the damage or distress suffered by data subjects;
d the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by the controller or processor in accordance with section 57, 66, 103 or 107;
e any relevant previous failures by the controller or processor;
f the degree of co-operation with the Commissioner, in order to remedy the failure and mitigate the possible adverse effects of the failure;
g the categories of personal data affected by the failure;
h the manner in which the infringement became known to the Commissioner, including whether, and if so to what extent, the controller or processor notified the Commissioner of the failure;
i the extent to which the controller or processor has complied with previous enforcement notices or penalty notices;
j adherence to approved codes of conduct or certification mechanisms;
k any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, as a result of the failure (whether directly or indirectly);
l whether the penalty would be effective, proportionate and dissuasive.
4 Subsections (2) and (3) do not apply in the case of a decision or determination relating to a failure described in section 149(5).
5 Schedule 16 makes further provision about penalty notices, including provision requiring the Commissioner to give a notice of intent to impose a penalty and provision about payment, variation, cancellation and enforcement.
6 The Secretary of State may by regulations—
a confer power on the Commissioner to give a penalty notice in respect of other failures to comply with the data protection legislation, and
b provide for the maximum penalty that may be imposed in relation to such failures to be either the standard maximum amount or the higher maximum amount.
7 Regulations under this section—
a may make provision about the giving of penalty notices in respect of the failure,
b may amend this section and sections 156 to 158, and
c are subject to the affirmative resolution procedure.
8 In this section, “higher maximum amount” and “standard maximum amount” have the same meaning as in section 157.

I796156 Penalty notices: restrictions

1 The Commissioner may not give a controller or processor a penalty notice in reliance on section 149(2) with respect to the processing of personal data for the special purposes unless—
a a determination under section 174 with respect to the data or the processing has taken effect, and
b a court has granted leave for the notice to be given.
2 A court must not grant leave for the purposes of subsection (1)(b) unless it is satisfied that—
a the Commissioner has reason to suspect a failure described in section 149(2) which is of substantial public importance, and
b the controller or processor has been given notice of the application for leave in accordance with rules of court or the case is urgent.
3 The Commissioner may not give a controller or processor a penalty notice with respect to the processing of personal data where the purposes and manner of the processing are determined by or on behalf of either House of Parliament.
4 The Commissioner may not give a penalty notice to—
a the Crown Estate Commissioners, or
b a person who is a controller by virtue of section 209(4) (controller for the Royal Household etc).
5 In the case of a joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities for compliance with that Part are determined in an arrangement under section 58 or 104, the Commissioner may only give the controller a penalty notice in reliance on section 149(2) if the controller is responsible for compliance with the provision, requirement or principle in question.

I878157 Maximum amount of penalty

1 In relation to an infringement of a provision of the UK GDPR, the maximum amount of the penalty that may be imposed by a penalty notice is—
a the amount specified in Article 83 of the UK GDPR, or
b if an amount is not specified there, the standard maximum amount.
2 In relation to an infringement of a provision of Part 3 of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is—
a in relation to a failure to comply with section 35, 36, 37, 38(1), 39(1), 40, 44, 45, 46, 47, 48, 50B, 50C, 52, 53, 73, F305... 75, 76, 77 or 78, the higher maximum amount, and
b otherwise, the standard maximum amount.
3 In relation to an infringement of a provision of Part 4 of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is—
a in relation to a failure to comply with section 86, 87, 88, 89, 90, 91, 93, 94, 100 or 109, the higher maximum amount, and
b otherwise, the standard maximum amount.
4 In relation to a failure to comply with an information notice, an assessment notice , an interview notice or an enforcement notice, the maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount.
5 The “higher maximum amount” is—
a in the case of an undertaking, £17,500,000 or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or
b in any other case, £17,500,000.
6 The “standard maximum amount” is—
a in the case of an undertaking, £8,700,000 or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or
b in any other case, £8,700,000.
F4877 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I128158 Fixed penalties for non-compliance with charges regulations

1 The Commissioner must produce and publish a document specifying the amount of the penalty for a failure to comply with regulations made under section 137.
2 The Commissioner may specify different amounts for different types of failure.
3 The maximum amount that may be specified is 150% of the highest charge payable by a controller in respect of a financial year in accordance with the regulations, disregarding any discount available under the regulations.
4 The Commissioner—
a may alter or replace the document, and
b must publish any altered or replacement document.
5 Before publishing a document under this section (including any altered or replacement document), the Commissioner must consult—
a the Secretary of State, and
b such other persons as the Commissioner considers appropriate.
6 The Commissioner must arrange for a document published under this section (including any altered or replacement document) to be laid before Parliament.

I17I890159 Amount of penalties: supplementary

1 For the purposes of Article 83 of the UK GDPR and section 157, the Secretary of State may by regulations—
a provide that a person of a description specified in the regulations is or is not an undertaking, and
b make provision about how an undertaking's turnover is to be determined.
2 For the purposes of Article 83 of the UK GDPR, section 157 and section 158, the Secretary of State may by regulations provide that a period is or is not a financial year.
3 Regulations under this section are subject to the affirmative resolution procedure.

Guidance and report

I505160 Guidance about regulatory action

1 The Commissioner must produce and publish guidance about how the Commissioner proposes to exercise the Commissioner's functions in connection with—
a information notices,
b assessment notices,
ba interview notices,
c enforcement notices, and
d penalty notices.
2 The Commissioner may produce and publish guidance about how the Commissioner proposes to exercise the Commissioner's other functions under this Part.
3 In relation to information notices, the guidance must include—
a provision specifying factors to be considered in determining the time at which, or the period within which, information is to be required to be provided;
b provision about the circumstances in which the Commissioner would consider it appropriate to give an information notice to a person in reliance on section 142(7) (urgent cases);
c provision about how the Commissioner will determine how to proceed if a person does not comply with an information notice.
4 In relation to assessment notices, the guidance must include—
a provision specifying factors to be considered in determining whether to give an assessment notice to a person;
aa provision specifying factors to be considered in determining whether to give an assessment notice to a person that imposes a requirement of a sort mentioned in section 146(2)(j);
ab provision about the factors the Commissioner may take into account when determining the suitability of a person to prepare a report of a sort mentioned in section 146(2)(j);
b provision about the circumstances in which the Commissioner would consider it appropriate to give an assessment notice in reliance on section 146(8) or (9) (urgent cases);
c provision specifying descriptions of documents or information that—
i are not to be examined or inspected in accordance with an assessment notice, or
ii are to be so examined or inspected only by a person of a description specified in the guidance;
d provision about the nature of inspections and examinations carried out in accordance with an assessment notice;
e provision about the nature of interviews carried out in accordance with an assessment notice;
f provision about the preparation, issuing and publication by the Commissioner of assessment reports in respect of controllers and processors that have been given assessment notices;
g provision about how the Commissioner will determine how to proceed if a person does not comply with an assessment notice.
5 The guidance produced in accordance with subsection (4)(c) must include provisions that relate to—
a documents and information concerning an individual's physical or mental health;
b documents and information concerning the provision of social care for an individual.
5A In relation to interview notices, the guidance must include—
a provision specifying factors to be considered in determining whether to give an interview notice to an individual;
b provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases);
c provision about the circumstances in which the Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given;
d provision about the nature of interviews carried out in accordance with an interview notice;
e provision about how the Commissioner will determine how to proceed if an individual does not comply with an interview notice.
6 In relation to enforcement notices, the guidance must include—
a provision specifying factors to be considered in determining whether to give an enforcement notice to a person;
b provision about the circumstances in which the Commissioner would consider it appropriate to give an enforcement notice to a person in reliance on section 150(8) (urgent cases);
c provision about how the Commissioner will determine how to proceed if a person does not comply with an enforcement notice.
7 In relation to penalty notices, the guidance must include—
a provision about the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice;
b provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner's intention to give the person a penalty notice;
c provision explaining how the Commissioner will determine the amount of penalties;
d provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice.
e provision about the circumstances in which the Commissioner would consider it necessary to comply with the duty in paragraph 4(A2) of Schedule 16 after the period of 6 months mentioned in that paragraph.
8 The Commissioner—
a may alter or replace guidance produced under this section, and
b must publish any altered or replacement guidance.
9 Before producing guidance under this section (including any altered or replacement guidance), the Commissioner must consult—
a the Secretary of State, and
b such other persons as the Commissioner considers appropriate.
10 Section 161 applies in relation to the first guidance under subsection (1).
11 The Commissioner must arrange for other guidance under this section (including any altered or replacement guidance) to be laid before Parliament.
12 In this section, “social care” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act).

I162161 Approval of first guidance about regulatory action

1 When the first guidance is produced under section 160(1)—
a the Commissioner must submit the final version to the Secretary of State, and
b the Secretary of State must lay the guidance before Parliament.
2 If, within the 40-day period, either House of Parliament resolves not to approve the guidance—
a the Commissioner must not issue the guidance, and
b the Commissioner must produce another version of the guidance (and this section applies to that version).
3 If, within the 40-day period, no such resolution is made—
a the Commissioner must issue the guidance, and
b the guidance comes into force at the end of the period of 21 days beginning with the day on which it is issued.
4 Nothing in subsection (2)(a) prevents another version of the guidance being laid before Parliament.
5 In this section, “the 40-day period” means—
a if the guidance is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
b if the guidance is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
6 In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.

161A Annual report on regulatory action

1 The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).
2 The report must include the following information about UK GDPR investigations—
a the number of investigations begun, continued or completed by the Commissioner during the reporting period,
b the different types of act and omission that were the subject matter of the investigations,
c the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations,
d the duration of investigations that ended in the reporting period, and
e the different types of outcome in investigations that ended in that period.
3 The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with—
a processing of personal data by a competent authority for any of the law enforcement purposes, and
b processing of personal data to which Part 4 applies.
4 The information included in the report in accordance with subsections (2) and (3) must include information about—
a the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and
b the reasons why that happened.
5 The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).
6 In this section—
  • enforcement powers” means the powers under—
    1. Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,
    2. sections 142 to 159 of this Act,
    3. paragraph 2(a), (b) and (c) of Schedule 13 to this Act, and
    4. Schedules 15 and 16 to this Act;
  • the law enforcement purposes” has the meaning given in section 31 of this Act;
  • the reporting period” means the period to which the report relates;
  • UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).

Appeals etc

I597162 Rights of appeal

1 A person who is given any of the following notices may appeal to the Tribunal—
a an information notice;
b an assessment notice;
ba an interview notice;
c an enforcement notice;
d a penalty notice;
e a penalty variation notice.
2 A person who is given an enforcement notice may appeal to the Tribunal against the refusal of an application under section 153 for the cancellation or variation of the notice.
3 A person who is given a penalty notice or a penalty variation notice may appeal to the Tribunal against the amount of the penalty specified in the notice, whether or not the person appeals against the notice.
4 Where a determination is made under section 174 in respect of the processing of personal data, the controller or processor may appeal to the Tribunal against the determination.

I184163 Determination of appeals

1 Subsections (2) to (4) apply where a person appeals to the Tribunal under section 162(1) or (3).
2 The Tribunal may review any determination of fact on which the notice or decision against which the appeal is brought was based.
3 If the Tribunal considers—
a that the notice or decision against which the appeal is brought is not in accordance with the law, or
b to the extent that the notice or decision involved an exercise of discretion by the Commissioner, that the Commissioner ought to have exercised the discretion differently,
the Tribunal must allow the appeal or substitute another notice or decision which the Commissioner could have given or made.
4 Otherwise, the Tribunal must dismiss the appeal.
5 On an appeal under section 162(2), if the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal must cancel or vary the notice.
6 On an appeal under section 162(4), the Tribunal may cancel the Commissioner's determination.

I508164 Applications in respect of urgent notices

1 This section applies where an information notice, an assessment notice , an interview notice or an enforcement notice given to a person contains an urgency statement.
2 The person may apply to the court for either or both of the following—
a the disapplication of the urgency statement in relation to some or all of the requirements of the notice;
b a change to the time at which, or the period within which, a requirement of the notice must be complied with.
3 On an application under subsection (2), the court may do any of the following—
a direct that the notice is to have effect as if it did not contain the urgency statement;
b direct that the inclusion of the urgency statement is not to have effect in relation to a requirement of the notice;
c vary the notice by changing the time at which, or the period within which, a requirement of the notice must be complied with;
d vary the notice by making other changes required to give effect to a direction under paragraph (a) or (b) or in consequence of a variation under paragraph (c).
4 The decision of the court on an application under this section is final.
5 In this section, “urgency statement” means—
a in relation to an information notice, a statement under section 142(7)(a),
b in relation to an assessment notice, a statement under section 146(8)(a) or (9)(d),
ba in relation to an interview notice, a statement under section 148A(8)(a), and
c in relation to an enforcement notice, a statement under section 150(8)(a).

Complaints

164A Complaints by data subjects to controllers

1 A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.
2 A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means.
3 If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.
4 If a controller receives a complaint under this section, the controller must without undue delay—
a take appropriate steps to respond to the complaint, and
b inform the complainant of the outcome of the complaint.
5 The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes—
a making enquiries into the subject matter of the complaint, to the extent appropriate, and
b informing the complainant about progress on the complaint.

164B Controllers to notify the Commissioner of the number of complaints

1 The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations.
2 Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.
3 Regulations under this section may include—
a provision about a matter listed in subsection (4), or
b provision conferring power on the Commissioner to determine those matters.
4 The matters are—
a the form and manner in which a notification must be made,
b the time at which, or period within which, a notification must be made, and
c how the number of complaints made to a controller during a period is to be calculated.
5 Regulations under this section are subject to the negative resolution procedure.

I790165 Complaints by data subjects

1 Articles 57(1)(f) and (2) and 77 of the UK GDPR (data subject's right to lodge a complaint) confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the UK GDPR.
2 A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act.
3 The Commissioner must facilitate the making of complaints under subsection (2) by taking steps such as providing a complaint form which can be completed electronically and by other means.
4 If the Commissioner receives a complaint under subsection (2), the Commissioner must—
a take appropriate steps to respond to the complaint,
b inform the complainant of the outcome of the complaint,
c inform the complainant of the rights under section 166, and
d if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
5 The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes—
a investigating the subject matter of the complaint, to the extent appropriate, and
b informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with a foreign designated authority is necessary.
F736 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 In this section—
  • foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Convention;
  • F236...

I959166 Orders to progress complaints

1 This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner—
a fails to take appropriate steps to respond to the complaint,
b fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
c if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
2 The Tribunal may, on an application by the data subject, make an order requiring the Commissioner—
a to take appropriate steps to respond to the complaint, or
b to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
3 An order under subsection (2)(a) may require the Commissioner—
a to take steps specified in the order;
b to conclude an investigation, or take a specified step, within a period specified in the order.
4 Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).

Remedies in the court

I891167 Compliance orders

1 This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject's rights under the data protection legislation in contravention of that legislation.
2 A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
a to take steps specified in the order, or
b to refrain from taking steps specified in the order.
3 The order may, in relation to each step, specify the time at which, or the period within which, it must be taken.
4 In subsection (1)—
a the reference to an application by a data subject includes an application made in exercise of the right under Article 79(1) of the UK GDPR (right to an effective remedy against a controller or processor);
b the reference to the data protection legislation does not include Part 4 of this Act or regulations made under that Part.
5 In relation to a joint controller in respect of the processing of personal data to which Part 3 applies whose responsibilities are determined in an arrangement under section 58, a court may only make an order under this section if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.

I945168 Compensation for contravention of the UK GDPR

1 In Article 82 of the UK GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress.
2 Subsection (3) applies where—
a in accordance with rules of court, proceedings under Article 82 of the UK GDPR are brought by a representative body on behalf of a person, and
b a court orders the payment of compensation.
3 The court may make an order providing for the compensation to be paid on behalf of the person to—
a the representative body, or
b such other person as the court thinks fit.

I802169 Compensation for contravention of other data protection legislation

1 A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the UK GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
2 Under subsection (1)—
a a controller involved in processing of personal data is liable for any damage caused by the processing, and
b a processor involved in processing of personal data is liable for damage caused by the processing only if the processor—
i has not complied with an obligation under the data protection legislation specifically directed at processors, or
ii has acted outside, or contrary to, the controller's lawful instructions.
3 A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
4 A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
5 In this section, “damage” includes financial loss and damage not involving financial loss, such as distress.

Offences relating to personal data

I763170 Unlawful obtaining etc of personal data

1 It is an offence for a person knowingly or recklessly—
a to obtain or disclose personal data without the consent of the controller,
b to procure the disclosure of personal data to another person without the consent of the controller, or
c after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
2 It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining—
a was necessary for the purposes of preventing , investigating or detecting crime,
b was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
c in the particular circumstances, was justified as being in the public interest.
3 It is also a defence for a person charged with an offence under subsection (1) to prove that—
a the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,
b the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or
c the person acted—
i for the special purposes,
ii with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
iii in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.
4 It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.
5 It is an offence for a person to offer to sell personal data if the person—
a has obtained the data in circumstances in which an offence under subsection (1) was committed, or
b subsequently obtains the data in such circumstances.
6 For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data.
7 In this section—
a references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the UK GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
b where there is more than one controller, such references are references to the consent of one or more of them.

I807171 Re-identification of de-identified personal data

1 It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
2 For the purposes of this section and section 172—
a personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
b a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).
3 It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—
a was necessary for the purposes of preventing , investigating or detecting crime,
b was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
c in the particular circumstances, was justified as being in the public interest.
4 It is also a defence for a person charged with an offence under subsection (1) to prove that—
a the person acted in the reasonable belief that the person—
i is the data subject to whom the information relates,
ii had the consent of that data subject, or
iii would have had such consent if the data subject had known about the re-identification and the circumstances of it,
b the person acted in the reasonable belief that the person—
i is the controller responsible for de-identifying the personal data,
ii had the consent of that controller, or
iii would have had such consent if that controller had known about the re-identification and the circumstances of it,
c the person acted—
i for the special purposes,
ii with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
iii in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest, or
d the effectiveness testing conditions were met (see section 172).
5 It is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so—
a without the consent of the controller responsible for de-identifying the personal data, and
b in circumstances in which the re-identification was an offence under subsection (1).
6 It is a defence for a person charged with an offence under subsection (5) to prove that the processing—
a was necessary for the purposes of preventing , investigating or detecting crime,
b was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
c in the particular circumstances, was justified as being in the public interest.
7 It is also a defence for a person charged with an offence under subsection (5) to prove that—
a the person acted in the reasonable belief that the processing was lawful,
b the person acted in the reasonable belief that the person—
i had the consent of the controller responsible for de-identifying the personal data, or
ii would have had such consent if that controller had known about the processing and the circumstances of it, or
c the person acted—
i for the special purposes,
ii with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
iii in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.
8 In this section—
a references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the UK GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
b where there is more than one controller, such references are references to the consent of one or more of them.

I735172 Re-identification: effectiveness testing conditions

1 For the purposes of section 171, in relation to a person who re-identifies information that is de-identified personal data, “the effectiveness testing conditions” means the conditions in subsections (2) and (3).
2 The first condition is that the person acted—
a with a view to testing the effectiveness of the de-identification of personal data,
b without intending to cause, or threaten to cause, damage or distress to a person, and
c in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
3 The second condition is that the person notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification—
a without undue delay, and
b where feasible, not later than 72 hours after becoming aware of it.
4 Where there is more than one controller responsible for de-identifying personal data, the requirement in subsection (3) is satisfied if one or more of them is notified.

I839173 Alteration etc of personal data to prevent disclosure to data subject

1 Subsection (3) applies where—
a a request has been made in exercise of a data subject access right, and
b the person making the request would have been entitled to receive information in response to that request.
2 In this section, “data subject access right” means a right under—
a Article 15 of the UK GDPR (right of access by the data subject);
b Article 20 of the UK GDPR (right to data portability);
c section 45 of this Act (law enforcement processing: right of access by the data subject);
d section 94 of this Act (intelligence services processing: right of access by the data subject).
3 It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.
4 Those persons are—
a the controller, and
b a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.
5 It is a defence for a person charged with an offence under subsection (3) to prove that—
a the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or
b the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.

The special purposes

I799174 The special purposes

1 In this Part, “the special purposes” means one or more of the following—
a the purposes of journalism;
b academic purposes;
c artistic purposes;
d literary purposes.
2 In this Part, “special purposes proceedings” means legal proceedings against a controller or processor which relate, wholly or partly, to personal data processed for the special purposes and which are—
a proceedings under section 167 (including proceedings on an application under Article 79 of the UK GDPR), or
b proceedings under Article 82 of the UK GDPR or section 169.
3 The Commissioner may make a written determination, in relation to the processing of personal data, that—
a the personal data is not being processed only for the special purposes;
b the personal data is not being processed with a view to the publication by a person of journalistic, academic, artistic or literary material which has not previously been published by the controller.
4 The Commissioner must give written notice of the determination to the controller and the processor.
5 The notice must provide information about the rights of appeal under section 162.
6 The determination does not take effect until one of the following conditions is satisfied—
a the period for the controller or the processor to appeal against the determination has ended without an appeal having been brought, or
b an appeal has been brought against the determination and—
i the appeal and any further appeal in relation to the determination has been decided or has otherwise ended, and
ii the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

I237175 Provision of assistance in special purposes proceedings

1 An individual who is a party, or prospective party, to special purposes proceedings may apply to the Commissioner for assistance in those proceedings.
2 As soon as reasonably practicable after receiving an application under subsection (1), the Commissioner must decide whether, and to what extent, to grant it.
3 The Commissioner must not grant the application unless, in the Commissioner's opinion, the case involves a matter of substantial public importance.
4 If the Commissioner decides not to provide assistance, the Commissioner must, as soon as reasonably practicable, notify the applicant of the decision, giving reasons for the decision.
5 If the Commissioner decides to provide assistance, the Commissioner must—
a as soon as reasonably practicable, notify the applicant of the decision, stating the extent of the assistance to be provided, and
b secure that the person against whom the proceedings are, or are to be, brought is informed that the Commissioner is providing assistance.
6 The assistance that may be provided by the Commissioner includes—
a paying costs in connection with the proceedings, and
b indemnifying the applicant in respect of liability to pay costs, expenses or damages in connection with the proceedings.
7 In England and Wales or Northern Ireland, the recovery of expenses incurred by the Commissioner in providing an applicant with assistance under this section (as taxed or assessed in accordance with rules of court) is to constitute a first charge for the benefit of the Commissioner—
a on any costs which, by virtue of any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided, and
b on any sum payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid, or bring to an end, any proceedings.
8 In Scotland, the recovery of such expenses (as taxed or assessed in accordance with rules of court) is to be paid to the Commissioner, in priority to other debts—
a out of any expenses which, by virtue of any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided, and
b out of any sum payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid, or bring to an end, any proceedings.

I68176 Staying special purposes proceedings

1 In any special purposes proceedings before a court, if the controller or processor claims, or it appears to the court, that any personal data to which the proceedings relate—
a is being processed only for the special purposes,
b is being processed with a view to the publication by any person of journalistic, academic, artistic or literary material, and
c has not previously been published by the controller,
the court must stay or, in Scotland, sist the proceedings.
2 In considering, for the purposes of subsection (1)(c), whether material has previously been published, publication in the immediately preceding 24 hours is to be ignored.
3 Under subsection (1), the court must stay or sist the proceedings until either of the following conditions is met—
a a determination of the Commissioner under section 174 with respect to the personal data or the processing takes effect;
b where the proceedings were stayed or sisted on the making of a claim, the claim is withdrawn.

I915177 Guidance about how to seek redress against media organisations

1 The Commissioner must produce and publish guidance about the steps that may be taken where an individual considers that a media organisation is failing or has failed to comply with the data protection legislation.
2 In this section, “media organisation” means a body or other organisation whose activities consist of or include journalism.
3 The guidance must include provision about relevant complaints procedures, including—
a who runs them,
b what can be complained about, and
c how to make a complaint.
4 For the purposes of subsection (3), relevant complaints procedures include procedures for making complaints to the Commissioner, the Office of Communications, the British Broadcasting Corporation and other persons who produce or enforce codes of practice for media organisations.
5 The guidance must also include provision about—
a the powers available to the Commissioner in relation to a failure to comply with the data protection legislation,
b when a claim in respect of such a failure may be made before a court and how to make such a claim,
c alternative dispute resolution procedures,
d the rights of bodies and other organisations to make complaints and claims on behalf of data subjects, and
e the Commissioner's power to provide assistance in special purpose proceedings.
6 The Commissioner—
a may alter or replace the guidance, and
b must publish any altered or replacement guidance.
7 The Commissioner must produce and publish the first guidance under this section before the end of the period of 1 year beginning when this Act is passed.

I866178 Review of processing of personal data for the purposes of journalism

1 The Commissioner must—
a review the extent to which, during each review period, the processing of personal data for the purposes of journalism complied with—
i the data protection legislation, and
ii good practice in the processing of personal data for the purposes of journalism,
b prepare a report of the review, and
c submit the report to the Secretary of State.
2 In this section—
  • good practice in the processing of personal data for the purposes of journalism” has the same meaning as in section 124;
  • review period” means—
    1. the period of 4 years beginning with the day on which Chapter 2 of Part 2 of this Act comes into force, and
    2. each subsequent period of 5 years beginning with the day after the day on which the previous review period ended.
3 The Commissioner must start a review under this section, in respect of a review period, within the period of 6 months beginning when the review period ends.
4 The Commissioner must submit the report of a review under this section to the Secretary of State—
a in the case of the first review, before the end of the period of 18 months beginning when the Commissioner started the review, and
b in the case of each subsequent review, before the end of the period of 12 months beginning when the Commissioner started the review.
5 The report must include consideration of the extent of compliance (as described in subsection (1)(a)) in each part of the United Kingdom.
6 The Secretary of State must—
a lay the report before Parliament, and
b send a copy of the report to—
i the Scottish Ministers,
ii the Welsh Ministers, and
iii the Executive Office in Northern Ireland.
7 Schedule 17 makes further provision for the purposes of a review under this section.

I829179 Effectiveness of the media's dispute resolution procedures

1 The Secretary of State must, before the end of each review period, lay before Parliament a report produced by the Secretary of State or an appropriate person on—
a the use of relevant alternative dispute resolution procedures, during that period, in cases involving a failure, or alleged failure, by a relevant media organisation to comply with the data protection legislation, and
b the effectiveness of those procedures in such cases.
2 In this section—
  • appropriate person” means a person who the Secretary of State considers has appropriate experience and skills to produce a report described in subsection (1);
  • relevant alternative dispute resolution procedures” means alternative dispute resolution procedures provided by persons who produce or enforce codes of practice for relevant media organisations;
  • relevant media organisation” means a body or other organisation whose activities consist of or include journalism, other than a broadcaster;
  • review period” means—
    1. the period of 3 years beginning when this Act is passed, and
    2. each subsequent period of 3 years.
3 The Secretary of State must send a copy of the report to—
a the Scottish Ministers,
b the Welsh Ministers, and
c the Executive Office in Northern Ireland.

Jurisdiction and court procedure

I840180 Jurisdiction

1 The jurisdiction conferred on a court by the provisions listed in subsection (2) is exercisable—
a in England and Wales, by the High Court or the county court,
b in Northern Ireland, by the High Court or a county court, and
c in Scotland, by the Court of Session or the sheriff,
subject to subsections (3) and (4).
2 Those provisions are—
a section 145 (information orders);
b section 152 (enforcement notices and processing for the special purposes);
c section 156 (penalty notices and processing for the special purposes);
d section 167 and Article 79 of the UK GDPR (compliance orders);
e sections 168 and 169 and Article 82 of the UK GDPR (compensation).
3 In relation to the processing of personal data to which Part 4 applies, the jurisdiction conferred by the provisions listed in subsection (2) is exercisable only by the High Court or, in Scotland, the Court of Session.
4 In relation to an information notice which contains a statement under section 142(7), the jurisdiction conferred on a court by section 145 is exercisable only by the High Court or, in Scotland, the Court of Session.
5 The jurisdiction conferred on a court by section 164 (applications in respect of urgent notices) is exercisable only by the High Court or, in Scotland, the Court of Session.

180A Procedure in connection with subject access requests

1 This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—
a Article 15 of the UK GDPR (right of access by the data subject);
b Article 20 of the UK GDPR (right to data portability);
c section 45 of this Act (law enforcement processing: right of access by the data subject);
d section 94 of this Act (intelligence services processing: right of access by the data subject).
2 The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.
3 But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.
4 Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.

Definitions

I895181 Interpretation of Part 6

In this Part—
  • assessment notice” has the meaning given in section 146;
  • certification provider” has the meaning given in section 17;
  • enforcement notice” has the meaning given in section 149;
  • information notice” has the meaning given in section 142;
  • interview notice” has the meaning given in section 148A;
  • penalty notice” has the meaning given in section 155;
  • penalty variation notice” has the meaning given in Schedule 16;
  • F64...

C25C5PART 7 Supplementary and final provision

Regulations under this Act

I906182 Regulations and consultation

1 Regulations under this Act are to be made by statutory instrument.
2 Before making regulations under this Act, the Secretary of State must consult—
a the Commissioner, and
b such other persons as the Secretary of State considers appropriate.
3 Subsection (2) does not apply to regulations made under—
F78a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b section 30;
c section 211;
d section 212;
e section 213;
f paragraph 15 of Schedule 2.
F6874 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5 Regulations under this Act may—
a make different provision for different purposes;
b include consequential, supplementary, incidental, transitional, transitory or saving provision.
6 For the purposes of this Act, where regulations are subject to “the negative resolution procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.
7 For the purposes of this Act, where regulations are subject to “the affirmative resolution procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament.
8 For the purposes of this Act, regulations are subject to “the made affirmative resolution procedure” if
a the statutory instrument containing the regulations must be laid before Parliament after being made, together with an urgency statement in respect of them, and
b the regulations cease to have effect at the end of a period beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament.
F149 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F1410 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11 Any provision that may be included in regulations under this Act subject to the negative resolution procedure may be made by regulations made under this Act or another enactment that are subject to the affirmative resolution procedure or the made affirmative resolution procedure.
12 If a draft of a statutory instrument containing regulations under section 7 would, apart from this subsection, be treated for the purposes of the standing orders of either House of Parliament as a hybrid instrument, it is to proceed in that House as if it were not such an instrument.
13 A requirement under a provision of this Act to consult may be satisfied by consultation before, as well as by consultation after, the provision comes into force.
14 For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for regulations to come into force without delay.

Changes to the Data Protection Convention

I18I762183 Power to reflect changes to the Data Protection Convention

1 The Secretary of State may by regulations make such provision as the Secretary of State considers necessary or appropriate in connection with an amendment of, or an instrument replacing, the Data Protection Convention which has effect, or is expected to have effect, in the United Kingdom.
2 The power under subsection (1) includes power—
a to amend or replace the definition of “the Data Protection Convention” in section 3;
b to amend Chapter 3 of Part 2 of this Act;
c to amend Part 4 of this Act;
d to make provision about the functions of the Commissioner, courts or tribunals in connection with relevant processing of personal data, including provision amending Parts 5 to 7 of this Act;
e to make provision about the functions of the Commissioner in connection with the Data Protection Convention or an instrument replacing that Convention, including provision amending Parts 5 to 7 of this Act;
f to consequentially amend this Act.
2A In subsection (2)(d), “relevant processing of personal data” means—
a processing of personal data described in Article 2(1)(a) or (b) or (1A) of the UK GDPR, and
b processing of personal data to which Part 4 of this Act applies.
3 Regulations under this section are subject to the affirmative resolution procedure.
4 Regulations under this section may not be made after the end of the period of 3 years beginning with the day on which this Act is passed.

Prohibitions and restrictions etc on processing

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

1 A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data.
2 Subsection (1) does not apply—
a to a relevant enactment forming part of the main data protection legislation, or
b to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation).
3 Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power.
4 In this section—
  • the main data protection legislation” means the data protection legislation other than provision of or made under—
    1. Chapter 6 or 8 of the UK GDPR, or
    2. Parts 5 to 7 of this Act;
  • relevant enactment” means an enactment so far as passed or made on or after 20th August 2025;
  • requirement” includes a prohibition or restriction.
5 The reference in subsection (1) to an enactment or rule of law which imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)—
a by authorising one person to require another person to process personal data, or
b by removing restrictions on processing personal data,
and the references in subsection (3) to a duty or power are to be read accordingly.

183B Protection of prohibitions and restrictions etc on processing: other enactments

1 This section is about the relationship between—
a a pre-commencement enactment which imposes a duty, or confers a power, to process personal data, and
b a provision of the main data protection legislation containing a requirement relating to the processing of personal data.
2 The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).
3 Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship.
4 Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another.
5 In this section—
a the main data protection legislation” and “requirement” have the same meaning as in section 183A, and
b pre-commencement enactment” means an enactment so far as passed or made before 20th August 2025.
6 Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).

Rights of the data subject

I953184 Prohibition of requirement to produce relevant records

1 It is an offence for a person (“P1”) to require another person to provide P1 with, or give P1 access to, a relevant record in connection with—
a the recruitment of an employee by P1,
b the continued employment of a person by P1, or
c a contract for the provision of services to P1.
2 It is an offence for a person (“P2”) to require another person to provide P2 with, or give P2 access to, a relevant record if—
a P2 is involved in the provision of goods, facilities or services to the public or a section of the public, and
b the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or to a third party.
3 It is a defence for a person charged with an offence under subsection (1) or (2) to prove that imposing the requirement—
a was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
b in the particular circumstances, was justified as being in the public interest.
4 The imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as justified as being in the public interest on the ground that it would assist in the prevention , investigation or detection of crime, given
a Part 5 of the Police Act 1997 (certificates of criminal records etc), and
b Part 1 of the Disclosure (Scotland) Act 2020 (disclosure of criminal history and other information).
5 In subsections (1) and (2), the references to a person who requires another person to provide or give access to a relevant record include a person who asks another person to do so—
a knowing that, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request, or
b being reckless as to whether, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request,
and the references to a “requirement” in subsections (3) and (4) are to be interpreted accordingly.
6 In this section—
  • employment” means any employment, including—
    1. work under a contract for services or as an office-holder,
    2. work under an apprenticeship,
    3. work experience as part of a training course or in the course of training for employment, and
    4. voluntary work,
    and “employee” is to be interpreted accordingly;
  • relevant record” has the meaning given in Schedule 18 and references to a relevant record include—
    1. a part of such a record, and
    2. a copy of, or of part of, such a record.

I801185 Avoidance of certain contractual terms relating to health records

1 A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which—
a consists of the information contained in a health record, and
b has been or is to be obtained by a data subject in the exercise of a data subject access right.
2 A term or condition of a contract is also void in so far as it purports to require an individual to produce such a record to another person.
3 The references in subsections (1) and (2) to a record include a part of a record and a copy of all or part of a record.
4 In this section, “data subject access right” means a right under—
a Article 15 of the UK GDPR (right of access by the data subject);
b Article 20 of the UK GDPR (right to data portability);
c section 45 of this Act (law enforcement processing: right of access by the data subject);
d section 94 of this Act (intelligence services processing: right of access by the data subject).

I795186 Protection of data subject’s rights

1 An enactment or rule of law prohibiting or restricting the disclosure of information, or authorising the withholding of information, does not remove or restrict the obligations and rights provided for in the provisions listed in subsection (2) F483....
2 The provisions providing obligations and rights are—
a Chapter III of the UK GDPR (rights of the data subject),
b Chapter 3 of Part 3 of this Act (law enforcement processing: rights of the data subject), and
c Chapter 3 of Part 4 of this Act (intelligence services processing: rights of the data subject).
2A Subsection (1) does not apply—
a to an enactment contained in, or made under, a provision listed in subsection (2),
b to an enactment contained in, or made under, a provision listed in subsection (3),
c to the extent that an enactment makes express provision to the contrary referring to this section or to a provision listed in subsection (2), or
d to the extent that subsection (1) is disapplied by section 186A(3).
3 The provisions referred to in subsection (2A)(b) are—
a in Chapter 2 of Part 2 of this Act, sections 15 and 16 and Schedules 2, 3 and 4,
b in Chapter 3 of Part 2 of this Act, sections F605... 24, 25 and 26,
F705c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ca in Part 3 of this Act, section 78A, and
d in Part 4 of this Act, Chapter 6 .

186A Protection of data subject’s rights: further provision

1 This section is about the relationship between—
a a pre-commencement enactment which prohibits or restricts the disclosure of information or authorises the withholding of information, and
b a provision of the UK GDPR or this Act listed in section 186(2).
2 The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).
3 Subsection (1) of section 186 does not apply to the relationship so far as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section).
4 Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another.
5 In this section, “pre-commencement enactment” means an enactment so far as passed or made before 20th August 2025, other than an enactment contained in, or made under, a provision listed in section 186(2) or (3).

Representation of data subjects

I791187 Representation of data subjects with their authority

1 In relation to the processing of personal data to which the UK GDPR applies, Article 80(1) of the UK GDPR (representation of data subjects)
a F524... enables a data subject to authorise a body or other organisation which meets the conditions set out in subsections (3) and (4) to exercise the data subject's rights under Articles 77, 78 and 79 of the UK GDPR (rights to lodge complaints and to an effective judicial remedy) on the data subject's behalf, and
b also authorises such a body or organisation to exercise the data subject's rights under Article 82 of the UK GDPR (right to compensation).
2 In relation to the processing of personal data to which the UK GDPR does not apply, a body or other organisation which meets the conditions in subsections (3) and (4), if authorised to do so by a data subject, may exercise some or all of the following rights of a data subject on the data subject's behalf—
a rights under section 165(2) and (4)(d) (complaints to the Commissioner);
b rights under section 166(2) (orders for the Commissioner to progress complaints);
c rights under section 167(1) (compliance orders);
d the right to bring judicial review proceedings against the Commissioner.
3 The first condition is that the body or organisation, by virtue of its constitution or an enactment—
a is required (after payment of outgoings) to apply the whole of its income and any capital it expends for charitable or public purposes,
b is prohibited from directly or indirectly distributing amongst its members any part of its assets (otherwise than for charitable or public purposes), and
c has objectives which are in the public interest.
4 The second condition is that the body or organisation is active in the field of protection of data subjects' rights and freedoms with regard to the protection of their personal data.
5 In this Act, references to a “representative body”, in relation to a right of a data subject, are to a body or other organisation authorised to exercise the right on the data subject's behalf under Article 80 of the UK GDPR or this section.

I19I553188 Representation of data subjects with their authority: collective proceedings

1 The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.
2 In this section, “relevant claim”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject's behalf under Article 80(1) of the UK GDPR or section 187.
3 The power under subsection (1) includes power—
a to make provision about the proceedings;
b to confer functions on a person, including functions involving the exercise of a discretion;
c to make different provision in relation to England and Wales and in relation to Northern Ireland.
4 The provision mentioned in subsection (3)(a) includes provision about—
a the effect of judgments and orders;
b agreements to settle claims;
c the assessment of the amount of compensation;
d the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
e costs.
5 Regulations under this section are subject to the negative resolution procedure.

I509189 Duty to review provision for representation of data subjects

1 Before the end of the review period, the Secretary of State must—
a review the matters listed in subsection (2) in relation to England and Wales and Northern Ireland,
b prepare a report of the review, and
c lay a copy of the report before Parliament.
2 Those matters are—
a the operation of Article 80(1) of the UK GDPR,
b the operation of section 187,
c the merits of exercising the power under Article 80(2) of the UK GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the UK GDPR to exercise some or all of a data subject's rights under Articles 77, 78 and 79 of the UK GDPR without being authorised to do so by the data subject),
d the merits of making equivalent provision in relation to data subjects' rights under Article 82 of the UK GDPR (right to compensation), and
e the merits of making provision for a children's rights organisation to exercise some or all of a data subject's rights under Articles 77, 78, 79 and 82 of the UK GDPR on behalf of a data subject who is a child, with or without being authorised to do so by the data subject.
3 “The review period” is the period of 30 months beginning when section 187 comes into force.
4 In carrying out the review, the Secretary of State must—
a consider the particular needs of children separately from the needs of adults,
b have regard to the fact that children have different needs at different stages of development,
c carry out an analysis of the particular challenges that children face in authorising, and deciding whether to authorise, other persons to act on their behalf under Article 80(1) of the UK GDPR or section 187,
d consider the support and advice available to children in connection with the exercise of their rights under Articles 77, 78, 79 and 82 of the UK GDPR by another person on their behalf and the merits of making available other support or advice, and
e have regard to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.
5 Before preparing the report under subsection (1), the Secretary of State must consult the Commissioner and such other persons as the Secretary of State considers appropriate, including—
a persons active in the field of protection of data subjects' rights and freedoms with regard to the protection of their personal data,
b children and parents,
c children's rights organisations and other persons who appear to the Secretary of State to represent the interests of children,
d child development experts, and
e trade associations.
6 In this section—
  • children's rights organisation” means a body or other organisation which—
    1. is active in representing the interests of children, and
    2. has objectives which are in the public interest;
  • trade association” includes a body representing controllers or processors;
  • the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.

I20I279190 Post-review powers to make provision about representation of data subjects

1 After the report under section 189(1) is laid before Parliament, the Secretary of State may by regulations—
a exercise the powers under Article 80(2) of the UK GDPR in relation to England and Wales and Northern Ireland,
b make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the UK GDPR to exercise a data subject's rights under Article 82 of the UK GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject, and
c make provision described in section 189(2)(e) in relation to the exercise in England and Wales and Northern Ireland of the rights of a data subject who is a child.
2 The powers under subsection (1) include power—
a to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject's rights;
b to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject's rights;
c to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;
d to confer functions on a person, including functions involving the exercise of a discretion;
e to amend sections 166 to 168, 180, 187, 203, 205 and 206;
f to insert new sections and Schedules into Part 6 or 7 ;
g to make different provision in relation to England and Wales and in relation to Northern Ireland.
3 The powers under subsection (1)(a) and (b) include power to make provision in relation to data subjects who are children or data subjects who are not children or both.
4 The provision mentioned in subsection (2)(b) and (c) includes provision about—
a the effect of judgments and orders;
b agreements to settle claims;
c the assessment of the amount of compensation;
d the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
e costs.
5 Regulations under this section are subject to the affirmative resolution procedure.

Framework for Data Processing by Government

I21I453191 Framework for Data Processing by Government

1 The Secretary of State may prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—
a the Crown, a Minister of the Crown or a United Kingdom government department, and
b a person with functions of a public nature who is specified or described in regulations made by the Secretary of State.
2 The document may make provision relating to all of those functions or only to particular functions or persons.
3 The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.
4 The Secretary of State may from time to time prepare amendments of the document or a replacement document.
5 Before preparing a document or amendments under this section, the Secretary of State must consult—
a the Commissioner, and
b any other person the Secretary of State considers it appropriate to consult.
6 Regulations under subsection (1)(b) are subject to the negative resolution procedure.
7 In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.

I752192 Approval of the Framework

1 Before issuing a document prepared under section 191, the Secretary of State must lay it before Parliament.
2 If, within the 40-day period, either House of Parliament resolves not to approve the document, the Secretary of State must not issue it.
3 If no such resolution is made within that period—
a the Secretary of State must issue the document, and
b the document comes into force at the end of the period of 21 days beginning with the day on which it is issued.
4 Nothing in subsection (2) prevents another version of the document being laid before Parliament.
5 In this section, “the 40-day period” means—
a if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
b if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
6 In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
7 This section applies in relation to amendments prepared under section 191 as it applies in relation to a document prepared under that section.

I446193 Publication and review of the Framework

1 The Secretary of State must publish a document issued under section 192(3).
2 Where an amendment of a document is issued under section 192(3), the Secretary of State must publish—
a the amendment, or
b the document as amended by it.
3 The Secretary of State must keep under review the document issued under section 192(3) for the time being in force.
4 Where the Secretary of State becomes aware that the terms of such a document could result in a breach of an international obligation of the United Kingdom, the Secretary of State must exercise the power under section 191(4) with a view to remedying the situation.

I747194 Effect of the Framework

1 When carrying out processing of personal data which is the subject of a document issued under section 192(3) which is for the time being in force, a person must have regard to the document.
2 A failure to act in accordance with a provision of such a document does not of itself make a person liable to legal proceedings in a court or tribunal.
3 A document issued under section 192(3), including an amendment or replacement document, is admissible in evidence in legal proceedings.
4 In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of any document issued under section 192(3) in determining a question arising in the proceedings if—
a the question relates to a time when the provision was in force, and
b the provision appears to the court or tribunal to be relevant to the question.
5 In determining a question arising in connection with the carrying out of any of the Commissioner's functions, the Commissioner must take into account a provision of a document issued under section 192(3) if—
a the question relates to a time when the provision was in force, and
b the provision appears to the Commissioner to be relevant to the question.

Data-sharing: HMRC and reserve forces

I647195 Reserve forces: data-sharing by HMRC

1 The Reserve Forces Act 1996 is amended as follows.
2 After section 125 insert—

Offences

I972196 Penalties for offences

1 A person who commits an offence under section 119 or 173 or paragraph 15 of Schedule 15 is liable—
a on summary conviction in England and Wales, to a fine;
b on summary conviction in Scotland or Northern Ireland, to a fine not exceeding level 5 on the standard scale.
2 A person who commits an offence under section 132, 144, 148, 148C, 170, 171 or 184 is liable—
a on summary conviction in England and Wales, to a fine;
b on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;
c on conviction on indictment, to a fine.
3 Subsections (4) and (5) apply where a person is convicted of an offence under section 170 or 184.
4 The court by or before which the person is convicted may order a document or other material to be forfeited, destroyed or erased if—
a it has been used in connection with the processing of personal data, and
b it appears to the court to be connected with the commission of the offence,
subject to subsection (5).
5 If a person, other than the offender, who claims to be the owner of the material, or to be otherwise interested in the material, applies to be heard by the court, the court must not make an order under subsection (4) without giving the person an opportunity to show why the order should not be made.

I924197 Prosecution

1 In England and Wales, proceedings for an offence under this Act may be instituted only—
a by the Commissioner, or
b by or with the consent of the Director of Public Prosecutions.
2 In Northern Ireland, proceedings for an offence under this Act may be instituted only—
a by the Commissioner, or
b by or with the consent of the Director of Public Prosecutions for Northern Ireland.
3 Subject to subsection (4), summary proceedings for an offence under section 173 (alteration etc of personal data to prevent disclosure) may be brought within the period of 6 months beginning with the day on which the prosecutor first knew of evidence that, in the prosecutor's opinion, was sufficient to bring the proceedings.
4 Such proceedings may not be brought after the end of the period of 3 years beginning with the day on which the offence was committed.
5 A certificate signed by or on behalf of the prosecutor and stating the day on which the 6 month period described in subsection (3) began is conclusive evidence of that fact.
6 A certificate purporting to be signed as described in subsection (5) is to be treated as so signed unless the contrary is proved.
7 In relation to proceedings in Scotland, section 136(3) of the Criminal Procedure (Scotland) Act 1995 (deemed date of commencement of proceedings) applies for the purposes of this section as it applies for the purposes of that section.

I854198 Liability of directors etc

1 Subsection (2) applies where—
a an offence under this Act has been committed by a body corporate, and
b it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of—
i a director, manager, secretary or similar officer of the body corporate, or
ii a person who was purporting to act in such a capacity.
2 The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.
3 Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member's management functions in relation to the body as if the member were a director of the body corporate.
4 Subsection (5) applies where—
a an offence under this Act has been committed by a Scottish partnership, and
b the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner.
5 The partner, as well as the partnership, is guilty of the offence and liable to be proceeded against and punished accordingly.

I935199 Recordable offences

F7351 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 Regulations under section 27(4) of the Police and Criminal Evidence Act 1984 (recordable offences) may repeal subsection (1).

I963200 Guidance about PACE codes of practice

1 The Commissioner must produce and publish guidance about how the Commissioner proposes to perform the duty under section 67(9) of the Police and Criminal Evidence Act 1984 (duty to have regard to codes of practice under that Act when investigating offences and charging offenders) in connection with offences under this Act.
2 The Commissioner—
a may alter or replace the guidance, and
b must publish any altered or replacement guidance.
3 The Commissioner must consult the Secretary of State before publishing guidance under this section (including any altered or replacement guidance).
4 The Commissioner must arrange for guidance under this section (including any altered or replacement guidance) to be laid before Parliament.

The Tribunal

I842201 Disclosure of information to the Tribunal

1 No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of—
a its functions under the data protection legislation, or
b its other functions relating to the Commissioner's acts and omissions.
2 But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
3 Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.

I773202 Proceedings in the First-tier Tribunal: contempt

1 This section applies where—
a a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal—
i on an appeal under section 27, 79, 82E, 111 or 162, or
ii for an order under section 166, and
b if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.
2 The First-tier Tribunal may certify the offence to the Upper Tribunal.
3 Where an offence is certified under subsection (2), the Upper Tribunal may—
a inquire into the matter, and
b deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.
4 Before exercising the power under subsection (3)(b), the Upper Tribunal must—
a hear any witness who may be produced against or on behalf of the person charged with the offence, and
b hear any statement that may be offered in defence.

I22I806203 Tribunal Procedure Rules

1 Tribunal Procedure Rules may make provision for regulating—
a the exercise of the rights of appeal conferred by section 27, 79, 82E, 111 or 162, and
b the exercise of the rights of data subjects under section 166, including their exercise by a representative body.
2 In relation to proceedings involving the exercise of those rights, Tribunal Procedure Rules may make provision about—
a securing the production of material used for the processing of personal data, and
b the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.

Interpretation

I938204 Meaning of “health professional” and “social work professional”

1 In this Act, “health professional” means any of the following—
a a registered medical practitioner;
b a registered nurse or midwife;
c a registered dentist within the meaning of the Dentists Act 1984 (see section 53 of that Act);
d a registered dispensing optician or a registered optometrist within the meaning of the Opticians Act 1989 (see section 36 of that Act);
e a registered osteopath with the meaning of the Osteopaths Act 1993 (see section 41 of that Act);
f a registered chiropractor within the meaning of the Chiropractors Act 1994 (see section 43 of that Act);
g a person registered as a member of a profession to which the Health F526... Professions Order 2001 (S.I. 2002/254) for the time being extends; F335...
h a registered pharmacist or a registered pharmacy technician within the meaning of the Pharmacy Order 2010 (S.I. 2010/231) (see article 3 of that Order);
i a registered person within the meaning of the Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)) (see Article 2 of that Order);
j a child psychotherapist;
k a scientist employed by a health service body as head of a department.
l a person registered under the Anaesthesia Associates and Physician Associates Order 2024.
2 In this Act, “social work professional” means any of the following—
a a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;
b a person registered as a social worker in the register maintained by Social Care Wales under section 80 of the Regulation and Inspection of Social Care (Wales) Act 2016 (anaw 2);
c a person registered as a social worker in the register maintained by the Scottish Social Services Council under section 44 of the Regulation of Care (Scotland) Act 2001 (asp 8);
d a person registered as a social worker in the register maintained by the Northern Ireland Social Care Council under section 3 of the Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.)).
3 In subsection (1)(a) “registered medical practitioner” includes a person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section.
4 In subsection (1)(k) “health service body” means any of the following—
a the Secretary of State in relation to the exercise of functions under section 2A or 2B of, or paragraph 7C, 8 or 12 of Schedule 1 to, the National Health Service Act 2006;
b a local authority in relation to the exercise of functions under section 2B or 111 of, or any of paragraphs 1 to 7B or 13 of Schedule 1 to, the National Health Service Act 2006;
c a National Health Service trust first established under section 25 of the National Health Service Act 2006;
d a Special Health Authority established under section 28 of the National Health Service Act 2006;
e an NHS foundation trust;
f the National Institute for Health and Care Excellence;
g NHS England;
h a National Health Service trust first established under section 5 of the National Health Service and Community Care Act 1990;
i a Local Health Board established under section 11 of the National Health Service (Wales) Act 2006;
j a National Health Service trust first established under section 18 of the National Health Service (Wales) Act 2006;
k a Special Health Authority established under section 22 of the National Health Service (Wales) Act 2006;
l a Health Board within the meaning of the National Health Service (Scotland) Act 1978;
m a Special Health Board within the meaning of the National Health Service (Scotland) Act 1978;
n a National Health Service trust first established under section 12A of the National Health Service (Scotland) Act 1978;
o the managers of a State Hospital provided under section 102 of the National Health Service (Scotland) Act 1978;
F503p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
q a special health and social care agency established under the Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990 (S.I. 1990/247 (N.I. 3));
r a Health and Social Care trust established under Article 10 of the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1)).

I809C10205 General interpretation

1 In this Act—
  • biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data;
  • data concerning health” means personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status;
  • enactment” includes—
    1. an enactment passed or made after this Act,
    2. an enactment comprised in subordinate legislation,
    3. an enactment comprised in, or in an instrument made under, a Measure or Act of the National Assembly for Wales,
    4. an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament, F213...
    5. an enactment comprised in, or in an instrument made under, Northern Ireland legislation; and
    6. any assimilated direct legislation;
  • genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual and which results, in particular, from an analysis of a biological sample from the individual in question;
  • government department” includes the following (except in the expression “United Kingdom government department”)—
    1. a part of the Scottish Administration;
    2. a Northern Ireland department;
    3. the Welsh Government;
    4. a body or authority exercising statutory functions on behalf of the Crown;
  • health record” means a record which—
    1. consists of data concerning health, and
    2. has been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates;
  • inaccurate”, in relation to personal data, means incorrect or misleading as to any matter of fact;
  • international obligation of the United Kingdom” includes—
    1. F300. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    2. an obligation that arises under an international agreement or arrangement to which the United Kingdom is a party;
  • international organisation” means an organisation and its subordinate bodies governed by international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
  • Minister of the Crown” has the same meaning as in the Ministers of the Crown Act 1975;
  • publish” means make available to the public or a section of the public (and related expressions are to be read accordingly);
  • subordinate legislation” has the meaning given in the Interpretation Act 1978;
  • tribunal” means any tribunal in which legal proceedings may be brought;
  • the Tribunal”, in relation to an application or appeal under this Act, means—
    1. the Upper Tribunal, in any case where it is determined by or under Tribunal Procedure Rules that the Upper Tribunal is to hear the application or appeal, or
    2. the First-tier Tribunal, in any other case.
1A In this Act, references to fundamental rights or fundamental freedoms (however expressed) are to the Convention rights within the meaning of the Human Rights Act 1998.
2 References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—
za section 119A(10) and (11);
a section 125(4), (7) and (8);
b section 161(3), (5) and (6);
c section 176(2);
d section 178(2);
e section 182(8) F70...;
f section 183(4);
g section 192(3), (5) and (6);
h section 197(3) and (4);
i paragraph 23(4) and (5) of Schedule 1;
j paragraphs 5(4) and 6(4) of Schedule 3;
k Schedule 5;
l paragraph 11(5) of Schedule 12;
la paragraph 22(6) of Schedule 12A;
m Schedule 15;
(and the references in section 5 to terms used in F130... Part 2 do not include references to a period expressed in hours, days, weeks, months or years).
F283 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4 In the definition of “the UK GDPR” in section 3(10)—
a the reference to Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 is to be treated as a reference to that Regulation as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the 2019 Regulations”), but
b nothing in the definition or in paragraph (a) determines whether, where Regulation (EU) 2016/679 is modified on or after IP completion day by the law of England and Wales, Scotland or Northern Ireland (other than by Schedule 1 to the 2019 Regulations), the reference to Regulation (EU) 2016/679 is then to be read as a reference to that Regulation as modified.
5 Subsection (4) is not to be read as implying anything about how other references to Regulation (EU) 2016/679 or references to other assimilated law are to be interpreted.

I880C4206 Index of defined expressions

The Table below lists provisions which define or otherwise explain terms defined for this Act, for a Part of this Act or for Chapter 2 or 3 of Part 2 of this Act.
the affirmative resolution proceduresection 182
F255. . .F255. . .
F255. . .F255. . .
assessment notice (in Part 6)section 181
biometric datasection 205
certification provider (in Part 6)section 181
the Commission section 3
the Commissionersection 3
competent authority (in Parts 3 and 4)sections 30 and 82
consent (in Part 4)section 84
controllersection 3
data concerning healthsection 205
the Data Protection Conventionsection 3
the data protection legislationsection 3
data subjectsection 3
designation notice (in Part 4) section 84
employee (in Parts 3 and 4)sections 33 and 84
enactmentsection 205
enforcement notice (in Part 6)section 181
the EU GDPR section 3
filing systemsection 3
FOI public authority (in Chapter 3 of Part 2)section 21
F443. . .F443. . .
genetic datasection 205
government departmentsection 205
health professionalsection 204
health recordsection 205
identifiable living individualsection 3
inaccuratesection 205
information notice (in Part 6)section 181
intelligence service (in Part 4)section 82
international obligation of the United Kingdomsection 205
international organisationsection 205
interview notice (in Part 6)section 181
the Law Enforcement Directivesection 3
the law enforcement purposes (in Part 3)section 31
the made affirmative resolution proceduresection 182
Minister of the Crownsection 205
the negative resolution proceduresection 182
penalty notice (in Part 6)section 181
penalty variation notice (in Part 6)section 181
personal datasection 3
personal data breach (in Parts 3 and 4)sections 33 and 84
processingsection 3
processorsection 3
profiling (in Part 3)section 33
public authority (in the UK GDPR and Part 2)section 7
public body (in the UK GDPR and Part 2)section 7
publishsection 205
qualifying competent authority (in Part 4) section 82
recipient (in Parts 3 and 4)sections 33 and 84
F525. . .F525. . .
representative body (in relation to a right of a data subject)section 187
restriction of processing (in Parts 3 and 4)sections 33 and 84
sensitive processing (in Parts 3 and 4) sections 35 and 86
social work professionalsection 204
the special purposes (in Part 6)section 174
special purposes proceedings (in Part 6)section 174
subordinate legislationsection 205
third country (in Part 3)section 33
tribunalsection 205
the Tribunalsection 205
the UK GDPR section 3
withdrawal notice (in Part 4) section 84

Territorial application

C15I783207 Territorial application of this Act

1 This Act applies only to processing of personal data described in subsections (1A) and (2).
1A In the case of the processing of personal data to which Part 2 (the UK GDPR) applies, it applies to the types of such processing to which the UK GDPR applies by virtue of Article 3 of the UK GDPR.
2 In the case of the processing of personal data to which Part 2 does not apply, it applies where such processing is carried out in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.
F7013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4 Subsections (1), (1A) and (2) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.
5 Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).
F7046 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 In this section, references to a person who has an establishment in the United Kingdom include the following—
a an individual who is ordinarily resident in the United Kingdom,
b a body incorporated under the law of the United Kingdom or a part of the United Kingdom,
c a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and
d a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom,
F734....

General

I794208 Children in Scotland

1 Subsections (2) and (3) apply where a question falls to be determined in Scotland as to the legal capacity of a person aged under 16 to—
a exercise a right conferred by the data protection legislation, or
b give consent for the purposes of the data protection legislation.
2 The person is to be taken to have that capacity where the person has a general understanding of what it means to exercise the right or give such consent.
3 A person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown.

I941209 Application to the Crown

1 This Act binds the Crown.
2 For the purposes of the UK GDPR and this Act, each government department is to be treated as a person separate from the other government departments (to the extent that is not already the case).
3 Where government departments are not able to enter into contracts with each other, a provision of the UK GDPR or this Act that would require relations between them to be governed by a contract (or other binding legal act) in writing is to be treated as satisfied if the relations are the subject of a memorandum of understanding between them.
4 Where the purposes for which and the manner in which personal data is, or is to be, processed are determined by a person acting on behalf of the Royal Household, the Duchy of Lancaster or the Duchy of Cornwall, the controller in respect of that data for the purposes of the UK GDPR and this Act is—
a in relation to the Royal Household, the Keeper of the Privy Purse,
b in relation to the Duchy of Lancaster, such person as the Chancellor of the Duchy appoints, and
c in relation to the Duchy of Cornwall, such person as the Duke of Cornwall, or the possessor for the time being of the Duchy of Cornwall, appoints.
5 Different persons may be appointed under subsection (4)(b) or (c) for different purposes.
6 As regards criminal liability—
a a government department is not liable to prosecution under this Act;
b nothing in subsection (4) makes a person who is a controller by virtue of that subsection liable to prosecution under this Act;
c a person in the service of the Crown is liable to prosecution under the provisions of this Act listed in subsection (7).
7 Those provisions are—
a section 119;
b section 170;
c section 171;
d section 173;
e paragraph 15 of Schedule 15.

I884210 Application to Parliament

1 Parts 1, 2 and 5 to 7 of this Act apply to the processing of personal data by or on behalf of either House of Parliament.
2 Where the purposes for which and the manner in which personal data is, or is to be, processed are determined by or on behalf of the House of Commons, the controller in respect of that data for the purposes of the UK GDPR and this Act is the Corporate Officer of that House.
3 Where the purposes for which and the manner in which personal data is, or is to be, processed are determined by or on behalf of the House of Lords, the controller in respect of that data for the purposes of the UK GDPR and this Act is the Corporate Officer of that House.
4 Subsections (2) and (3) do not apply where the purposes for which and the manner in which the personal data is, or is to be, processed are determined by or on behalf of the Intelligence and Security Committee of Parliament.
5 As regards criminal liability—
a nothing in subsection (2) or (3) makes the Corporate Officer of the House of Commons or the Corporate Officer of the House of Lords liable to prosecution under this Act;
b a person acting on behalf of either House of Parliament is liable to prosecution under the provisions of this Act listed in subsection (6).
6 Those provisions are—
a section 170;
b section 171;
c section 173;
d paragraph 15 of Schedule 15.

I23I942211 Minor and consequential provision

1 In Schedule 19—
a Part 1 contains minor and consequential amendments of primary legislation;
b Part 2 contains minor and consequential amendments of other legislation;
c Part 3 contains consequential modifications of legislation;
d Part 4 contains supplementary provision.
2 The Secretary of State may by regulations make provision that is consequential on any provision made by this Act.
3 Regulations under subsection (2)—
a may include transitional, transitory or saving provision;
b may amend, repeal or revoke an enactment.
4 The reference to an enactment in subsection (3)(b) does not include an enactment passed or made after the end of the Session in which this Act is passed.
5 Regulations under this section that amend, repeal or revoke primary legislation are subject to the affirmative resolution procedure.
6 Any other regulations under this section are subject to the negative resolution procedure.
7 In this section, “primary legislation” means—
a an Act;
b an Act of the Scottish Parliament;
c a Measure or Act of the National Assembly for Wales;
d Northern Ireland legislation.

Final

I894212 Commencement

1 Except as provided by subsections (2) and (3), this Act comes into force on such day as the Secretary of State may by regulations appoint.
2 This section and the following provisions come into force on the day on which this Act is passed—
a sections 1 and 3;
b section 182;
c sections 204, 205 and 206;
d sections 209 and 210;
e sections 213(2), 214 and 215;
f any other provision of this Act so far as it confers power to make regulations or Tribunal Procedure Rules or is otherwise necessary for enabling the exercise of such a power on or after the day on which this Act is passed.
3 The following provisions come into force at the end of the period of 2 months beginning when this Act is passed—
a section 124;
b sections 125, 126 and 127, so far as they relate to a code prepared under section 124;
c section 177;
d section 178 and Schedule 17;
e section 179.
4 Regulations under this section may make different provision for different areas.

I24I929I808213 Transitional provision

1 Schedule 20 contains transitional, transitory and saving provision.
2 The Secretary of State may by regulations make transitional, transitory or saving provision in connection with the coming into force of any provision of this Act or with the EU GDPR beginning to apply, including provision amending or repealing a provision of Schedule 20.
3 Regulations under this section that amend or repeal a provision of Schedule 20 are subject to the negative resolution procedure.
4 Schedule 21 contains further transitional, transitory and saving provision made in connection with the amendment of this Act and the UK GDPR by regulations under section 8 of the European Union (Withdrawal) Act 2018.

I777214 Extent

1 This Act extends to England and Wales, Scotland and Northern Ireland, subject to—
a subsections (2) to (5), and
b paragraph 12 of Schedule 12.
2 Section 199 extends to England and Wales only.
3 Sections 188, 189 and 190 extend to England and Wales and Northern Ireland only.
4 An amendment, repeal or revocation made by this Act has the same extent in the United Kingdom as the enactment amended, repealed or revoked.
5 This subsection and the following provisions also extend to the Isle of Man—
a paragraphs 332 and 434 of Schedule 19;
b sections 211(1), 212(1) and 213(2), so far as relating to those paragraphs.
6 Where there is a power to extend a part of an Act by Order in Council to any of the Channel Islands, the Isle of Man or any of the British overseas territories, the power may be exercised in relation to an amendment or repeal of that part which is made by or under this Act.

I882215 Short title

This Act may be cited as the Data Protection Act 2018.

SCHEDULES

Schedule A1 

Processing in reliance on relevant international law

Section 9A

This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.

SCHEDULE 1 

Special categories of personal data and criminal convictions etc data

Section 10

PART 1 Conditions relating to employment, health and research etc

Employment, social security and social protection

I7921
1 This condition is met if—
a the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
b when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
2 See also the additional safeguards in Part 4 of this Schedule.
3 In this paragraph—
  • social security” includes any of the branches of social security listed in Article 3(1) of Regulation (EC) No. 883/2004 of the European Parliament and of the Council on the co-ordination of social security systems (as amended from time to time);
  • social protection” includes an intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament and of the Council of 25 April 2007 on the European system of integrated social protection statistics (ESSPROS) as it had effect in EU law immediately before IP completion day.

Health or social care purposes

I8622
1 This condition is met if the processing is necessary for health or social care purposes.
2 In this paragraph “health or social care purposes” means the purposes of—
a preventive or occupational medicine,
b the assessment of the working capacity of an employee,
c medical diagnosis,
d the provision of health care or treatment,
e the provision of social care, or
f the management of health care systems or services or social care systems or services.
3 See also the conditions and safeguards in Article 9(3) of the UK GDPR (obligations of secrecy) and section 11(1).

Public health

I6743This condition is met if the processing—
a is necessary for reasons of public interest in the area of public health, and
b is carried out—
i by or under the responsibility of a health professional, or
ii by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Research etc

I8204This condition is met if the processing—
a is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
b is carried out in accordance with Article 84B of the UK GDPR, and
c is in the public interest.

PART 2 Substantial public interest conditions

Requirement for an appropriate policy document when relying on conditions in this Part

I4275
1 Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
2 See also the additional safeguards in Part 4 of this Schedule.

Statutory etc and government purposes

I557C3C8C96
1 This condition is met if the processing—
a is necessary for a purpose listed in sub-paragraph (2), and
b is necessary for reasons of substantial public interest.
2 Those purposes are—
a the exercise of a function conferred on a person by an enactment or rule of law;
b the exercise of a function of the Crown, a Minister of the Crown or a government department.

Administration of justice and parliamentary purposes

I5787This condition is met if the processing is necessary—
a for the administration of justice, or
b for the exercise of a function of either House of Parliament.

Equality of opportunity or treatment

I3538
1 This condition is met if the processing—
a is of a specified category of personal data, and
b is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,
subject to the exceptions in sub-paragraphs (3) to (5).
2 In sub-paragraph (1), “specified” means specified in the following table—
Category of personal dataGroups of people (in relation to a category of personal data)
Personal data revealing racial or ethnic originPeople of different racial or ethnic origins
Personal data revealing religious or philosophical beliefsPeople holding different religious or philosophical beliefs
Data concerning healthPeople with different states of physical or mental health
Personal data concerning an individual's sexual orientationPeople of different sexual orientation
3 Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.
4 Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
5 Processing does not meet the condition in sub-paragraph (1) if—
a an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
b the notice gave the controller a reasonable period in which to stop processing such data, and
c that period has ended.

Racial and ethnic diversity at senior levels of organisations

I1789
1 This condition is met if the processing—
a is of personal data revealing racial or ethnic origin,
b is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,
c is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and
d can reasonably be carried out without the consent of the data subject,
subject to the exception in sub-paragraph (3).
2 For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
a the controller cannot reasonably be expected to obtain the consent of the data subject, and
b the controller is not aware of the data subject withholding consent.
3 Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
4 For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—
a holds a position listed in sub-paragraph (5), or
b does not hold such a position but is a senior manager of the organisation.
5 Those positions are—
a a director, secretary or other similar officer of a body corporate;
b a member of a limited liability partnership;
c a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.
6 In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—
a the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or
b the actual managing or organising of the whole or a substantial part of those activities.
7 The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Preventing etc unlawful acts

I72510
1 This condition is met if the processing—
a is necessary for the purposes of the prevention , investigation or detection of an unlawful act,
b must be carried out without the consent of the data subject so as not to prejudice those purposes, and
c is necessary for reasons of substantial public interest.
2 If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
3 In this paragraph—
  • act” includes a failure to act;
  • competent authority” has the same meaning as in Part 3 of this Act (see section 30).

Protecting the public against dishonesty etc

I52311
1 This condition is met if the processing—
a is necessary for the exercise of a protective function,
b must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and
c is necessary for reasons of substantial public interest.
2 In this paragraph, “protective function” means a function which is intended to protect members of the public against—
a dishonesty, malpractice or other seriously improper conduct,
b unfitness or incompetence,
c mismanagement in the administration of a body or association, or
d failures in services provided by a body or association.

Regulatory requirements relating to unlawful acts and dishonesty etc

I50312
1 This condition is met if—
a the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—
i committed an unlawful act, or
ii been involved in dishonesty, malpractice or other seriously improper conduct,
b in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and
c the processing is necessary for reasons of substantial public interest.
2 In this paragraph—
  • act” includes a failure to act;
  • regulatory requirement” means—
    1. a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or
    2. a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.

Journalism etc in connection with unlawful acts and dishonesty etc

I55013
1 This condition is met if—
a the processing consists of , or is carried out in preparation for, the disclosure of personal data for the special purposes,
b it is carried out in connection with a matter described in sub-paragraph (2),
c it is necessary for reasons of substantial public interest,
d it is carried out with a view to the publication of the personal data by any person, and
e the controller reasonably believes that publication of the personal data would be in the public interest.
2 The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—
a the commission of an unlawful act by a person;
b dishonesty, malpractice or other seriously improper conduct of a person;
c unfitness or incompetence of a person;
d mismanagement in the administration of a body or association;
e a failure in services provided by a body or association.
3 The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
4 In this paragraph—
  • act” includes a failure to act;
  • the special purposes” means—
    1. the purposes of journalism;
    2. academic purposes;
    3. artistic purposes;
    4. literary purposes.

Preventing fraud

I28314
1 This condition is met if the processing—
a is necessary for the purposes of preventing fraud or a particular kind of fraud, and
b consists of—
i the disclosure of personal data by a person as a member of an anti-fraud organisation,
ii the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation,
iia the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii), or
iii the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
2 In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.

Suspicion of terrorist financing or money laundering

I21215This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—
a section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);
b section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).

Support for individuals with a particular disability or medical condition

I64516
1 This condition is met if the processing—
a is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,
b is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),
c is necessary for the purposes of—
i raising awareness of the disability or medical condition, or
ii providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,
d can reasonably be carried out without the consent of the data subject, and
e is necessary for reasons of substantial public interest.
2 The following types of personal data fall within this sub-paragraph—
a personal data revealing racial or ethnic origin;
b genetic data or biometric data;
c data concerning health;
d personal data concerning an individual's sex life or sexual orientation.
3 An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—
a has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or
b is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.
4 For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
a the controller cannot reasonably be expected to obtain the consent of the data subject, and
b the controller is not aware of the data subject withholding consent.
5 In this paragraph—
  • carer” means an individual who provides or intends to provide care for another individual other than—
    1. under or by virtue of a contract, or
    2. as voluntary work;
  • disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).
6 The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Counselling etc

I62517
1 This condition is met if the processing—
a is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,
b is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
c is necessary for reasons of substantial public interest.
2 The reasons mentioned in sub-paragraph (1)(b) are—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
c the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).

Safeguarding of children and of individuals at risk

I24718
1 This condition is met if—
a the processing is necessary for the purposes of—
i protecting an individual from neglect or physical, mental or emotional harm, or
ii protecting the physical, mental or emotional well-being of an individual,
b the individual is—
i aged under 18, or
ii aged 18 or over and at risk,
c the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
d the processing is necessary for reasons of substantial public interest.
2 The reasons mentioned in sub-paragraph (1)(c) are—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
c the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
3 For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
a has needs for care and support,
b is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
c as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
4 In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Safeguarding of economic well-being of certain individuals

I57019
1 This condition is met if the processing—
a is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,
b is of data concerning health,
c is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
d is necessary for reasons of substantial public interest.
2 The reasons mentioned in sub-paragraph (1)(c) are—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
c the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
3 In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.

Insurance

I8920
1 This condition is met if the processing—
a is necessary for an insurance purpose,
b is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and
c is necessary for reasons of substantial public interest,
subject to sub-paragraphs (2) and (3).
2 Sub-paragraph (3) applies where—
a the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and
b the data subject does not have and is not expected to acquire—
i rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or
ii other rights or obligations in connection with such a contract.
3 Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.
4 For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—
a the controller cannot reasonably be expected to obtain the consent of the data subject, and
b the controller is not aware of the data subject withholding consent.
5 In this paragraph—
  • insurance contract” means a contract of general insurance or long-term insurance;
  • insurance purpose” means—
    1. advising on, arranging, underwriting or administering an insurance contract,
    2. administering a claim under an insurance contract, or
    3. exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.
6 The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
7 Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.

Occupational pensions

I22921
1 This condition is met if the processing—
a is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,
b is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,
c is not carried out for the purposes of measures or decisions with respect to the data subject, and
d can reasonably be carried out without the consent of the data subject.
2 For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
a the controller cannot reasonably be expected to obtain the consent of the data subject, and
b the controller is not aware of the data subject withholding consent.
3 In this paragraph—
  • occupational pension scheme” has the meaning given in section 1 of the Pension Schemes Act 1993;
  • member”, in relation to a scheme, includes an individual who is seeking to become a member of the scheme.
4 The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Political parties

I59522
1 This condition is met if the processing—
a is of personal data revealing political opinions,
b is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and
c is necessary for the purposes of the person's or organisation's political activities,
subject to the exceptions in sub-paragraphs (2) and (3).
2 Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.
3 Processing does not meet the condition in sub-paragraph (1) if—
a an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
b the notice gave the controller a reasonable period in which to stop processing such data, and
c that period has ended.
4 In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.

Elected representatives responding to requests

I83223
1 This condition is met if—
a the processing is carried out—
i by an elected representative or a person acting with the authority of such a representative,
ii in connection with the discharge of the elected representative's functions, and
iii in response to a request by an individual that the elected representative take action on behalf of the individual, and
b the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,
subject to sub-paragraph (2).
2 Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
c obtaining the consent of the data subject would prejudice the action taken by the elected representative;
d the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
3 In this paragraph, “elected representative” means—
a a member of the House of Commons;
b a member of the National Assembly for Wales;
c a member of the Scottish Parliament;
d a member of the Northern Ireland Assembly;
F45e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
f an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—
i in England, a county council, a district council, a London borough council or a parish council;
ii in Wales, a county council, a county borough council or a community council;
g an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
h a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
ha a mayor for the area of a combined county authority established under section 9(1) of the Levelling-up and Regeneration Act 2023;
i the Mayor of London or an elected member of the London Assembly;
j an elected member of—
i the Common Council of the City of London, or
ii the Council of the Isles of Scilly;
k an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
l an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));
m a police and crime commissioner.
4 For the purposes of sub-paragraph (3), a person who is—
a a member of the House of Commons immediately before Parliament is dissolved,
b a member of the National Assembly for Wales immediately before that Assembly is dissolved,
c a member of the Scottish Parliament immediately before that Parliament is dissolved, or
d a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,
is to be treated as if the person were such a member until the end of the period of 30 days beginning with the day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.
5 For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.

Disclosure to elected representatives

I14624
1 This condition is met if—
a the processing consists of , or is carried out in preparation for, the disclosure of personal data—
i to an elected representative or a person acting with the authority of such a representative, and
ii in response to a communication to the controller from that representative or person which was made in response to a request from an individual,
b the personal data is relevant to the subject matter of that communication, and
c the disclosure is necessary for the purpose of responding to that communication,
subject to sub-paragraph (2).
2 Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
c obtaining the consent of the data subject would prejudice the action taken by the elected representative;
d the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
3 In this paragraph, “elected representative” has the same meaning as in paragraph 23.

Informing elected representatives about prisoners

I39625
1 This condition is met if—
a the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and
b the member is under an obligation not to further disclose the personal data.
2 The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.
3 In this paragraph—
  • prison” includes a young offender institution, a remand centre, a secure training centre or a secure college;
  • prisoner” means a person detained in a prison.

Anti-doping in sport

I21127
1 This condition is met if the processing is necessary—
a for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or
b for the purposes of providing information about doping, or suspected doping, to such a body or association.
2 The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.
3 If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

Standards of behaviour in sport

I49528
1 This condition is met if the processing—
a is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,
b must be carried out without the consent of the data subject so as not to prejudice those purposes, and
c is necessary for reasons of substantial public interest.
2 In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—
a dishonesty, malpractice or other seriously improper conduct, or
b failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.

PART 3 Additional conditions relating to criminal convictions etc

Protecting individual's vital interests

I28730This condition is met if—
a the processing is necessary to protect the vital interests of an individual, and
b the data subject is physically or legally incapable of giving consent.

Processing by not-for-profit bodies

I54631This condition is met if the processing is carried out—
a in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and
b on condition that—
i the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and
ii the personal data is not disclosed outside that body without the consent of the data subjects.

Personal data in the public domain

I33232This condition is met if the processing relates to personal data which is manifestly made public by the data subject.

Judicial acts

I7834This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity.

Administration of accounts used in commission of indecency offences involving children

I61435
1 This condition is met if—
a the processing is of personal data about a conviction or caution for an offence listed in sub-paragraph (2),
b the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card, and
c when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
2 Those offences are an offence under—
a section 1 of the Protection of Children Act 1978 (indecent photographs of children),
b Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),
c section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),
d section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),
e Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or
f section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),
or incitement to commit an offence under any of those provisions.
3 See also the additional safeguards in Part 4 of this Schedule.
4 In this paragraph—
  • caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
  • conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));
  • payment card” includes a credit card, a charge card and a debit card.

Extension of conditions in Part 2 of this Schedule referring to substantial public interest

I53936This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest.

Extension of insurance conditions

I73337This condition is met if the processing—
a would meet the condition in paragraph 20 in Part 2 of this Schedule (the “insurance condition”), or
b would meet the condition in paragraph 36 by virtue of the insurance condition,
but for the requirement for the processing to be processing of a category of personal data specified in paragraph 20(1)(b).

PART 4 Appropriate policy document and additional safeguards

Application of this Part of this Schedule

I45638This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.

Requirement to have an appropriate policy document in place

I79339The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—
a explains the controller's procedures for securing compliance with the principles in Article 5 of the UK GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
b explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy document

I3640
1 Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—
a retain the appropriate policy document,
b review and (if appropriate) update it from time to time, and
c make it available to the Commissioner, on request, without charge.
2 Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—
a begins when the controller starts to carry out processing of personal data in reliance on that condition, and
b ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.

Additional safeguard: record of processing

I81841A record maintained by the controller, or the controller's representative, under Article 30 of the UK GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—
a which condition is relied on,
b how the processing satisfies Article 6 of the UK GDPR (lawfulness of processing), and
c whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.

SCHEDULE 2 

Exemptions etc from the UK GDPR

Section 15

PART 1 Adaptations and restrictions as described in Articles 6(3) and 23(1)

UK GDPR provisions to be adapted or restricted: “the listed GDPR provisions”

I7781In this Part of this Schedule, “the listed GDPR provisions” means—
a the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
i Article 13(1) to (3) (personal data collected from data subject: information to be provided);
ii Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
iii Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
iv Article 16 (right to rectification);
v Article 17(1) and (2) (right to erasure);
vi Article 18(1) (restriction of processing);
vii Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
viii Article 20(1) and (2) (right to data portability);
ix Article 21(1) (objections to processing);
x Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and
b the following provisions of the UK GDPR (the application of which may be adapted by virtue of Article 6(3) of the UK GDPR)—
i Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;
F51ii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Crime and taxation: general

I7872
1 The listed GDPR provisions and Article 34(1) and (4) of the UK GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—
a the prevention , investigation or detection of crime,
b the apprehension or prosecution of offenders, or
c the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
2 Sub-paragraph (3) applies where—
a personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
b another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.
3 Controller 2 is exempt from the obligations in the following provisions of the UK GDPR
a Article 13(1) to (3) (personal data collected from data subject: information to be provided),
b Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
c Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
d Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

Crime and taxation: risk assessment systems

I9563
1 The UK GDPR provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.
2 A risk assessment system falls within this sub-paragraph if—
a it is operated by a government department, a local authority or another authority administering housing benefit, and
b it is operated for the purposes of—
i the assessment or collection of a tax or duty or an imposition of a similar nature, or
ii the prevention , investigation or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.
3 The UK GDPR provisions referred to in sub-paragraph (1) are the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
a Article 13(1) to (3) (personal data collected from data subject: information to be provided);
b Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
c Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
d Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).

Immigration

I9194
1 The relevant UK GDPR provisions do not apply to personal data processed by the Secretary of State for any of the following purposes—
a the maintenance of effective immigration control, or
b the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
F5431A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F3231B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1C Paragraphs 4A and 4B make provision about F517... safeguards in connection with the exemption in sub-paragraph (1).
2 In sub-paragraph (1) and paragraph 4A, the “relevant UK GDPR provisions are the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
a Article 13(1) to (3) (personal data collected from data subject: information to be provided);
b Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
c Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
d Article 17(1) and (2) (right to erasure);
e Article 18(1) (restriction of processing);
f Article 21(1) (objections to processing);
g Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).
(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)
F4633 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F3634 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Immigration: safeguards: immigration exemption decisions

4A
1 A decision under paragraph 4(1) as to whether, and the extent to which, the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) (referred to in this paragraph as “an immigration exemption decision”) must be made in accordance with this paragraph.
2 An immigration exemption decision must be made—
a on a case by case basis,
b separately in respect of each of the relevant UK GDPR provisions mentioned in paragraph 4(2)(a) to (f) which relates to the data subject, and
c afresh on each occasion on which the Secretary of State considers disapplying or restricting the application of any of the relevant UK GDPR provisions mentioned in paragraph 4(2)(a) to (f) in relation to the data subject.
3 When making an immigration exemption decision, the Secretary of State must take into account all the circumstances of the case, including at least the following—
a any potential vulnerability of the data subject that is relevant to the decision,
b all the rights and freedoms of the data subject including the data subject’s Convention rights, and
c any relevant duties or obligations of the United Kingdom, the Secretary of State or any other person, including—
i the United Kingdom’s obligations under the Refugee Convention and the Trafficking Convention,
ii any duty under section 55 of the Borders, Citizenship and Immigration Act 2009 (duty regarding the welfare of children), and
iii the need to ensure compliance with the UK GDPR.
4 A decision that the application of a particular relevant UK GDPR provision mentioned in paragraph 4(2)(a) to (f) (or that provision in combination with the provision mentioned in paragraph 4(2)(g), so far as it applies) would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) may be made only if—
a the application of that provision or those provisions would give rise to a substantial risk of prejudice to any of the matters mentioned in paragraph 4(1)(a) and (b),
b that risk outweighs the risk of prejudice to the interests of the data subject concerned that would arise if the exemption in paragraph 4(1) were to apply in relation to that provision or those provisions, and
c the application of the exemption in relation to that provision or those provisions is necessary and proportionate to the risks in the particular case.
5 In this paragraph—
  • Convention rights” has the same meaning as in the Human Rights Act 1998 (see section 1(1) of that Act);
  • the Refugee Convention” means the Convention relating to the Status of Refugees, done at Geneva on 28 July 1951, and its Protocol;
  • the Trafficking Convention” means the Council of Europe Convention on Action against Trafficking in Human Beings, done at Warsaw on 16 May 2005.

Immigration: safeguard: record of decision that exemption applies

4B
1 Where the Secretary of State makes a decision mentioned in paragraph 4A(4), the Secretary of State must keep a record of it and the reasons for it.
2 Where sub-paragraph (1) applies, the Secretary of State must also inform the data subject of the decision unless, in the particular circumstances of the case, the Secretary of State considers that doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).

PART 2 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34

UK GDPR provisions to be restricted: “the listed GDPR provisions”

I9466In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
a Article 13(1) to (3) (personal data collected from data subject: information to be provided);
b Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
c Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
d Article 16 (right to rectification);
e Article 17(1) and (2) (right to erasure);
f Article 18(1) (restriction of processing);
g Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
h Article 20(1) and (2) (right to data portability);
i Article 21(1) (objections to processing);
j Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).

Functions designed to protect the public etc

I652C17C16C227The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
a is designed as described in column 1 of the Table, and
b meets the condition relating to the function specified in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
TABLE
Description of function designCondition

1. The function is designed to protect members of the public against—
  1. financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or
  2. financial loss due to the conduct of discharged or undischarged bankrupts.

The function is—
  1. conferred on a person by an enactment,
  2. a function of the Crown, a Minister of the Crown or a government department, or
  3. of a public nature, and is exercised in the public interest.

2. The function is designed to protect members of the public against—
  1. dishonesty, malpractice or other seriously improper conduct, or
  2. unfitness or incompetence.

The function is—
  1. conferred on a person by an enactment,
  2. a function of the Crown, a Minister of the Crown or a government department, or
  3. of a public nature, and is exercised in the public interest.

3. The function is designed—
  1. to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration,
  2. to protect the property of charities or community interest companies from loss or misapplication, or
  3. to recover the property of charities or community interest companies.

The function is—
  1. conferred on a person by an enactment,
  2. a function of the Crown, a Minister of the Crown or a government department, or
  3. of a public nature, and is exercised in the public interest.

4. The function is designed—
  1. to secure the health, safety and welfare of persons at work, or
  2. to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.

The function is—
  1. conferred on a person by an enactment,
  2. a function of the Crown, a Minister of the Crown or a government department, or
  3. of a public nature, and is exercised in the public interest.

5. The function is designed to protect members of the public against—
  1. maladministration by public bodies,
  2. failures in services provided by public bodies, or
  3. a failure of a public body to provide a service which it is a function of the body to provide.

The function is conferred by any enactment on—
  1. the Parliamentary Commissioner for Administration,
  2. the Commissioner for Local Administration in England,
  3. the Health Service Commissioner for England,
  4. the Public Services Ombudsman for Wales,
  5. the Northern Ireland Public Services Ombudsman,
  6. the Prison Ombudsman for Northern Ireland, or
  7. the Scottish Public Services Ombudsman.

6. The function is designed—
  1. to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business,
  2. to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or
  3. to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.

The function is conferred on the Competition and Markets Authority by an enactment.

Audit functions

I3688
1 The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
2 The functions are any function that is conferred by an enactment on—
a the Comptroller and Auditor General;
b the Auditor General for Scotland;
c the Auditor General for Wales;
d the Comptroller and Auditor General for Northern Ireland.

Functions of the Bank of England

I4899
1 The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
2 Relevant function of the Bank of England” means—
a a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);
b a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;
c a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.

Regulatory functions of certain other persons

C1I76711The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
a is a function of a person described in column 1 of the Table, and
b is conferred on that person as described in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
TABLE
Person on whom function is conferredHow function is conferred
1. The Commissioner.

By or under—
  1. the data protection legislation;
  2. the Freedom of Information Act 2000;
  3. section 244 of the Investigatory Powers Act 2016;
  4. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);
  5. the Environmental Information Regulations 2004 (S.I. 2004/3391);
  6. the INSPIRE Regulations 2009 (S.I. 2009/3157);
  7. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;
  8. the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415);
  9. the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).

2. The Scottish Information Commissioner.

By or under—
  1. the Freedom of Information (Scotland) Act 2002 (asp 13);
  2. the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);
  3. the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).

3. The Pensions Ombudsman.By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.
4. The Board of the Pension Protection Fund.By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
5. The Ombudsman for the Board of the Pension Protection Fund.By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
6. The Pensions Regulator.By an enactment.
7. The Financial Conduct Authority.By or under the Financial Services and Markets Act 2000 or by another enactment.
8. The Financial Ombudsman.By or under Part 16 of the Financial Services and Markets Act 2000.
9. The investigator of complaints against the financial regulators.By or under Part 6 of the Financial Services Act 2012.
F405. . .F405. . .
11. The monitoring officer of a relevant authority.By or under the Local Government and Housing Act 1989.
12. The monitoring officer of a relevant Welsh authority.By or under the Local Government Act 2000.
13. The Public Services Ombudsman for Wales.By or under the Local Government Act 2000.
14. The Charity Commission.

By or under—
  1. the Charities Act 1992;
  2. the Charities Act 2006;
  3. the Charities Act 2011.

I84412In the Table in paragraph 11—
  • F318...
  • F318...
  • the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);
  • the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;
  • relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;
  • relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.

Parliamentary privilege

I95113The listed GDPR provisions and Article 34(1) and (4) of the UK GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

Judicial appointments, judicial independence and judicial proceedings

I64614
1 The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for judicial office or the office of Queen's Counsel.
2 The listed GDPR provisions do not apply to personal data processed by—
a an individual acting in a judicial capacity, or
b a court or tribunal acting in its judicial capacity.
3 As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointments

I2915
1 The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
2 The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for any of the following offices—
a archbishops and diocesan and suffragan bishops in the Church of England;
b deans of cathedrals of the Church of England;
c deans and canons of the two Royal Peculiars;
d the First and Second Church Estates Commissioners;
e lord-lieutenants;
f Masters of Trinity College and Churchill College, Cambridge;
g the Provost of Eton;
h the Poet Laureate;
i the Astronomer Royal.
3 The Secretary of State may by regulations amend the list in sub-paragraph (2) to—
a remove an office, or
b add an office to which appointments are made by Her Majesty.
4 Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.

PART 3 Restriction for the protection of rights of others

Protection of the rights of others: general

I92216
1 Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the UK GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.
2 Sub-paragraph (1) does not remove the controller's obligation where—
a the other individual has consented to the disclosure of the information to the data subject, or
b it is reasonable to disclose the information to the data subject without the consent of the other individual.
3 In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
a the type of information that would be disclosed,
b any duty of confidentiality owed to the other individual,
c any steps taken by the controller with a view to seeking the consent of the other individual,
d whether the other individual is capable of giving consent, and
e any express refusal of consent by the other individual.
4 For the purposes of this paragraph—
a information relating to another individual” includes information identifying the other individual as the source of information;
b an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from—
i that information, or
ii that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain.

Assumption of reasonableness for health workers, social workers and education workers

I21017
1 For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where—
a the health data test is met,
b the social work data test is met, or
c the education data test is met.
2 The health data test is met if—
a the information in question is contained in a health record, and
b the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.
3 The social work data test is met if—
a the other individual is—
i a children's court officer,
ii a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or
iii a person who has provided for reward a service that is similar to a service provided in the exercise of any relevant social services functions, and
b the information relates to the other individual in an official capacity or the other individual supplied the information—
i in an official capacity, or
ii in a case within paragraph (a)(iii), in connection with providing the service mentioned in paragraph (a)(iii).
4 The education data test is met if—
a the other individual is an education-related worker, or
b the other individual is employed by an education authority (within the meaning of the Education (Scotland) Act 1980) in pursuance of its functions relating to education and—
i the information relates to the other individual in his or her capacity as such an employee, or
ii the other individual supplied the information in his or her capacity as such an employee.
5 In this paragraph—
  • children's court officer” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;
  • education-related worker” means a person referred to in paragraph 14(4)(a) or (b) or 16(4)(a), (b) or (c) of Schedule 3 (educational records);
  • relevant social services functions” means functions specified in paragraph 8(1)(a), (b), (c) or (d) of Schedule 3.

PART 4 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 15

UK GDPR provisions to be restricted: “the listed GDPR provisions”

I93718In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
a Article 13(1) to (3) (personal data collected from data subject: information to be provided);
b Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
c Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
d Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (c).

Self incrimination

I92320
1 A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.
2 The reference to an offence in sub-paragraph (1) does not include an offence under—
a this Act,
b section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
c section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
d Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
3 Information disclosed by any person in compliance with Article 15 of the UK GDPR is not admissible against the person in proceedings for an offence under this Act.

Corporate finance

I32721
1 The listed GDPR provisions do not apply to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person to the extent that either Condition A or Condition B is met.
2 Condition A is that the application of the listed GDPR provisions would be likely to affect the price of an instrument.
3 Condition B is that—
a the relevant person reasonably believes that the application of the listed GDPR provisions to the personal data in question could affect a decision of a person—
i whether to deal in, subscribe for or issue an instrument, or
ii whether to act in a way likely to have an effect on a business activity (such as an effect on the industrial strategy of a person, the capital structure of an undertaking or the legal or beneficial ownership of a business or asset), and
b the application of the listed GDPR provisions to that personal data would have a prejudicial effect on the orderly functioning of financial markets or the efficient allocation of capital within the economy.
4 In this paragraph—
  • corporate finance service” means a service consisting in—
    1. underwriting in respect of issues of, or the placing of issues of, any instrument,
    2. services relating to such underwriting, or
    3. advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;
  • instrument” means an instrument listed in section C of Annex 1 to Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, and references to an instrument include an instrument not yet in existence but which is to be or may be created;
  • price” includes value;
  • relevant person” means—
    1. a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition;
    2. an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;
    3. a person who is exempt from the general prohibition in respect of any corporate finance service—
      1. as a result of an exemption order made under section 38(1) of that Act, or
      2. by reason of section 39(1) of that Act (appointed representatives);
    4. a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition;
    5. a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”;
    6. a partner who provides to other partners in the partnership a service falling within either of those paragraphs.
5 In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.

Management forecasts

I37522The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned.

Negotiations

I47123The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations.

Confidential references

I38024The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—
a the education, training or employment (or prospective education, training or employment) of the data subject,
b the placement (or prospective placement) of the data subject as a volunteer,
c the appointment (or prospective appointment) of the data subject to any office, or
d the provision (or prospective provision) by the data subject of any service.

Exam scripts and exam marks

I80025
1 The listed GDPR provisions do not apply to personal data consisting of information recorded by candidates during an exam.
2 Where personal data consists of marks or other information processed by a controller—
a for the purposes of determining the results of an exam, or
b in consequence of the determination of the results of an exam,
the duty in Article 12(3) or (4) of the UK GDPR for the controller to provide information requested by the data subject within a certain time period, as it applies to Article 15 of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers), is modified as set out in sub-paragraph (3).
3 Where a question arises as to whether the controller is obliged by Article 15 of the UK GDPR to disclose personal data, and the question arises before the day on which the exam results are announced, the controller must provide the information mentioned in Article 12(3) or (4)—
a before the end of the period of 5 months beginning when the question arises, or
b if earlier, before the end of the period of 40 days beginning with the announcement of the results.
4 In this paragraph, “exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity.
5 For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.

PART 5 Exemptions etc F308... for reasons of freedom of expression and information

Journalistic, academic, artistic and literary purposes

I25I78026
1 In this paragraph, “the special purposes” means one or more of the following—
a the purposes of journalism;
b academic purposes;
c artistic purposes;
d literary purposes.
2 Sub-paragraph (3) applies to the processing of personal data carried out for the special purposes if—
a the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and
b the controller reasonably believes that the publication of the material would be in the public interest.
3 The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.
4 In determining whether publication would be in the public interest the controller must take into account the special importance of the public interest in the freedom of expression and information.
5 In determining whether it is reasonable to believe that publication would be in the public interest, the controller must have regard to any of the codes of practice or guidelines listed in sub-paragraph (6) that is relevant to the publication in question.
6 The codes of practice and guidelines are—
a BBC Editorial Guidelines;
b Ofcom Broadcasting Code;
c Editors' Code of Practice.
7 The Secretary of State may by regulations amend the list in sub-paragraph (6).
8 Regulations under sub-paragraph (7) are subject to the affirmative resolution procedure.
9 For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the UK GDPR (which may be exempted or derogated from by virtue of Article 85(2) of the UK GDPR)—
a in Chapter II of the UK GDPR (principles)—
i Article 5(1)(a) to (e) (principles relating to processing);
ii Article 6 (lawfulness);
iii Article 7 (conditions for consent);
iv Article 8(1) and (2) (child's consent);
v Article 9 (processing of special categories of data);
vi Article 10 (data relating to criminal convictions etc);
vii Article 11(2) (processing not requiring identification);
b in Chapter III of the UK GDPR (rights of the data subject)—
i Article 13(1) to (3) (personal data collected from data subject: information to be provided);
ii Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
iii Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
iv Article 16 (right to rectification);
v Article 17(1) and (2) (right to erasure);
vi Article 18(1)(a), (b) and (d) (restriction of processing);
vii Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
viii Article 20(1) and (2) (right to data portability);
ix Article 21(1) (objections to processing);
c in Chapter IV of the UK GDPR (controller and processor)—
i Article 34(1) and (4) (communication of personal data breach to the data subject);
ii Article 36 (requirement for controller to consult Commissioner prior to high risk processing);
d in Chapter V of the UK GDPR (transfers of data to third countries etc), Article 44A (general principles for transfers);
F310e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

PART 6 Derogations etc F4... for research, statistics and archiving

Research and statistics

I13627
1 The listed GDPR provisions do not apply to personal data processed for—
a scientific or historical research purposes, or
b statistical purposes,
to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.This is subject to sub-paragraphs (3) and (4).
2 For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the UK GDPR
a Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
b Article 16 (right to rectification);
c Article 18(1) (restriction of processing);
d Article 21(1) (objections to processing).
3 The exemption in sub-paragraph (1) is available only where—
a the personal data is processed in accordance with Article 84B of the UK GDPR, and
b as regards the disapplication of Article 15(1) to (3), the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
4 Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.

Archiving in the public interest

I56428
1 The listed GDPR provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.This is subject to sub-paragraphs (3) and (4).
2 For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the UK GDPR
a Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
b Article 16 (right to rectification);
c Article 18(1) (restriction of processing);
d Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
e Article 20(1) (right to data portability);
f Article 21(1) (objections to processing).
3 The exemption in sub-paragraph (1) is available only where the personal data is processed in accordance with Article 84B of the UK GDPR.
4 Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.

SCHEDULE 3 

Exemptions etc from the UK GDPR: health, social work, education and child abuse data

Section 15

PART 1  UK GDPR provisions to be restricted

I9331In this Schedule “the listed GDPR provisions” means the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
a Article 13(1) to (3) (personal data collected from data subject: information to be provided);
b Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
c Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
d Article 16 (right to rectification);
e Article 17(1) and (2) (right to erasure);
f Article 18(1) (restriction of processing);
g Article 20(1) and (2) (right to data portability);
h Article 21(1) (objections to processing);
i Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (h).

PART 2 Health data

Definitions

I8122
1 In this Part of this Schedule—
  • the appropriate health professional”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means—
    1. the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates,
    2. where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or
    3. a health professional who has the necessary experience and qualifications to provide an opinion on the question, where—
      1. there is no health professional available falling within paragraph (a) or (b), or
      2. the controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State's functions in relation to social security or war pensions, or
      3. the controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13));
  • war pension” has the same meaning as in section 25 of the Social Security Act 1989 (establishment and functions of war pensions committees).
2 For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to data concerning health if the application of Article 15 of the UK GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a court

I6243
1 The listed GDPR provisions do not apply to data concerning health if—
a it is processed by a court,
b it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
c in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.
2 Those rules are—
a the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
b the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
c the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
d the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
e the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
f the Sheriff Court Adoption Rules 2009;
g the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
h the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject's expectations and wishes

I6064
1 This paragraph applies where a request for data concerning health is made in exercise of a power conferred by an enactment or rule of law and—
a in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,
b in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or
c the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
2 The listed GDPR provisions do not apply to data concerning health to the extent that complying with the request would disclose information—
a which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,
b which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or
c which the data subject has expressly indicated should not be so disclosed.
3 The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.

Exemption from Article 15 of the UK GDPR: serious harm

I8315
1 Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to data concerning health to the extent that the serious harm test is met with respect to the data.
2 A controller who is not a health professional may not rely on sub-paragraph (1) to withhold data concerning health unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is met with respect to the data.
3 An opinion does not count for the purposes of sub-paragraph (2) if—
a it was obtained before the beginning of the relevant period, or
b it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.
4 In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.

Restriction of Article 15 of the UK GDPR: prior opinion of appropriate health professional

I8106
1 Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the disclosure of data concerning health by a controller who is not a health professional unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is not met with respect to the data.
2 Sub-paragraph (1) does not apply to the extent that the controller is satisfied that the data concerning health has already been seen by, or is within the knowledge of, the data subject.
3 An opinion does not count for the purposes of sub-paragraph (1) if—
a it was obtained before the beginning of the relevant period, or
b it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.
4 In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.

PART 3 Social work data

Definitions

I9437
1 In this Part of this Schedule—
  • education data” has the meaning given by paragraph 17 of this Schedule;
  • Health and Social Care trust” means a Health and Social Care trust established under the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1));
  • Principal Reporter” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
  • social work data” means personal data which—
    1. is data to which paragraph 8 applies, but
    2. is not education data or data concerning health.
2 For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to social work data if the application of Article 15 of the UK GDPR to the data would be likely to prejudice carrying out social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
3 In sub-paragraph (2), “carrying out social work” is to be taken to include doing any of the following—
a the exercise of any functions mentioned in paragraph 8(1)(a), (d), (f) to (j), (m), (p), (s), (t), (u), (v) or (w);
b the provision of any service mentioned in paragraph 8(1)(b), (c) or (k);
c the exercise of the functions of a body mentioned in paragraph 8(1)(e) or a person mentioned in paragraph 8(1)(q) or (r).
4 In this Part of this Schedule, a reference to a local authority, in relation to data processed or formerly processed by it, includes a reference to the Council of the Isles of Scilly, in relation to data processed or formerly processed by the Council in connection with any functions mentioned in paragraph 8(1)(a)(ii) which are or have been conferred on the Council by an enactment.
I9398
1 This paragraph applies to personal data falling within any of the following descriptions—
a data processed by a local authority—
i in connection with its social services functions (within the meaning of the Local Authority Social Services Act 1970 or the Social Services and Well-being (Wales) Act 2014 (anaw 4)) or any functions exercised by local authorities under the Social Work (Scotland) Act 1968 or referred to in section 5(1B) of that Act, or
ii in the exercise of other functions but obtained or consisting of information obtained in connection with any of the functions mentioned in sub-paragraph (i);
b data processed by the Department of Health in Northern Ireland or any person or body exercising functions by virtue of paragraph 22A of Schedule 3 to the Health and Personal Social Services (Northern Ireland) Order 1991
i in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)), or
ii in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;
c data processed by a Health and Social Care trust—
i in the exercise of social care and children functions within the meaning of Article 10A of the Health and Personal Social Services (Northern Ireland) Order 1991,
ia in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)) by virtue of a delegation direction under Article 10B of the Health and Personal Social Services (Northern Ireland) Order 1991, or
ii in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;
d data processed by a council in the exercise of its functions under Part 2 of Schedule 9 to the Health and Social Services and Social Security Adjudications Act 1983;
e data processed by—
i a probation trust established under section 5 of the Offender Management Act 2007, or
ii the Probation Board for Northern Ireland established by the Probation Board (Northern Ireland) Order 1982 (S.I. 1982/713 (N.I. 10));
f data processed by a local authority in the exercise of its functions under section 36 of the Children Act 1989 or Chapter 2 of Part 6 of the Education Act 1996, so far as those functions relate to ensuring that children of compulsory school age (within the meaning of section 8 of the Education Act 1996) receive suitable education whether by attendance at school or otherwise;
g data processed by the Education Authority in the exercise of its functions under Article 55 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 45 of, and Schedule 13 to, the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)), so far as those functions relate to ensuring that children of compulsory school age (within the meaning of Article 46 of the Education and Libraries (Northern Ireland) Order 1986) receive efficient full-time education suitable to their age, ability and aptitude and to any special educational needs they may have, either by regular attendance at school or otherwise;
h data processed by an education authority in the exercise of its functions under sections 35 to 42 of the Education (Scotland) Act 1980 so far as those functions relate to ensuring that children of school age (within the meaning of section 31 of the Education (Scotland) Act 1980) receive efficient education suitable to their age, ability and aptitude, whether by attendance at school or otherwise;
i data relating to persons detained in a hospital at which high security psychiatric services are provided under section 4 of the National Health Service Act 2006 and processed by a Special Health Authority established under section 28 of that Act in the exercise of any functions similar to any social services functions of a local authority;
j data relating to persons detained in special accommodation provided under Article 110 of the Mental Health (Northern Ireland) Order 1986 (S.I. 1986/595 (N.I. 4)) and processed by a Health and Social Care trust in the exercise of any functions similar to any social services functions of a local authority;
k data which—
i is processed by the National Society for the Prevention of Cruelty to Children, or by any other voluntary organisation or other body designated under this paragraph by the Secretary of State or the Department of Health in Northern Ireland, and
ii appears to the Secretary of State or the Department, as the case may be, to be processed for the purposes of the provision of any service similar to a service provided in the exercise of any functions specified in paragraph (a), (b), (c) or (d);
l data processed by a body mentioned in sub-paragraph (2)—
i which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (k) or from a government department, and
ii in the case of data obtained, or consisting of information obtained, from an authority or body mentioned in any of paragraphs (a) to (k), fell within any of those paragraphs while processed by the authority or body;
m data processed by a National Health Service trust first established under section 25 of the National Health Service Act 2006, section 18 of the National Health Service (Wales) Act 2006 or section 5 of the National Health Service and Community Care Act 1990 in the exercise of any functions similar to any social services functions of a local authority;
n data processed by an NHS foundation trust in the exercise of any functions similar to any social services functions of a local authority;
o data processed by a government department—
i which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (n), and
ii which fell within any of those paragraphs while processed by that authority or body;
p data processed for the purposes of the functions of the Secretary of State pursuant to section 82(5) of the Children Act 1989;
q data processed by—
i a children's guardian appointed under Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)),
ii a guardian ad litem appointed under Article 60 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 66 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), or
iii a safeguarder appointed under section 30(2) or 31(3) of the Children's Hearings (Scotland) Act 2011 (asp 1);
r data processed by the Principal Reporter;
s data processed by an officer of the Children and Family Court Advisory and Support Service for the purpose of the officer's functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
t data processed by the Welsh family proceedings officer for the purposes of the functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010;
u data processed by an officer of the service appointed as guardian ad litem under Part 16 of the Family Procedure Rules 2010;
v data processed by the Children and Family Court Advisory and Support Service for the purpose of its functions under section 12(1) and (2) and section 13(1), (2) and (4) of the Criminal Justice and Court Services Act 2000;
w data processed by the Welsh Ministers for the purposes of their functions under section 35(1) and (2) and section 36(1), (2), (4), (5) and (6) of the Children Act 2004;
x data processed for the purposes of the functions of the appropriate Minister pursuant to section 12 of the Adoption and Children Act 2002 (independent review of determinations).
2 The bodies referred to in sub-paragraph (1)(l) are—
a a National Health Service trust first established under section 25 of the National Health Service Act 2006 or section 18 of the National Health Service (Wales) Act 2006;
b a National Health Service trust first established under section 5 of the National Health Service and Community Care Act 1990;
c an NHS foundation trust;
d an integrated care board established under section 14Z25 of the National Health Service Act 2006;
e NHS England;
f a Local Health Board established under section 11 of the National Health Service (Wales) Act 2006;
g a Health Board established under section 2 of the National Health Service (Scotland) Act 1978.

Exemption from the listed GDPR provisions: data processed by a court

I5359
1 The listed GDPR provisions do not apply to data that is not education data or data concerning health if—
a it is processed by a court,
b it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
c in accordance with any of those rules, the data may be withheld by the court in whole or in part from the data subject.
2 Those rules are—
a the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
b the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
c the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
d the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
e the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
f the Sheriff Court Adoption Rules 2009;
g the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
h the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject's expectations and wishes

I62910
1 This paragraph applies where a request for social work data is made in exercise of a power conferred by an enactment or rule of law and—
a in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,
b in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or
c the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
2 The listed GDPR provisions do not apply to social work data to the extent that complying with the request would disclose information—
a which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,
b which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or
c which the data subject has expressly indicated should not be so disclosed.
3 The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.

Exemption from Article 15 of the UK GDPR: serious harm

I82411Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to social work data to the extent that the serious harm test is met with respect to the data.

Restriction of Article 15 of the UK GDPR: prior opinion of Principal Reporter

I96612
1 This paragraph applies where—
a a question arises as to whether a controller who is a social work authority is obliged by Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) to disclose social work data, and
b the data—
i originated from or was supplied by the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and
ii is not data which the data subject is entitled to receive from the Principal Reporter.
2 The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.
3 Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.
4 In this paragraph “social work authority” means a local authority for the purposes of the Social Work (Scotland) Act 1968.

PART 4 Education data

Educational records

I48713In this Part of this Schedule “educational record” means a record to which paragraph 14, 15 or 16 applies.
I53614
1 This paragraph applies to a record of information which—
a is processed by or on behalf of the proprietor of, or a teacher at, a school in England and Wales specified in sub-paragraph (3),
b relates to an individual who is or has been a pupil at the school, and
c originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
2 But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
3 The schools referred to in sub-paragraph (1)(a) are—
a a school maintained by a local authority;
b an Academy school;
c an alternative provision Academy;
d an independent school that is not an Academy school or an alternative provision Academy;
e a non-maintained special school.
4 The persons referred to in sub-paragraph (1)(c) are—
a an employee of the local authority which maintains the school;
b in the case of—
i a voluntary aided, foundation or foundation special school (within the meaning of the School Standards and Framework Act 1998),
ii an Academy school,
iii an alternative provision Academy,
iv an independent school that is not an Academy school or an alternative provision Academy, or
v a non-maintained special school,
a teacher or other employee at the school (including an educational psychologist engaged by the proprietor under a contract for services);
c the pupil to whom the record relates;
d a parent, as defined by section 576(1) of the Education Act 1996, of that pupil.
5 In this paragraph—
  • independent school” has the meaning given by section 463 of the Education Act 1996;
  • local authority” has the same meaning as in that Act (see sections 579(1) and 581 of that Act);
  • non-maintained special school” has the meaning given by section 337A of that Act;
  • proprietor” has the meaning given by section 579(1) of that Act.
I27115
1 This paragraph applies to a record of information which is processed—
a by an education authority in Scotland, and
b for the purpose of the relevant function of the authority.
2 But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
3 For the purposes of this paragraph, information processed by an education authority is processed for the purpose of the relevant function of the authority if the processing relates to the discharge of that function in respect of a person—
a who is or has been a pupil in a school provided by the authority, or
b who receives, or has received, further education provided by the authority.
4 In this paragraph “the relevant function” means, in relation to each education authority, its function under section 1 of the Education (Scotland) Act 1980 and section 7(1) of the Self-Governing Schools etc. (Scotland) Act 1989.
I39316
1 This paragraph applies to a record of information which—
a is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),
b relates to an individual who is or has been a pupil at the school, and
c originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
2 But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
3 The schools referred to in sub-paragraph (1)(a) are—
a a grant-aided school;
b an independent school.
4 The persons referred to in sub-paragraph (1)(c) are—
a a teacher at the school;
b an employee of the Education Authority, other than a teacher at the school;
c an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;
d the pupil to whom the record relates;
e a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).
5 In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).

Other definitions

I92017
1 In this Part of this Schedule—
  • education authority” and “further education” have the same meaning as in the Education (Scotland) Act 1980;
  • education data” means personal data consisting of information which—
    1. constitutes an educational record, but
    2. is not data concerning health;
  • Principal Reporter” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
  • pupil” means—
    1. in relation to a school in England and Wales, a registered pupil within the meaning of the Education Act 1996,
    2. in relation to a school in Scotland, a pupil within the meaning of the Education (Scotland) Act 1980, and
    3. in relation to a school in Northern Ireland, a registered pupil within the meaning of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3));
  • “school”—
    1. in relation to England and Wales, has the same meaning as in the Education Act 1996,
    2. in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and
    3. in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;
  • teacher” includes—
    1. in Great Britain, head teacher, and
    2. in Northern Ireland, the principal of a school.
2 For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to education data if the application of Article 15 of the UK GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a court

I11018
1 The listed GDPR provisions do not apply to education data if—
a it is processed by a court,
b it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
c in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.
2 Those rules are—
a the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
b the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
c the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
d the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
e the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
f the Sheriff Court Adoption Rules 2009;
g the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
h the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from Article 15 of the UK GDPR: serious harm

I83019Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to education data to the extent that the serious harm test is met with respect to the data.

Restriction of Article 15 of the UK GDPR: prior opinion of Principal Reporter

I91420
1 This paragraph applies where—
a a question arises as to whether a controller who is an education authority is obliged by Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) to disclose education data, and
b the controller believes that the data—
i originated from or was supplied by or on behalf of the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and
ii is not data which the data subject is entitled to receive from the Principal Reporter.
2 The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.
3 Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.

PART 5 Child abuse data

Exemption from Article 15 of the UK GDPR: child abuse data

I85021
1 This paragraph applies where a request for child abuse data is made in exercise of a power conferred by an enactment or rule of law and—
a the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject, or
b the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
2 Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to child abuse data to the extent that the application of that provision would not be in the best interests of the data subject.
3 “Child abuse data” is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse.
4 For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
5 This paragraph does not apply in relation to Scotland.

SCHEDULE 4 

Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

Section 15

UK GDPR provisions to be restricted: “the listed GDPR provisions”

I7861In this Schedule “the listed GDPR provisions” means the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
a Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
b Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3).

Human fertilisation and embryology information

I8372The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of sections 31, 31ZA to 31ZE and 33A to 33D of the Human Fertilisation and Embryology Act 1990.

Adoption records and reports

I8983
1 The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2), (3) or (4).
2 The enactments extending to England and Wales are—
a regulation 14 of the Adoption Agencies Regulations 1983 (S.I. 1983/1964);
b regulation 41 of the Adoption Agencies Regulations 2005 (S.I. 2005/389);
c regulation 42 of the Adoption Agencies (Wales) Regulations 2005 (S.I. 2005/1313 (W. 95));
d rules 5, 6, 9, 17, 18, 21, 22 and 53 of the Adoption Rules 1984 (S.I. 1984/265);
e rules 24, 29, 30, 65, 72, 73, 77, 78 and 83 of the Family Procedure (Adoption) Rules 2005 (S.I. 2005/2795 (L. 22));
f in the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)), rules 14.6, 14.11, 14.12, 14.13, 14.14, 14.24, 16.20 (so far as it applies to a children's guardian appointed in proceedings to which Part 14 of those Rules applies), 16.32 and 16.33 (so far as it applies to a children and family reporter in proceedings to which Part 14 of those Rules applies).
3 The enactments extending to Scotland are—
a regulation 23 of the Adoption Agencies (Scotland) Regulations 1996 (S.I. 1996/3266 (S. 254));
b rule 67.3 of the Act of Sederunt (Rules of the Court of Session 1994) 1994 (S.I. 1994/1443 (S. 69));
c rules 10.3, 17.2, 21, 25, 39, 43.3, 46.2 and 47 of the Act of Sederunt (Sheriff Court Rules Amendment) (Adoption and Children (Scotland) Act 2007) 2009 (S.S.I. 2009/284);
d sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4);
e regulation 28 of the Adoption Agencies (Scotland) Regulations 2009 (S.S.I. 2009/154);
f regulation 3 of the Adoption (Disclosure of Information and Medical Information about Natural Parents) (Scotland) Regulations 2009 (S.S.I. 2009/268).
4 The enactments extending to Northern Ireland are—
a Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22));
b rule 53 of Order 84 of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);
c rules 4A.4(5), 4A.5(1), 4A.6(6), 4A.22(5) and 4C.7 of Part IVA of the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322).

Statements of special educational needs

I8564
1 The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2).
2 The enactments are—
a regulation 17 of the Special Educational Needs and Disability Regulations 2014 (S.I. 2014/1530);
b regulation 10 of the Additional Support for Learning (Co-ordinated Support Plan) (Scotland) Amendment Regulations 2005 (S.S.I. 2005/518);
c regulation 22 of the Education (Special Educational Needs) Regulations (Northern Ireland) 2005 (S.R. (N.I.) 2005 No. 384).

Parental order records and reports

I8485
1 The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2), (3) or (4).
2 The enactments extending to England and Wales are—
a sections 60, 77, 78 and 79 of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—
i section 30 of the Human Fertilisation and Embryology Act 1990, or
ii section 54 of the Human Fertilisation and Embryology Act 2008;
b rules made under section 144 of the Magistrates' Courts Act 1980 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010, so far as the rules relate to—
i the appointment and duties of the parental order reporter, and
ii the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings;
c rules made under section 75 of the Courts Act 2003 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985), so far as the rules relate to—
i the appointment and duties of the parental order reporter, and
ii the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings.
3 The enactments extending to Scotland are—
a sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4), as applied with modifications by regulation 4 of and Schedule 3 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—
i section 30 of the Human Fertilisation and Embryology Act 1990, or
ii section 54 of the Human Fertilisation and Embryology Act 2008;
b rules 2.47 and 2.59 of the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
c rules 21 and 25 of the Sheriff Court Adoption Rules 2009.
4 The enactments extending to Northern Ireland are—
a Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), as applied with modifications by regulation 3 of and Schedule 2 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 in respect of parental orders made under—
i section 30 of the Human Fertilisation and Embryology Act 1990, or
ii section 54 of the Human Fertilisation and Embryology Act 2008;
b rules 4, 5 and 16 of Order 84A of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);
c rules 3, 4 and 15 of Order 50A of the County Court Rules (Northern Ireland) 1981 (S.R. (N.I.) 1981 No. 225).

Information provided by Principal Reporter for children's hearing

6The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of the following enactments—
a section 178 of the Children's Hearings (Scotland) Act 2011 (asp 1);
b the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

SCHEDULE 5 

Accreditation of certification providers: reviews and appeals

Section 17

Introduction

I9101
1 This Schedule applies where—
a a person (“the applicant”) applies to an accreditation authority for accreditation as a certification provider, and
b is dissatisfied with the decision on that application.
2 In this Schedule—
  • accreditation authority” means—
    1. the Commissioner, or
    2. the UK national accreditation body;
  • certification provider” and “UK national accreditation body” have the same meaning as in section 17.

Review

I6302
1 The applicant may ask the accreditation authority to review the decision.
2 The request must be made in writing before the end of the period of 28 days beginning with the day on which the person receives written notice of the accreditation authority's decision.
3 The request must specify—
a the decision to be reviewed, and
b the reasons for asking for the review.
4 The request may be accompanied by additional documents which the applicant wants the accreditation authority to take into account for the purposes of the review.
5 If the applicant makes a request in accordance with sub-paragraphs (1) to (4), the accreditation authority must—
a review the decision, and
b inform the applicant of the outcome of the review in writing before the end of the period of 28 days beginning with the day on which the request for a review is received.

Right to appeal

I3263
1 If the applicant is dissatisfied with the decision on the review under paragraph 2, the applicant may ask the accreditation authority to refer the decision to an appeal panel constituted in accordance with paragraph 4.
2 The request must be made in writing before the end of the period of 3 months beginning with the day on which the person receives written notice of the decision on the review.
3 A request must specify—
a the decision to be referred to the appeal panel, and
b the reasons for asking for it to be referred.
4 The request may be accompanied by additional documents which the applicant wants the appeal panel to take into account.
5 The applicant may discontinue an appeal at any time by giving notice in writing to the accreditation authority.

Appeal panel

I7644
1 If the applicant makes a request in accordance with paragraph 3, an appeal panel must be established in accordance with this paragraph.
2 An appeal panel must consist of a chair and at least two other members.
3 Where the request relates to a decision of the Commissioner—
a the Secretary of State may appoint one person to be a member of the appeal panel other than the chair, and
b subject to paragraph (a), the Commissioner must appoint the members of the appeal panel.
4 Where the request relates to a decision of the UK national accreditation body
a the Secretary of State—
i may appoint one person to be a member of the appeal panel other than the chair, or
ii may direct the Commissioner to appoint one person to be a member of the appeal panel other than the chair, and
b subject to paragraph (a), the chair of the UK national accreditation body must appoint the members of the appeal panel.
5 A person may not be a member of an appeal panel if the person—
a has a commercial interest in the decision referred to the panel,
b has had any prior involvement in any matters relating to the decision, or
c is an employee or officer of the accreditation authority.
6 The Commissioner may not be a member of an appeal panel to which a decision of the Commissioner is referred.
7 The applicant may object to all or any of the members of the appeal panel appointed under sub-paragraph (3) or (4).
8 If the applicant objects to a member of the appeal panel under sub-paragraph (7), the person who appointed that member must appoint a replacement.
9 The applicant may not object to a member of the appeal panel appointed under sub-paragraph (8).

Hearing

I3045
1 If the appeal panel considers it necessary, a hearing must be held at which both the applicant and the accreditation authority may be represented.
2 Any additional documents which the applicant or the accreditation authority want the appeal panel to take into account must be submitted to the chair of the appeal panel at least 5 working days before the hearing.
3 The appeal panel may allow experts and witnesses to give evidence at a hearing.

Decision following referral to appeal panel

I8266
1 The appeal panel must, before the end of the period of 28 days beginning with the day on which the appeal panel is established in accordance with paragraph 4—
a make a reasoned recommendation in writing to the accreditation authority, and
b give a copy of the recommendation to the applicant.
2 For the purposes of sub-paragraph (1), where there is an objection under paragraph 4(7), an appeal panel is not to be taken to be established in accordance with paragraph 4 until the replacement member is appointed (or, if there is more than one objection, until the last replacement member is appointed).
3 The accreditation authority must, before the end of the period of 3 working days beginning with the day on which the authority receives the recommendation—
a make a reasoned final decision in writing, and
b give a copy of the decision to the applicant.
4 Where the accreditation authority is the UK national accreditation body, the recommendation must be given to, and the final decision must be made by, the chief executive of that body.

Meaning of “working day”

I1037In this Schedule, “working day” means any day other than—
a Saturday or Sunday,
b Christmas Day or Good Friday, or
c a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.

F678SCHEDULE 6 

The applied GDPR and the applied Chapter 2

Section 22

F678PART 1 Modifications to the GDPR

F678Introductory

F6781. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678References to the GDPR and its provisions

F6782. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678References to Union law and Member State law

F6783. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678References to the Union and to Member States

F6784. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678References to supervisory authorities

F6785. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678References to the national parliament

F6786. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter I of the GDPR (general provisions)

F6787. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F6788. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F6789. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter II of the GDPR (principles)

F67810. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67811. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67812. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67813. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)

F67814. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 2 of Chapter III of the GDPR (rights of the data subject: information and access to personal data)

F67815. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67816. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)

F67817. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67818. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 4 of Chapter III of the GDPR (rights of the data subject: right to object and automated individual decision-making)

F67819. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67820. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)

F67821. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)

F67822. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67823. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67824. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67825. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67826. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 3 of Chapter IV of the GDPR (controller and processor: data protection impact assessment and prior consultation)

F67827. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67828. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)

F67829. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67830. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)

F67831. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67832. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67833. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67834. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter V of the GDPR (transfers of data to third countries or international organisations)

F67835. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67836. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67837. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67838. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67839. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 1 of Chapter VI of the GDPR (independent supervisory authorities: independent status)

F67840. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67841. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67842. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67843. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Section 2 of Chapter VI of the GDPR (independent supervisory authorities: competence, tasks and powers)

F67844. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67845. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67846. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67847. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67848. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter VII of the GDPR (co-operation and consistency)

F67849. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter VIII of the GDPR (remedies, liability and penalties)

F67850. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67851. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67852. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67853. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67854. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67855. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67856. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67857. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter IX of the GDPR (provisions relating to specific processing situations)

F67858. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67859. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67860. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67861. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67862. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67863. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67864. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter X of the GDPR (delegated acts and implementing acts)

F67865. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67866. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Chapter XI of the GDPR (final provisions)

F67867. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67868. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67869. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67870. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67871. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F67872. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678PART 2 Modifications to Chapter 2 of Part 2

F678Introductory

F67873. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678General modifications

F67874. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F678Exemptions

F67875. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SCHEDULE 7 

Competent authorities

Section 30

I5801Any United Kingdom government department other than a non-ministerial government department.
I1272The Scottish Ministers.
I7313Any Northern Ireland department.
I3704The Welsh Ministers.

Chief officers of police and other policing bodies

I2045The chief constable of a police force maintained under section 2 of the Police Act 1996.
I1346The Commissioner of Police of the Metropolis.
I547The Commissioner of Police for the City of London.
I6128The Chief Constable of the Police Service of Northern Ireland.
I3109The chief constable of the Police Service of Scotland.
I20110The chief constable of the British Transport Police.
I9811The chief constable of the Civil Nuclear Constabulary.
I30312The chief constable of the Ministry of Defence Police.
I6413The Provost Marshal of the Royal Navy Police.
I65814The Provost Marshal of the Royal Military Police.
I46515The Provost Marshal of the Royal Air Force Police.
15AThe Provost Marshal for serious crime.
I27516The chief officer of—
a a body of constables appointed under provision incorporating section 79 of the Harbours, Docks, and Piers Clauses Act 1847;
b a body of constables appointed under an order made under section 14 of the Harbours Act 1964;
c the body of constables appointed under section 154 of the Port of London Act 1968 (c.xxxii).
I19717A body established in accordance with a collaboration agreement under section 22A of the Police Act 1996.
I8518The Director General of the Independent Office for Police Conduct.
18AThe Service Police Complaints Commissioner.
I27819The Police Investigations and Review Commissioner.
I61720The Police Ombudsman for Northern Ireland.

Other authorities with investigatory functions

I73721The Commissioners for Her Majesty's Revenue and Customs.
I75422The Welsh Revenue Authority.
I39023Revenue Scotland.
I58724The Director General of the National Crime Agency.
I42325The Director of the Serious Fraud Office.
I7626The Director of Border Revenue.
I18727The Financial Conduct Authority.
I10928The Health and Safety Executive.
I43129The Competition and Markets Authority.
I23330The Gas and Electricity Markets Authority.
I33831The Food Standards Agency.
I61632Food Standards Scotland.
I27433Her Majesty's Land Registry.
I69834The Criminal Cases Review Commission.
I11235The Scottish Criminal Cases Review Commission.

Authorities with functions relating to offender management

I33336A provider of probation services (other than the Secretary of State), acting in pursuance of arrangements made under section 3(2) of the Offender Management Act 2007.
I71337The Youth Justice Board for England and Wales.
I64938The Parole Board for England and Wales.
I43739The Parole Board for Scotland.
I28940The Parole Commissioners for Northern Ireland.
I73441The Probation Board for Northern Ireland.
I10242The Prisoner Ombudsman for Northern Ireland.
I51243A person who has entered into a contract for the running of, or part of—
a a prison or young offender institution under section 84 of the Criminal Justice Act 1991, or
b a secure training centre under section 7 of the Criminal Justice and Public Order Act 1994.
I63644A person who has entered into a contract with the Secretary of State—
a under section 80 of the Criminal Justice Act 1991 for the purposes of prisoner escort arrangements, or
b under paragraph 1 of Schedule 1 to the Criminal Justice and Public Order Act 1994 for the purposes of escort arrangements.
I46245A person who is, under or by virtue of any enactment, responsible for securing the electronic monitoring of an individual.
I18946A youth offending team established under section 39 of the Crime and Disorder Act 1998.

Other authorities

I11447The Director of Public Prosecutions.
I42148The Director of Public Prosecutions for Northern Ireland.
I65449The Lord Advocate.
I24550A Procurator Fiscal.
I62751The Director of Service Prosecutions.
I48552The Information Commissioner.
I59853The Scottish Information Commissioner.
I56854The Scottish Courts and Tribunal Service.
I33955The Crown agent.
I48456A court or tribunal.
57The Border Security Commander.

SCHEDULE 8 

Conditions for sensitive processing under Part 3

Section 35(5)

Statutory etc purposes

I971This condition is met if the processing—
a is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and
b is necessary for reasons of substantial public interest.

Administration of justice

I1452This condition is met if the processing is necessary for the administration of justice.

Protecting individual's vital interests

I4153This condition is met if the processing is necessary to protect the vital interests of the data subject or of another individual.

Safeguarding of children and of individuals at risk

I6814
1 This condition is met if—
a the processing is necessary for the purposes of—
i protecting an individual from neglect or physical, mental or emotional harm, or
ii protecting the physical, mental or emotional well-being of an individual,
b the individual is—
i aged under 18, or
ii aged 18 or over and at risk,
c the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
d the processing is necessary for reasons of substantial public interest.
2 The reasons mentioned in sub-paragraph (1)(c) are—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
c the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
3 For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
a has needs for care and support,
b is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
c as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
4 In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Personal data already in the public domain

I7095This condition is met if the processing relates to personal data which is manifestly made public by the data subject.

Judicial acts

I2307This condition is met if the processing is necessary when a court or other judicial authority is acting in its judicial capacity.

Preventing fraud

I6808
1 This condition is met if the processing—
a is necessary for the purposes of preventing fraud or a particular kind of fraud, and
b consists of—
i the disclosure of personal data by a competent authority as a member of an anti-fraud organisation,
ii the disclosure of personal data by a competent authority in accordance with arrangements made by an anti-fraud organisation,
iia the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii), or
iii the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
2 In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.

Archiving etc

I7049This condition is met if the processing is necessary—
a for archiving purposes in the public interest,
b for scientific or historical research purposes, or
c for statistical purposes.

SCHEDULE 9 

Conditions for processing under Part 4

Section 86

I1551The data subject has given consent to the processing.
I902The processing is necessary—
a for the performance of a contract to which the data subject is a party, or
b in order to take steps at the request of the data subject prior to entering into a contract.
I1113The processing is necessary for compliance with a legal obligation to which the controller is subject, other than an obligation imposed by contract.
I7184The processing is necessary in order to protect the vital interests of the data subject or of another individual.
I665The processing is necessary—
a for the administration of justice,
b for the exercise of any functions of either House of Parliament,
c for the exercise of any functions conferred on a person by an enactment or rule of law,
d for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
e for the exercise of any other functions of a public nature exercised in the public interest by a person.
I2766
1 The processing is necessary for the purposes of legitimate interests pursued by—
a the controller, or
b the third party or parties to whom the data is disclosed.
2 Sub-paragraph (1) does not apply where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.
3 In this paragraph, “third party”, in relation to personal data, means a person other than the data subject, the controller or a processor or other person authorised to process personal data for the controller or processor.

SCHEDULE 10 

Conditions for sensitive processing under Part 4

Section 86

Right or obligation relating to employment

I3612The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by an enactment or rule of law on the controller in connection with employment.

Vital interests of a person

I4023The processing is necessary—
a in order to protect the vital interests of the data subject or of another person, in a case where—
i consent cannot be given by or on behalf of the data subject, or
ii the controller cannot reasonably be expected to obtain the consent of the data subject, or
b in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

Safeguarding of children and of individuals at risk

I2264
1 This condition is met if—
a the processing is necessary for the purposes of—
i protecting an individual from neglect or physical, mental or emotional harm, or
ii protecting the physical, mental or emotional well-being of an individual,
b the individual is—
i aged under 18, or
ii aged 18 or over and at risk,
c the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
d the processing is necessary for reasons of substantial public interest.
2 The reasons mentioned in sub-paragraph (1)(c) are—
a in the circumstances, consent to the processing cannot be given by the data subject;
b in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
c the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
3 For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
a has needs for care and support,
b is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
c as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
4 In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Data already published by data subject

I675The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

Administration of justice, parliamentary, statutory etc and government purposes

I2317The processing is necessary—
a for the administration of justice,
b for the exercise of any functions of either House of Parliament,
c for the exercise of any functions conferred on any person by an enactment or rule of law, or
d for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

Medical purposes

I2688
1 The processing is necessary for medical purposes and is undertaken by—
a a health professional, or
b a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
2 In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

Equality

I4079
1 The processing—
a is of sensitive personal data consisting of information as to racial or ethnic origin,
b is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
c is carried out with appropriate safeguards for the rights and freedoms of data subjects.
2 In this paragraph, “sensitive personal data” means personal data the processing of which constitutes sensitive processing (see section 86(7)).

SCHEDULE 11 

Other exemptions under Part 4

Section 112

Preliminary

I3451In this Schedule, “the listed provisions” means—
a Chapter 2 of Part 4 (the data protection principles), except section 86(1)(a) and (2) and Schedules 9 and 10;
b Chapter 3 of Part 4 (rights of data subjects);
c in Chapter 4 of Part 4 , section 108 (communication of personal data breach to the Commissioner).

Crime

I5822The listed provisions do not apply to personal data processed for any of the following purposes—
a the prevention , investigation and detection of crime, or
b the apprehension and prosecution of offenders,
to the extent that the application of the listed provisions would be likely to prejudice any of the matters mentioned in paragraph (a) or (b).

Parliamentary privilege

I6834The listed provisions do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

Judicial proceedings

I4995The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice judicial proceedings.

Crown honours and dignities

I3296The listed provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.

Armed forces

I1807The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown.

Economic well-being

I6388The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the economic well-being of the United Kingdom.

Negotiations

I8310The listed provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of the listed provisions would be likely to prejudice the negotiations.

Confidential references given by the controller

I46711The listed provisions do not apply to personal data consisting of a reference given (or to be given) in confidence by the controller for the purposes of—
a the education, training or employment (or prospective education, training or employment) of the data subject,
b the appointment (or prospective appointment) of the data subject to any office, or
c the provision (or prospective provision) by the data subject of any service.

Exam scripts and marks

I57412
1 The listed provisions do not apply to personal data consisting of information recorded by candidates during an exam.
2 Where personal data consists of marks or other information processed by a controller—
a for the purposes of determining the results of an exam, or
b in consequence of the determination of the results of an exam,
section 94 has effect subject to sub-paragraph (3).
3 Where the relevant time falls before the results of the exam are announced, the period mentioned in section 94(10)(b) is extended until the earlier of—
a the end of the period of 5 months beginning with the relevant time, and
b the end of the period of 40 days beginning with the announcement of the results.
4 In this paragraph—
  • exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity;
  • the relevant time” has the same meaning as in section 94.
5 For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.

Research and statistics

I51613
1 The listed provisions do not apply to personal data processed for—
a scientific or historical research purposes, or
b statistical purposes,
to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.
2 The exemption in sub-paragraph (1) is available only where—
a the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects, and
b the results of the research or any resulting statistics are not made available in a form which identifies a data subject.

Archiving in the public interest

I54314
1 The listed provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.
2 The exemption in sub-paragraph (1) is available only where the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects.

SCHEDULE 12 

The Information Commissioner

Section 114

Status and capacity

I2851
1 The Commissioner is to continue to be a corporation sole.
2 The Commissioner and the Commissioner's officers and staff are not to be regarded as servants or agents of the Crown.

Appointment

I4732
1 The Commissioner is to be appointed by Her Majesty by Letters Patent.
2 No recommendation may be made to Her Majesty for the appointment of a person as the Commissioner unless the person concerned has been selected on merit on the basis of fair and open competition.
3 The Commissioner is to hold office for such term not exceeding 7 years as may be determined at the time of the Commissioner's appointment, subject to paragraph 3.
4 A person cannot be appointed as the Commissioner more than once.

Resignation and removal

I3763
1 The Commissioner may be relieved of office by Her Majesty at the Commissioner's own request.
2 The Commissioner may be removed from office by Her Majesty on an Address from both Houses of Parliament.
3 No motion is to be made in either House of Parliament for such an Address unless a Minister of the Crown has presented a report to that House stating that the Minister is satisfied that one or both of the following grounds is made out—
a the Commissioner is guilty of serious misconduct;
b the Commissioner no longer fulfils the conditions required for the performance of the Commissioner's functions.

Salary etc

I554
1 The Commissioner is to be paid such salary as may be specified by a resolution of the House of Commons.
2 There is to be paid in respect of the Commissioner such pension as may be specified by a resolution of the House of Commons.
3 A resolution for the purposes of this paragraph may—
a specify the salary or pension,
b specify the salary or pension and provide for it to be increased by reference to such variables as may be specified in the resolution, or
c provide that the salary or pension is to be the same as, or calculated on the same basis as, that payable to, or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown.
4 A resolution for the purposes of this paragraph may take effect from—
a the date on which it is passed, or
b from an earlier date or later date specified in the resolution.
5 A resolution for the purposes of this paragraph may make different provision in relation to the pension payable to, or in respect of, different holders of the office of Commissioner.
6 A salary or pension payable under this paragraph is to be charged on and issued out of the Consolidated Fund.
7 In this paragraph, “pension” includes an allowance or gratuity and a reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.

Officers and staff

I3195
1 The Commissioner—
a must appoint one or more deputy commissioners, and
b may appoint other officers and staff.
2 The Commissioner is to determine the remuneration and other conditions of service of people appointed under this paragraph.
3 The Commissioner may pay pensions, allowances or gratuities to, or in respect of, people appointed under this paragraph, including pensions, allowances or gratuities paid by way of compensation in respect of loss of office or employment.
4 The references in sub-paragraph (3) to paying pensions, allowances or gratuities includes making payments towards the provision of pensions, allowances or gratuities.
5 In making appointments under this paragraph, the Commissioner must have regard to the principle of selection on merit on the basis of fair and open competition.
6 The Employers' Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the Commissioner.

Carrying out of the Commissioner's functions by officers and staff

I5636
1 The functions of the Commissioner are to be carried out by the deputy commissioner or deputy commissioners if—
a there is a vacancy in the office of the Commissioner, or
b the Commissioner is for any reason unable to act.
2 When the Commissioner appoints a second or subsequent deputy commissioner, the Commissioner must specify which deputy commissioner is to carry out which of the Commissioner's functions in the circumstances referred to in sub-paragraph (1).
3 A function of the Commissioner may, to the extent authorised by the Commissioner, be carried out by any of the Commissioner's officers or staff.

Authentication of the seal of the Commissioner

I3157The application of the seal of the Commissioner is to be authenticated by—
a the Commissioner's signature, or
b the signature of another person authorised for the purpose.

Presumption of authenticity of documents issued by the Commissioner

I3218A document purporting to be an instrument issued by the Commissioner and to be—
a duly executed under the Commissioner's seal, or
b signed by or on behalf of the Commissioner,
is to be received in evidence and is to be deemed to be such an instrument unless the contrary is shown.

Money

I5199The Secretary of State may make payments to the Commissioner out of money provided by Parliament.

Fees etc and other sums

I19510
1 All fees, charges, penalties and other sums received by the Commissioner in carrying out the Commissioner's functions are to be paid by the Commissioner to the Secretary of State.
2 Sub-paragraph (1) does not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.
3 Any sums received by the Secretary of State under sub-paragraph (1) are to be paid into the Consolidated Fund.

Accounts

I75311
1 The Commissioner must—
a keep proper accounts and other records in relation to the accounts, and
b prepare in respect of each financial year a statement of account in such form as the Secretary of State may direct.
2 The Commissioner must send a copy of the statement to the Comptroller and Auditor General—
a on or before 31 August next following the end of the year to which the statement relates, or
b on or before such earlier date after the end of that year as the Treasury may direct.
3 The Comptroller and Auditor General must examine, certify and report on the statement.
4 The Commissioner must arrange for copies of the statement and the Comptroller and Auditor General's report to be laid before Parliament.
5 In this paragraph, “financial year” means a period of 12 months beginning with 1 April.

Scotland

I12012Paragraphs 1(1), 7 and 8 do not extend to Scotland.

Schedule 12A 

The Information Commission

Section 114A

1 Status

1 The Commission is not to be regarded—
a as a servant or agent of the Crown, or
b as enjoying any status, immunity or privilege of the Crown.
2 The Commission’s property is not to be regarded—
a as property of the Crown, or
b as property held on behalf of the Crown.

2 Number of members

1 The number of members of the Commission is to be determined by the Secretary of State.
2 That number must not be—
a less than 3, or
b more than 14.
3 The Secretary of State may by regulations substitute a different number for the number for the time being specified in sub-paragraph (2)(b).
4 Regulations under this paragraph are subject to the negative resolution procedure.

3 Membership: general

1 The Commission is to consist of—
a the non-executive members, and
b the executive members.
2 The non-executive members are—
a a chair appointed by His Majesty by Letters Patent on the recommendation of the Secretary of State, and
b such other members as the Secretary of State may appoint.
3 The executive members are—
a a chief executive appointed by the non-executive members or in accordance with paragraph 25, and
b such other members, if any, as the non-executive members may appoint.
4 The Secretary of State must consult the chair of the Commission before appointing a non-executive member.
5 The non-executive members must consult the Secretary of State before appointing the chief executive.
6 The non-executive members must consult the chief executive about whether there should be any executive members within sub-paragraph (3)(b) and, if so, how many there should be.
7 The Secretary of State may by direction set a maximum and a minimum number of executive members.
8 The Commission may appoint one of the non-executive members as a deputy to the chair.

4 Membership: non-executive members to outnumber executive members

The Secretary of State must exercise the powers conferred on the Secretary of State by paragraphs 2 and 3 so as to secure that the number of non-executive members of the Commission is, so far as practicable, at all times greater than the number of executive members.

5 Membership: selection on merit etc

1 The Secretary of State may not recommend a person for appointment as the chair of the Commission unless the person has been selected on merit on the basis of fair and open competition.
2 A person may not be appointed as a member of the Commission unless the person has been selected on merit on the basis of fair and open competition.

6 Membership: conflicts of interests

1 Before—
a recommending a person for appointment as the chair of the Commission, or
b appointing a person as a non-executive member of the Commission,
the Secretary of State must be satisfied that the person does not have a conflict of interest.
2 The Secretary of State must check from time to time that none of the non-executive members has a conflict of interest.
3 The Secretary of State may require a non-executive member to provide whatever information the Secretary of State considers necessary for the purpose of checking that the member does not have a conflict of interest.
4 A non-executive member who is required to provide information under sub-paragraph (3) must provide it within such period as may be specified by the Secretary of State.
5 In this Schedule, “conflict of interest”, in relation to a person, means a financial or other interest which is likely to affect prejudicially the discharge by the person of the person’s functions as a member of the Commission.

7 Tenure of the chair

1 The chair of the Commission holds and vacates office in accordance with the terms of the chair’s appointment, subject to the provisions of this paragraph.
2 The chair must be appointed for a term of not more than 7 years.
3 On the recommendation of the Secretary of State, His Majesty may by Letters Patent extend the term of the chair’s appointment but not so the term as extended is more than 7 years.
4 A person cannot be appointed as the chair more than once.
5 The chair may be relieved from office by His Majesty at the chair’s own request.
6 The chair may be removed from office by His Majesty on an Address from both Houses of Parliament.
7 No motion is to be made in either House of Parliament for such an Address unless the Secretary of State has presented a report to that House stating that the Secretary of State is satisfied that—
a the chair is guilty of serious misconduct,
b the chair has a conflict of interest (see paragraph 6(5)),
c the chair has failed to comply with paragraph 6(4), or
d the chair is unable, unfit or unwilling to carry out the chair’s functions.

8 Tenure of deputy chair

1 A deputy chair of the Commission may resign that office by giving written notice to the Commission.
2 A deputy chair of the Commission ceases to hold that office on ceasing to be a non-executive member of the Commission.
3 A deputy chair of the Commission may be removed from that office by the Commission.

9 Tenure of the other non-executive members

1 This paragraph applies to a non-executive member of the Commission appointed by the Secretary of State.
2 The member holds and vacates office in accordance with the terms of their appointment, subject to the provisions of this paragraph.
3 The member must be appointed for a term of not more than 7 years.
4 The Secretary of State may extend the term of the member’s appointment but not so that the term as extended is more than 7 years.
5 The Secretary of State may not appoint the member as a non-executive member of the Commission on a subsequent occasion.
6 The member may resign from office by giving written notice to the Secretary of State and the Commission.
7 The Secretary of State may remove the member from office by written notice if satisfied that—
a the member is guilty of serious misconduct,
b the member has a conflict of interest (see paragraph 6(5)),
c the member has failed to comply with paragraph 6(4), or
d the member is unable, unfit or unwilling to carry out the member’s functions.
8 At the time of removing the member from office the Secretary of State must make public the decision to do so.
9 The Secretary of State must—
a give the member a statement of reasons for the removal, and
b if asked to do so by the member, publish the statement.

10 Remuneration and pensions of non-executive members

1 The Commission may pay to the non-executive members of the Commission such remuneration and allowances as the Secretary of State may determine.
2 The Commission may pay, or make provision for paying, to or in respect of the non-executive members of the Commission, such sums by way of pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the Secretary of State may determine.
3 The Commission may make a payment to a person of such amount as the Secretary of State may determine where—
a the person ceases to be a non-executive member of the Commission otherwise than on the expiry of the person’s term of office, and
b it appears to the Secretary of State that there are special circumstances which make it appropriate for the person to receive compensation.

11 Executive members: terms and conditions

1 The executive members of the Commission are to be employees of the Commission.
2 The executive members are to be employed by the Commission on such terms and conditions, including those as to remuneration, as the non-executive members of the Commission may determine.
3 The Commission must—
a pay to or in respect of the executive members of the Commission such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the non-executive members of the Commission may determine, and
b provide and maintain for them such pension schemes (whether contributory or not) as the non-executive members of the Commission may determine.

12 Other staff: appointment, terms and conditions

1 The Commission may—
a appoint other employees, and
b make such other arrangements for the staffing of the Commission as it considers appropriate.
2 In appointing an employee, the Commission must have regard to the principle of selection on merit on the basis of fair and open competition.
3 Employees appointed by the Commission are to be appointed on such terms and conditions, including those as to remuneration, as the Commission may determine.
4 The Commission may—
a pay to or in respect of those employees such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of employment) as the Commission may determine, and
b provide and maintain for them such pension schemes (whether contributory or not) as the Commission may determine.

13 Committees

1 The Commission may establish committees.
2 A committee of the Commission may consist of or include persons who are neither members nor employees of the Commission.
3 But a committee of the Commission to which functions are delegated under paragraph 14(1)(c) must include at least one person who is either a member or an employee of the Commission.
4 Where a person who is neither a member nor an employee of the Commission is a member of a committee of the Commission, the Commission may pay to that person such remuneration and expenses as it may determine.

14 Delegation of functions

1 The Commission may delegate any of its functions to—
a a member of the Commission,
b an employee of the Commission, or
c a committee of the Commission.
2 A function is delegated under sub-paragraph (1) to the extent and on the terms that the Commission determines.
3 A committee of the Commission may delegate any function delegated to it to a member of the committee.
4 A function is delegated under sub-paragraph (3) to the extent and on the terms that the committee determines.
5 The power of a committee of the Commission to delegate a function, and to determine the extent and terms of the delegation, is subject to the Commission’s power to direct what a committee established by it may and may not do.
6 The delegation of a function by the Commission or a committee of the Commission under this paragraph does not prevent the Commission or the committee from exercising that function.

15 Advice from committees

The Commission may require a committee of the Commission to give the Commission advice about matters relating to the discharge of the Commission’s functions.

16 Proceedings

1 The Commission may make arrangements for regulating—
a its own procedure, and
b the procedure of a committee of the Commission.
2 The non-executive members of the Commission may by majority make arrangements for regulating the procedure for the carrying out of the separate functions which are conferred on them under this Schedule.
3 Arrangements under this paragraph may include arrangements as to quorum and the making of decisions by a majority.
4 The Commission must publish arrangements which it makes under this paragraph.
5 This paragraph is subject to paragraph 18.

17 Records of proceedings

The Commission must make arrangements for the keeping of proper records of—
a its proceedings,
b the proceedings of a committee of the Commission,
c the proceedings at a meeting of the non-executive members of the Commission,
d anything done by a member or employee of the Commission under paragraph 14(1), and
e anything done by a member of a committee of the Commission under paragraph 14(3).

18 Disqualification for acting in relation to certain matters

1 This paragraph applies if—
a a member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the Commission,
b a non-executive member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the non-executive members, or
c a member of a committee of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the committee.
2 The member with the interest must declare it.
3 The declaration must be recorded in the minutes of the meeting.
4 The member with the interest may not take part in a discussion or decision at the meeting relating to the matter, unless—
a in the case of a meeting of the Commission, the other members of the Commission who are present have resolved unanimously that the interest is to be disregarded,
b in the case of a meeting of the non-executive members, the other non-executive members who are present have resolved unanimously that the interest is to be disregarded, or
c in the case of a meeting of a committee, the other members of the committee who are present have, in the manner authorised by the Commission, resolved that the interest is to be disregarded.
5 In giving authorisation for the purposes of sub-paragraph (4)(c), the Commission must secure that a resolution for those purposes does not allow a member to take part in a discussion or decision at a meeting of a committee to which functions are delegated under paragraph 14(1)(c) unless the number of other members of the committee in favour of the resolution—
a is not less than two thirds of those who are both present and entitled to vote on the resolution, and
b is not less than its quorum.
6 For the purposes of this paragraph, a notification given at or sent to a meeting of the Commission that a person—
a is a member of a company or firm, and
b is to be regarded as interested in any matter involving that company or firm,
is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the Commission, of the non-executive members or of a committee.
7 For the purposes of this paragraph, a notification given at or sent to a meeting of the non-executive members of the Commission or of a committee of the Commission that—
a a person is a member of a company or firm, and
b is to be regarded as interested in any matter involving that company or firm,
is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the non-executive members or (as the case may be) of the committee.
8 A notification described in sub-paragraph (6) or (7) remains in force until it is withdrawn.
9 A person required to make a declaration for the purposes of this paragraph in relation to any meeting—
a is not required to attend the meeting, but
b is to be taken to have complied with the requirements of this paragraph if the person takes reasonable steps to secure that notice of the person’s interest is read out, and taken into consideration, at the meeting in question.

19 Validity of proceedings

1 The validity of proceedings of the Commission, of the non-executive members of the Commission or of a committee of the Commission is not affected by—
a a vacancy in the membership of the Commission or of the committee,
b a defect in the appointment of a member of the Commission,
c a failure of the Secretary of State to comply with the requirements of paragraph 4, or
d a failure to comply with arrangements under paragraph 16 or with a requirement under paragraph 18.
2 Nothing in sub-paragraph (1)(d) validates proceedings of a meeting which is inquorate unless it is inquorate by reason only of a matter within sub-paragraph (1)(b) or (c).

20 Money

The Secretary of State may make payments to the Commission.

21 Fees etc and other sums

1 All fees, charges, penalties and other sums received by the Commission in carrying out its functions are to be paid to the Secretary of State.
2 Sub-paragraph (1) does not apply where the Secretary of State otherwise directs.
3 Any sums received by the Secretary of State under this paragraph are to be paid into the Consolidated Fund.

22 Accounts

1 The Commission must keep proper accounts and proper records in relation to them.
2 The Commission must prepare a statement of accounts in respect of each financial year in the form specified by the Secretary of State.
3 The Commission must send a copy of each statement of accounts to the Secretary of State and the Comptroller and Auditor General before the end of August next following the financial year to which the statement relates.
4 The Comptroller and Auditor General must—
a examine, certify and report on the statement of accounts, and
b send a copy of the certified statement and the report to the Secretary of State.
5 The Secretary of State must lay before Parliament each document received under sub-paragraph (4)(b).
6 In this paragraph “financial year” means—
a the period beginning with the date on which the Commission is established and ending with the 31 March following that date, and
b each successive period of 12 months.

23 Authentication of seal and presumption of authenticity of documents

1 The application of the Commission’s seal must be authenticated by the signature of—
a the chair of the Commission, or
b another person authorised for that purpose by the Commission.
2 A document purporting to be duly executed under the Commission’s seal or signed on its behalf—
a is to be received in evidence, and
b is to be taken to be executed or signed in that way, unless the contrary is shown.
3 This paragraph does not extend to Scotland.

24 Supplementary powers

The Commission may do anything it thinks appropriate for the purposes of, or in connection with, its functions.

25 Transitional provision: interim chief executive

1 The first chief executive of the Commission is to be appointed by the chair of the Commission.
2 Before making the appointment the chair must consult the Secretary of State.
3 The appointment must be for a term of not more than 2 years.
4 The chair may extend the term of the appointment but not so the term as extended is more than 2 years.
5 For the term of appointment, the person appointed under sub-paragraph (1) is “the interim chief executive”.
6 Until the expiry of the term of appointment, the powers conferred on the non-executive members by paragraph 11(2) and (3) are exercisable in respect of the interim chief executive by the chair (instead of by the non-executive members).
7 In sub-paragraphs (5) and (6), the references to the term of appointment are to the term of appointment described in sub-paragraph (3), including any extension of the term under sub-paragraph (4).

26 Interpretation

In this Schedule—
a references to pensions, allowances or gratuities include references to any similar benefits provided on death or retirement, and
b references to the payment of pensions, allowances or gratuities to or in respect of a person include references to the making of payments towards the provision of pensions, allowances or gratuities to be paid to or in respect of a person.

SCHEDULE 13 

Other general functions of the Commissioner

Section 116

General tasks

I9651
1 The Commissioner must—
a monitor and enforce Parts 3 and 4 of this Act;
b promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing of personal data to which those Parts apply;
c advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to processing of personal data to which those Parts apply;
d promote the awareness of controllers and processors of their obligations under Parts 3 and 4 of this Act;
e on request, provide information to a data subject concerning the exercise of the data subject's rights under Parts 3 and 4 of this Act and, if appropriate, co-operate with F727... foreign designated authorities to provide such information;
f co-operate with F260... foreign designated authorities with a view to ensuring the consistency of application and enforcement of F260... the Data Protection Convention, including by sharing information and providing mutual assistance;
g conduct investigations on the application of Parts 3 and 4 of this Act, including on the basis of information received from F163... a foreign designated authority or another public authority;
h monitor relevant developments to the extent that they have an impact on the protection of personal data, including the development of information and communication technologies;
F726i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 Section 3(14)(c) does not apply to the reference to personal data in sub-paragraph (1)(h).

General powers

I1192The Commissioner has the following investigative, corrective, authorisation and advisory powers in relation to processing of personal data to which Part 3 or 4 of this Act applies—
a to notify the controller or the processor of an alleged infringement of Part 3 or 4 of this Act;
b to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of Part 3 or 4 of this Act;
c to issue reprimands to a controller or processor where processing operations have infringed provisions of Part 3 or 4 of this Act;
d to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.

Definitions

I7763In this Schedule—
  • foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Convention;
  • F515...

SCHEDULE 14 

Co-operation and mutual assistance

Section 118

F664PART 1 Law Enforcement Directive

F664Co-operation

F6641. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F664Requests for information and assistance from LED supervisory authorities

F6642. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F664Fees

F6643. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F664Restrictions on use of information

F6644. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F664LED supervisory authority

F6645. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

PART 2 Data Protection Convention

Co-operation between the Commissioner and foreign designated authorities

I4126
1 The Commissioner must, at the request of a foreign designated authority—
a provide that authority with such information referred to in Article 13(3)(a) of the Data Protection Convention (information on law and administrative practice in the field of data protection) as is the subject of the request, and
b take appropriate measures in accordance with Article 13(3)(b) of the Data Protection Convention for providing that authority with information relating to the processing of personal data in the United Kingdom.
2 The Commissioner may ask a foreign designated authority—
a to provide the Commissioner with information referred to in Article 13(3) of the Data Protection Convention, or
b to take appropriate measures to provide such information.

Assisting persons resident outside the UK with requests under Article 14 of the Convention

I3647
1 This paragraph applies where a request for assistance in exercising any of the rights referred to in Article 8 of the Data Protection Convention in the United Kingdom is made by a person resident outside the United Kingdom, including where the request is forwarded to the Commissioner through the Secretary of State or a foreign designated authority.
2 The Commissioner must take appropriate measures to assist the person to exercise those rights.

Assisting UK residents with requests under Article 8 of the Convention

I3878
1 This paragraph applies where a request for assistance in exercising any of the rights referred to in Article 8 of the Data Protection Convention in a country or territory (other than the United Kingdom) specified in the request is—
a made by a person resident in the United Kingdom, and
b submitted through the Commissioner under Article 14(2) of the Convention.
2 If the Commissioner is satisfied that the request contains all necessary particulars referred to in Article 14(3) of the Data Protection Convention, the Commissioner must send the request to the foreign designated authority in the specified country or territory.
3 Otherwise, the Commissioner must, where practicable, notify the person making the request of the reasons why the Commissioner is not required to assist.

Restrictions on use of information

I429Where the Commissioner receives information from a foreign designated authority as a result of—
a a request made by the Commissioner under paragraph 6(2), or
b a request received by the Commissioner under paragraph 6(1) or 7,
the Commissioner may use the information only for the purposes specified in the request.

Foreign designated authority

I62610In this Part of this Schedule, “foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Data Protection Convention.

C6SCHEDULE 15 

Powers of entry and inspection

Section 154

Issue of warrants in connection with non-compliance and offences

I707C61
1 This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that—
a there are reasonable grounds for suspecting that—
i a controller or processor has failed or is failing as described in section 149(2), or
ii an offence under this Act has been or is being committed, and
b there are reasonable grounds for suspecting that evidence of the failure or of the commission of the offence is to be found on premises specified in the information or is capable of being viewed using equipment on such premises.
2 The judge may grant a warrant to the Commissioner.

Issue of warrants in connection with assessment notices

I157C62
1 This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that a controller or processor has failed to comply with a requirement imposed by an assessment notice.
2 The judge may, for the purpose of enabling the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation, grant a warrant to the Commissioner in relation to premises that were specified in the assessment notice.

Restrictions on issuing warrants: processing for the special purposes

I470C63A judge must not issue a warrant under this Schedule in respect of personal data processed for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.

Restrictions on issuing warrants: procedural requirements

I717C64
1 A judge must not issue a warrant under this Schedule unless satisfied that—
a the conditions in sub-paragraphs (2) to (4) are met,
b compliance with those conditions would defeat the object of entry to the premises in question, or
c the Commissioner requires access to the premises in question urgently.
2 The first condition is that the Commissioner has given 7 days' notice in writing to the occupier of the premises in question demanding access to the premises.
3 The second condition is that—
a access to the premises was demanded at a reasonable hour and was unreasonably refused, or
b entry to the premises was granted but the occupier unreasonably refused to comply with a request by the Commissioner or the Commissioner's officers or staff to be allowed to do any of the things referred to in paragraph 5.
4 The third condition is that, since the refusal, the occupier of the premises—
a has been notified by the Commissioner of the application for the warrant, and
b has had an opportunity to be heard by the judge on the question of whether or not the warrant should be issued.
5 In determining whether the first condition is met, an assessment notice given to the occupier is to be disregarded.

Content of warrants

I307C65
1 A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff—
a to enter the premises,
b to search the premises, and
c to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data.
2 A warrant issued under paragraph 1 must authorise the Commissioner or any of the Commissioner's officers or staff—
a to inspect and seize any documents or other material found on the premises which may be evidence of the failure or offence mentioned in that paragraph,
b to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may be evidence of that failure or offence,
c to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and
d to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has failed or is failing as described in section 149(2).
3 A warrant issued under paragraph 2 must authorise the Commissioner or any of the Commissioner's officers or staff—
a to inspect and seize any documents or other material found on the premises which may enable the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation,
b to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may enable the Commissioner to make such a determination,
c to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and
d to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has complied or is complying with the data protection legislation.
4 A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff to do the things described in sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the day on which the warrant is issued.
5 For the purposes of this paragraph, a copy of information is in an “appropriate form” if —
a it can be taken away, and
b it is visible and legible or it can readily be made visible and legible.

Copies of warrants

I130C66A judge who issues a warrant under this Schedule must—
a issue two copies of it, and
b certify them clearly as copies.

Execution of warrants: reasonable force

I350C67A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary.

Execution of warrants: time when executed

I601C68A warrant issued under this Schedule may be executed only at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that exercising it at a reasonable hour would defeat the object of the warrant.

Execution of warrants: occupier of premises

I250C69
1 If an occupier of the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, the person executing the warrant must—
a show the occupier the warrant, and
b give the occupier a copy of it.
2 Otherwise, a copy of the warrant must be left in a prominent place on the premises.

Execution of warrants: seizure of documents etc

I425C610
1 This paragraph applies where a person executing a warrant under this Schedule seizes something.
2 The person must, on request—
a give a receipt for it, and
b give an occupier of the premises a copy of it.
3 Sub-paragraph (2)(b) does not apply if the person executing the warrant considers that providing a copy would result in undue delay.
4 Anything seized may be retained for so long as is necessary in all the circumstances.

Matters exempt from inspection and seizure: privileged communications

I171C611
1 The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—
a between a professional legal adviser and the adviser's client, and
b in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
2 The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—
a between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
b in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
c for the purposes of such proceedings.
3 Sub-paragraphs (1) and (2) do not prevent the exercise of powers conferred by a warrant issued under this Schedule in respect of—
a anything in the possession of a person other than the professional legal adviser or the adviser's client, or
b anything held with the intention of furthering a criminal purpose.
4 The references to a communication in sub-paragraphs (1) and (2) include—
a a copy or other record of the communication, and
b anything enclosed with or referred to in the communication if made as described in sub-paragraph (1)(b) or in sub-paragraph (2)(b) and (c).
5 In sub-paragraphs (1) to (3), the references to the client of a professional legal adviser include a person acting on behalf of such a client.

Matters exempt from inspection and seizure: Parliamentary privilege

I355C612The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable where their exercise would involve an infringement of the privileges of either House of Parliament.

Partially exempt material

I571C613
1 This paragraph applies if a person in occupation of premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure of any material under the warrant on the grounds that it consists partly of matters in respect of which those powers are not exercisable.
2 The person must, if the person executing the warrant so requests, provide that person with a copy of so much of the material as is not exempt from those powers.

Return of warrants

I328C614
1 Where a warrant issued under this Schedule is executed—
a it must be returned to the court from which it was issued after being executed, and
b the person by whom it is executed must write on the warrant a statement of the powers that have been exercised under the warrant.
2 Where a warrant issued under this Schedule is not executed, it must be returned to the court from which it was issued within the time authorised for its execution.

Offences

I639C615
1 It is an offence for a person—
a intentionally to obstruct a person in the execution of a warrant issued under this Schedule, or
b to fail without reasonable excuse to give a person executing such a warrant such assistance as the person may reasonably require for the execution of the warrant.
2 It is an offence for a person—
a to make a statement in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) which the person knows to be false in a material respect, or
b recklessly to make a statement in response to such a requirement which is false in a material respect.

Self-incrimination

I277C616
1 An explanation given, or information provided, by a person in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) may only be used in evidence against that person—
a on a prosecution for an offence under a provision listed in sub-paragraph (2), or
b on a prosecution for any other offence where—
i in giving evidence that person makes a statement inconsistent with that explanation or information, and
ii evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person's behalf.
2 Those provisions are—
a paragraph 15,
b section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
c section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
d Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

Vessels, vehicles etc

I719C617In this Schedule—
a premises” includes a vehicle, vessel or other means of transport, and
b references to the occupier of premises include the person in charge of a vehicle, vessel or other means of transport.

Scotland

I511C618In the application of this Schedule to Scotland—
a references to a judge of the High Court have effect as if they were references to a judge of the Court of Session,
b references to a circuit judge have effect as if they were references to the sheriff or the summary sheriff,
c references to information on oath have effect as if they were references to evidence on oath, and
d references to the court from which the warrant was issued have effect as if they were references to the sheriff clerk.

Northern Ireland

I588C619In the application of this Schedule to Northern Ireland—
a references to a circuit judge have effect as if they were references to a county court judge, and
b references to information on oath have effect as if they were references to a complaint on oath.

C2SCHEDULE 16 

Penalties

Section 155

Meaning of “penalty”

I452C21In this Schedule, “penalty” means a penalty imposed by a penalty notice.

Notice of intent to impose penalty

I526C22
1 Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice.
F6262 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F6263 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Contents of notice of intent

I133C23
1 A notice of intent must contain the following information—
a the name and address of the person to whom the Commissioner proposes to give a penalty notice;
b the reasons why the Commissioner proposes to give a penalty notice (see sub-paragraph (2));
c an indication of the amount of the penalty the Commissioner proposes to impose, including any aggravating or mitigating factors that the Commissioner proposes to take into account.
2 The information required under sub-paragraph (1)(b) includes—
a a description of the circumstances of the failure, and
b where the notice is given in respect of a failure described in section 149(2), the nature of the personal data involved in the failure.
3 A notice of intent must also—
a state that the person may make written representations about the Commissioner's intention to give a penalty notice, and
b specify the period within which such representations may be made.
4 The period specified for making written representations must be a period of not less than 21 days beginning when the notice of intent is given.
5 If the Commissioner considers that it is appropriate for the person to have an opportunity to make oral representations about the Commissioner's intention to give a penalty notice, the notice of intent must also—
a state that the person may make such representations, and
b specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

Giving a penalty notice

I60C24
A1 This paragraph applies where the Commissioner gives a notice of intent to a person.
A2 Within the period of 6 months beginning when the notice is given, or as soon as reasonably practicable thereafter, the Commission must give to the person—
a a penalty notice, or
b written notice that the Commissioner has decided not to give a penalty notice to the person.
1 But the Commissioner may not give a penalty notice to the person before a time, or before the end of a period, specified in the notice of intent for making oral or written representations.
2 When deciding whether to give a penalty notice to the person and determining the amount of the penalty, the Commissioner must consider any oral or written representations made by the person in accordance with the notice of intent.

Contents of penalty notice

I736C25
1 A penalty notice must contain the following information—
a the name and address of the person to whom it is addressed;
b details of the notice of intent given to the person;
c whether the Commissioner received oral or written representations in accordance with the notice of intent;
d the reasons why the Commissioner proposes to impose the penalty (see sub-paragraph (2));
e the reasons for the amount of the penalty, including any aggravating or mitigating factors that the Commissioner has taken into account;
f details of how the penalty is to be paid;
g details of the rights of appeal under section 162;
h details of the Commissioner's enforcement powers under this Schedule.
2 The information required under sub-paragraph (1)(d) includes—
a a description of the circumstances of the failure, and
b where the notice is given in respect of a failure described in section 149(2), the nature of the personal data involved in the failure.

Period for payment of penalty

I313C26
1 A penalty must be paid to the Commissioner within the period specified in the penalty notice.
2 The period specified must be a period of not less than 28 days beginning when the penalty notice is given.

Variation of penalty

I551C27
1 The Commissioner may vary a penalty notice by giving written notice (a “penalty variation notice”) to the person to whom it was given.
2 A penalty variation notice must specify—
a the penalty notice concerned, and
b how it is varied.
3 A penalty variation notice may not—
a reduce the period for payment of the penalty;
b increase the amount of the penalty;
c otherwise vary the penalty notice to the detriment of the person to whom it was given.
4 If—
a a penalty variation notice reduces the amount of the penalty, and
b when that notice is given, an amount has already been paid that exceeds the amount of the reduced penalty,
the Commissioner must repay the excess.

Cancellation of penalty

I738C28
1 The Commissioner may cancel a penalty notice by giving written notice to the person to whom it was given.
2 If a penalty notice is cancelled, the Commissioner—
a may not take any further action under section 155 or this Schedule in relation to the failure to which that notice relates, and
b must repay any amount that has been paid in accordance with that notice.

Enforcement of payment

I414C29
1 The Commissioner must not take action to recover a penalty unless—
a the period specified in accordance with paragraph 6 has ended,
b any appeals against the penalty notice have been decided or otherwise ended,
c if the penalty notice has been varied, any appeals against the penalty variation notice have been decided or otherwise ended, and
d the period for the person to whom the penalty notice was given to appeal against the penalty, and any variation of it, has ended.
2 In England and Wales, a penalty is recoverable—
a if the county court so orders, as if it were payable under an order of that court;
b if the High Court so orders, as if it were payable under an order of that court.
3 In Scotland, a penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
4 In Northern Ireland, a penalty is recoverable—
a if a county court so orders, as if it were payable under an order of that court;
b if the High Court so orders, as if it were payable under an order of that court.

SCHEDULE 17 

Review of processing of personal data for the purposes of journalism

Section 178

Interpretation

I8271In this Schedule—
  • relevant period” means—
    1. the period of 18 months beginning when the Commissioner starts the first review under section 178, and
    2. the period of 12 months beginning when the Commissioner starts a subsequent review under that section;
  • the relevant review”, in relation to a relevant period, means the review under section 178 which the Commissioner must produce a report about by the end of that period.

Information notices

I8492
1 This paragraph applies where the Commissioner gives an information notice during a relevant period.
2 If the information notice—
a states that, in the Commissioner's opinion, the information is required for the purposes of the relevant review, and
b gives the Commissioner's reasons for reaching that opinion,
subsections (5) and (6) of section 142 do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.

Assessment notices

I9123
1 Sub-paragraph (2) applies where the Commissioner gives an assessment notice to a person during a relevant period.
2 If the assessment notice—
a states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice for the purposes of the relevant review, and
b gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) of section 146 do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.
3 During a relevant period, section 147 has effect as if for subsection (5) there were substituted—

Interview notices

3A
1 Sub-paragraph (2) applies where the Commissioner gives an interview notice to an individual during a relevant period.
2 If the interview notice—
a states that, in the Commissioner’s opinion, it is necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and
b gives the Commissioner’s reasons for reaching that opinion,
subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given.
3 During a relevant period, section 148B has effect as if for subsection (8) there were substituted—

Applications in respect of urgent notices

I8284Section 164 applies where an information notice , assessment notice or interview notice contains a statement under paragraph 2(2)(a) , 3(2)(a) or 3A(2)(a) as it applies where such a notice contains a statement under section 142(7)(a) , 146(8)(a) or 148A(8)(a).

SCHEDULE 18 

Relevant records

Section 184

Relevant records

I9471
1 In section 184, “relevant record” means—
a a relevant health record (see paragraph 2),
b a relevant record relating to a conviction or caution (see paragraph 3), or
c a relevant record relating to statutory functions (see paragraph 4).
2 A record is not a “relevant record” to the extent that it relates, or is to relate, only to personal data which falls within Article 2(1A) of the UK GDPR (manual unstructured personal data held by FOI public authorities).

Relevant health records

I3852Relevant health record” means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.

Relevant records relating to a conviction or caution

I8793
1 Relevant record relating to a conviction or caution” means a record which—
a has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and
b contains information relating to a conviction or caution.
2 Those persons are—
a the chief constable of a police force maintained under section 2 of the Police Act 1996;
b the Commissioner of Police of the Metropolis;
c the Commissioner of Police for the City of London;
d the Chief Constable of the Police Service of Northern Ireland;
e the chief constable of the Police Service of Scotland;
f the Director General of the National Crime Agency;
fa the Independent Commission for Reconciliation and Information Recovery;
g the Secretary of State.
3 In this paragraph—
  • caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
  • conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27)).

Relevant records relating to statutory functions

I9024
1 Relevant record relating to statutory functions” means a record which—
a has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and
b contains information relating to a relevant function in relation to that person.
2 Those persons are—
a the Secretary of State;
b the Department for Communities in Northern Ireland;
c the Department of Justice in Northern Ireland;
d the Scottish Ministers;
e the Disclosure and Barring Service;
f the independent reviewer appointed under section 12 of the Age of Criminal Responsibility (Scotland) Act 2019.
3 In relation to the Secretary of State, the “relevant functions” are—
a the Secretary of State's functions in relation to a person sentenced to detention under—
i section 92 of the Powers of Criminal Courts (Sentencing) Act 2000,
ia section 260 of the Sentencing Code,
ii section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995, or
iii Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));
b the Secretary of State's functions in relation to a person imprisoned or detained under—
i the Prison Act 1952,
ii the Prisons (Scotland) Act 1989, or
iii the Prison Act (Northern Ireland) 1953 (c. 18 (N.I.));
c the Secretary of State's functions under—
i the Social Security Contributions and Benefits Act 1992,
ii the Social Security Administration Act 1992,
iii the Jobseekers Act 1995,
iv Part 5 of the Police Act 1997,
v Part 1 of the Welfare Reform Act 2007, or
vi Part 1 of the Welfare Reform Act 2012.
4 In relation to the Department for Communities in Northern Ireland, the “relevant functions” are its functions under—
a the Social Security Contributions and Benefits (Northern Ireland) Act 1992,
b the Social Security Administration (Northern Ireland) Act 1992,
c the Jobseekers (Northern Ireland) Order 1995 (S.I. 1995/2705 (N.I. 15)), or
d Part 1 of the Welfare Reform Act (Northern Ireland) 2007 (c. 2 (N.I.)).
5 In relation to the Department of Justice in Northern Ireland, the “relevant functions” are its functions under Part 5 of the Police Act 1997.
6 In relation to the Scottish Ministers, the “relevant functions” are their functions under
a Part 1 of the Disclosure (Scotland) Act 2020, or
b Parts 1 and 2 of the Protection of Vulnerable Groups (Scotland) Act 2007 (asp 14).
7 In relation to the Disclosure and Barring Service, the “relevant functions” are its functions under—
a Part 5 of the Police Act 1997,
b the Safeguarding Vulnerable Groups Act 2006, or
c the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (S.I. 2007/1351 (N.I. 11)).
8 In relation to the independent reviewer mentioned in sub-paragraph (2)(f), the “relevant functions” are the reviewer’s functions under Part 2 of the Age of Criminal Responsibility (Scotland) Act 2019.

Data subject access right

I9175In this Schedule, “data subject access right” means a right under—
a Article 15 of the UK GDPR (right of access by the data subject);
b Article 20 of the UK GDPR (right to data portability);
c section 45 of this Act (law enforcement processing: right of access by the data subject);
d section 94 of this Act (intelligence services processing: right of access by the data subject).

Records stating that personal data is not processed

I2996For the purposes of this Schedule, a record which states that a controller is not processing personal data relating to a particular matter is to be taken to be a record containing information relating to that matter.

Power to amend

I267
1 The Secretary of State may by regulations amend this Schedule.
2 Regulations under this paragraph are subject to the affirmative resolution procedure.

SCHEDULE 19 

Minor and consequential amendments

Section 211

PART 1 Amendments of primary legislation

Registration Service Act 1953 (c. 37)

I2391
1 Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.
2 In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
3 In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

Veterinary Surgeons Act 1966 (c. 36)

I1242
1 Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.
2 In subsection (8)—
a omit “personal data protection legislation in the United Kingdom that implements”,
b for paragraph (a) substitute—
, and
c in paragraph (b), at the beginning insert “ legislation in the United Kingdom that implements ”.
3 In subsection (9), after “section” insert
.

Parliamentary Commissioner Act 1967 (c. 13)

I6823In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—
a in paragraph (a), for sub-paragraph (i) substitute—
, and
b for paragraph (b) substitute—

Local Government Act 1974 (c. 7)

I6114The Local Government Act 1974 is amended as follows.
I4585In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—
a in paragraph (a), for sub-paragraph (i) substitute—
, and
b for paragraph (b) substitute—
I1826In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—
a in paragraph (a), for sub-paragraph (i) substitute—
, and
b for paragraph (b) substitute—

Consumer Credit Act 1974 (c. 39)

I4607The Consumer Credit Act 1974 is amended as follows.
I4758In section 157(2A) (duty to disclose name etc of agency)—
a in paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
b in paragraph (b), after “any” insert “ other ”.
I5409In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “ Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) ”.
I17010In section 189(1) (definitions), at the appropriate place insert—
.

Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))

I13911The Pharmacy (Northern Ireland) Order 1976 is amended as follows.
I23512In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.
I58313In article 8D (European professional card), after paragraph (3) insert—
I48314In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—
.
I32415
1 Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.
2 In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
I73216
1 The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.
2 In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
I37217
1 Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.
2 In sub-paragraph (2)(a), after “provision” insert “ or the GDPR ”.
3 For sub-paragraph (3) substitute—
4 After sub-paragraph (4) insert—

Representation of the People Act 1983 (c. 2)

I31218
1 Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.
2 In paragraph 1A(5), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
3 In paragraph 8C(2), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
4 In paragraph 11A—
a in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “ to supply information ”, and
b omit sub-paragraph (2).

Medical Act 1983 (c. 54)

I6919The Medical Act 1983 is amended as follows.
I48020
1 Section 29E (evidence) is amended as follows.
2 In subsection (5), after “enactment” insert “ or the GDPR ”.
3 For subsection (7) substitute—
4 In subsection (9), at the end insert—
I26421
1 Section 35A (General Medical Council's power to require disclosure of information) is amended as follows.
2 In subsection (4), after “enactment” insert “ or the GDPR ”.
3 For subsection (5A) substitute—
4 In subsection (7), at the end insert—
I34922In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert
.
I70023In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.
I52124
1 Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.
2 In sub-paragraph (2)(a), after “enactment” insert “ or the GPDR ”.
3 After sub-paragraph (3) insert—
I46125
1 Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.
2 In sub-paragraph (8), after “enactment” insert “ or the GDPR ”.
3 For sub-paragraph (8A) substitute—
4 After sub-paragraph (13) insert—
I3726
1 The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.
2 In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Dentists Act 1984 (c. 24)

I20527The Dentists Act 1984 is amended as follows.
I43228
1 Section 33B (the General Dental Council's power to require disclosure of information: the dental profession) is amended as follows.
2 In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
3 For subsection (4) substitute—
4 After subsection (10) insert—
I45529In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—
.
I52930
1 Section 36Y (the General Dental Council's power to require disclosure of information: professions complementary to dentistry) is amended as follows.
2 In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
3 For subsection (4) substitute—
4 After subsection (10) insert—
I59031In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.
I4032
1 The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.
2 In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Companies Act 1985 (c. 6)

I13733In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

Access to Medical Reports Act 1988 (c. 28)

I16734In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—
.

Opticians Act 1989 (c. 44)

I62835
1 Section 13B of the Opticians Act 1989 (the Council's power to require disclosure of information) is amended as follows.
2 In subsection (3), after “enactment” insert “ or the GDPR ”.
3 For subsection (4) substitute—
4 After subsection (9) insert—

Access to Health Records Act 1990 (c. 23)

I28136The Access to Health Records Act 1990 is amended as follows.
I51737For section 2 substitute—
I8838
1 Section 3 (right of access to health records) is amended as follows.
2 In subsection (2), omit “Subject to subsection (4) below,”.
3 In subsection (4), omit from “other than the following” to the end.

Human Fertilisation and Embryology Act 1990 (c. 37)

I46339
1 Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.
2 In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (9), at the appropriate place insert—

Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)

I21640
1 Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.
2 In subsection (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (6) insert—

Tribunals and Inquiries Act 1992 (c. 53)

I65141In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “ section 114 of the Data Protection Act 2018 ”.

Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))

I7342
1 Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.
2 In paragraph (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After paragraph (6) insert—

Health Service Commissioners Act 1993 (c. 46)

I20843In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—
a in paragraph (a), for sub-paragraph (i) substitute—
, and
b for paragraph (b) substitute—

Data Protection Act 1998 (c. 29)

I5244The Data Protection Act 1998 is repealed, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments).

Crime and Disorder Act 1998 (c. 37)

I22245In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.

Food Standards Act 1999 (c. 28)

I17746
1 Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.
2 In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (8), after “section” insert
.

Immigration and Asylum Act 1999 (c. 33)

I50647
1 Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.
2 For subsection (4) substitute—
3 After subsection (4) insert—

Financial Services and Markets Act 2000 (c. 8)

I6548The Financial Services and Markets Act 2000 is amended as follows.
F46049. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
I55950In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I39251In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I56752In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I41653In section 417 (definitions), at the appropriate place insert—
.

Terrorism Act 2000 (c. 11)

I61954In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.

Freedom of Information Act 2000 (c. 36)

I7255The Freedom of Information Act 2000 is amended as follows.
I67156In section 2(3) (absolute exemptions), for paragraph (f) substitute—
.
I37157In section 18 (the Information Commissioner), omit subsection (1).
I61058
1 Section 40 (personal information) is amended as follows.
2 In subsection (2)—
a in paragraph (a), for “do” substitute “ does ”, and
b in paragraph (b), for “either the first or the second” substitute “ the first, second or third ”.
3 For subsection (3) substitute—
4 For subsection (4) substitute—
5 For subsection (5) substitute—
6 Omit subsection (6).
7 For subsection (7) substitute—
I9359Omit section 49 (reports to be laid before Parliament).
I27I29160For section 61 (appeal proceedings) substitute—
I25761In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I36562After section 76A insert—
I11663In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.
I54564In section 84 (interpretation), at the appropriate place insert—
.

Political Parties, Elections and Referendums Act 2000 (c. 41)

I41065
1 Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.
2 In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After sub-paragraph (5) insert—

Public Finance and Accountability (Scotland) Act 2000 (asp 1)

I19066The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.
I29467In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I57668In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I4569In section 29(1) (interpretation), at the appropriate place insert—
.

Criminal Justice and Police Act 2001 (c. 16)

I66170The Criminal Justice and Police Act 2001 is amended as follows.
I24371In section 57(1) (retention of seized items)—
a omit paragraph (m), and
b after paragraph (s) insert—
.
I54872In section 65(7) (meaning of “legal privilege”)—
a for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “ paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 ”, and
b for “paragraph 9” substitute “ paragraph 11 (matters exempt from inspection and seizure: privileged communications) ”.
I72073In Schedule 1 (powers of seizure)—
a omit paragraph 65, and
b after paragraph 73T insert—

Anti-terrorism, Crime and Security Act 2001 (c.24)

I75574The Anti-terrorism, Crime and Security Act 2001 is amended as follows.
I55575
1 Section 19 (disclosure of information held by revenue departments) is amended as follows.
2 In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 In subsection (9), after “section” insert
.
F16876. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))

I65677
1 Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.
2 In subsection (3), after “provision” insert “ or the GDPR ”.
3 For subsection (5) substitute—
4 After subsection (7) insert—

Justice (Northern Ireland) Act 2002 (c. 26)

I14778
1 Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.
2 In subsection (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (9) insert—

Proceeds of Crime Act 2002 (c. 29)

I58179The Proceeds of Crime Act 2002 is amended as follows.
I75680In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
I37981In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I29282In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I39883In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I62184In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I47785After section 442 insert—

Enterprise Act 2002 (c. 40)

I71486
1 Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.
2 In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (6) insert—

Scottish Public Services Ombudsman Act 2002 (asp 11)

I16887
1 In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.
2 In paragraph 1, for sub-paragraph (a) substitute—
.
3 For paragraph 2 substitute—

Freedom of Information (Scotland) Act 2002 (asp 13)

I5688The Freedom of Information (Scotland) Act 2002 is amended as follows.
I60889In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.
I34390
1 Section 38 (personal information) is amended as follows.
2 In subsection (1), for paragraph (b) substitute—
.
3 For subsection (2) substitute—
4 For subsection (3) substitute—
5 Omit subsection (4).
6 In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—
.
7 After that subsection insert—

Courts Act 2003 (c. 39)

I26391Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.
I59292
1 Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.
2 In sub-paragraph (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After sub-paragraph (5) insert—
I25393
1 Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.
2 In sub-paragraph (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In sub-paragraph (8), at the appropriate place insert—
.

Sexual Offences Act 2003 (c. 42)

I43094
1 Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.
2 In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 In subsection (8), at the appropriate place insert—
.

Criminal Justice Act 2003 (c. 44)

I8095The Criminal Justice Act 2003 is amended as follows.
I24496In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I12197In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—

Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)

I75098
1 Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research) is amended as follows.
2 In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”.
3 After subsection (9) insert—

Public Audit (Wales) Act 2004 (c. 23)

I63199
1 Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.
2 In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 In subsection (5), at the beginning insert
.

Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)

I472100The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.
I74101
1 Section 15A (disclosure of information by tax authorities) is amended as follows.
2 In subsection (2)—
a omit “within the meaning of the Data Protection Act 1998”, and
b for “that Act” substitute “ the data protection legislation ”.
3 After subsection (7) insert—
I223102
1 Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.
2 In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (7) insert—

Domestic Violence, Crime and Victims Act 2004 (c. 28)

I185103
1 Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.
2 In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (8) insert—

Children Act 2004 (c. 31)

I53104The Children Act 2004 is amended as follows.
I561105
1 Section 12 (information databases) is amended as follows.
2 In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (13) insert—
I148106
1 Section 29 (information databases: Wales) is amended as follows.
2 In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (14) insert—

Constitutional Reform Act 2005 (c. 4)

I381107
1 Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.
2 In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (9) insert—

Mental Capacity Act 2005 (c. 9)

I309108In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—
.

Public Services Ombudsman (Wales) Act 2005 (c. 10)

I589109
1 Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.
2 In subsection (4), for paragraph (a) substitute—
.
3 For subsection (5) substitute—

Commissioners for Revenue and Customs Act 2005 (c. 11)

I123110
1 Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.
2 The existing text becomes subsection (1).
3 In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
4 After that subsection insert—

Gambling Act 2005 (c. 19)

I118111
1 Section 352 of the Gambling Act 2005 (data protection) is amended as follows.
2 The existing text becomes subsection (1).
3 In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
4 After that subsection insert—

Commissioner for Older People (Wales) Act 2006 (c. 30)

I751112
1 Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.
2 In subsection (7), for paragraph (a) substitute—
.
3 For subsection (8) substitute—

National Health Service Act 2006 (c. 41)

I572113The National Health Service Act 2006 is amended as follows.
I267114
1 Section 251 (control of patient information) is amended as follows.
2 In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “ of the data protection legislation ”.
3 In subsection (13), at the appropriate place insert—
.
I672115
1 Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.
2 In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (3) insert—
I726116In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.

National Health Service (Wales) Act 2006 (c. 42)

I447117The National Health Service (Wales) Act 2006 is amended as follows.
I138118
1 Section 201C (provision of information about medical supplies: supplementary) is amended as follows.
2 In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (3) insert—
I234119In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.

Companies Act 2006 (c. 46)

I158120The Companies Act 2006 is amended as follows.
I142121In section 458(2) (disclosure of information by tax authorities)—
a for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “ within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act) ”, and
b for “that Act” substitute “ the data protection legislation ”.
I129122In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I183123In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
I352124In section 1173(1) (minor definitions: general), at the appropriate place insert—
.
I554125In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I305126In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I75127In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—
.
I320128In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—
.
I400129In Schedule 8 (index of defined expressions: general), at the appropriate place insert—
.

Tribunals, Courts and Enforcement Act 2007 (c. 15)

I699130The Tribunals, Courts and Enforcement Act 2007 is amended as follows.
I193131In section 11(5)(b) (right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
I443132In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.

Statistics and Registration Service Act 2007 (c. 18)

I384133The Statistics and Registration Service Act 2007 is amended as follows.
I107134
1 Section 45 (information held by HMRC) is amended as follows.
2 In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
3 In subsection (4B), for “the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
I117135
1 Section 45A (information held by other public authorities) is amended as follows.
2 In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
3 In subsection (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
4 In subsection (12)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
5 In subsection 12(c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
I687136
1 Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.
2 In paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In paragraph (c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
I635137
1 Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.
2 In paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In paragraph (d), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
I341138In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I39139
1 Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.
2 In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
3 In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
4 In subsection (17), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I58140
1 Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.
2 In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
3 In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
4 In subsection (12)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I153141
1 Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.
2 In the heading, omit “Data Protection Act 1998 and”.
3 Omit paragraph (a) (together with the final “or”).
I433142In section 67 (general interpretation: Part 1), at the appropriate place insert—
.

Serious Crime Act 2007 (c. 27)

I176143The Serious Crime Act 2007 is amended as follows.
I411144
1 Section 5A (verification and disclosure of information) is amended as follows.
2 In subsection (6)—
a for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
b for “are” substitute “ is ”.
3 After subsection (6) insert—
I498145
1 Section 68 (disclosure of information to prevent fraud) is amended as follows.
2 In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 In subsection (8), at the appropriate place insert—
I469146
1 Section 85 (disclosure of information by Revenue and Customs) is amended as follows.
2 In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 In subsection (9), at the appropriate place insert—

Adoption and Children (Scotland) Act 2007 (asp 4)

I520148In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—

Criminal Justice and Immigration Act 2008 (c. 4)

I140149The Criminal Justice and Immigration Act 2008 is amended as follows.
I450150Omit—
a section 77 (power to alter penalty for unlawfully obtaining etc personal data), and
b section 78 (new defence for obtaining etc for journalism and other special purposes).
I156151
1 Section 114 (supply of information to Secretary of State etc) is amended as follows.
2 In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (6) insert—

Regulatory Enforcement and Sanctions Act 2008 (c. 13)

I330152
1 Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.
2 In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (5) insert—

Health and Social Care Act 2008 (c. 14)

I653153In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act); ”.

Counter-Terrorism Act 2008 (c. 28)

I325154
1 Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows.
2 In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (4) insert—

Public Health etc. (Scotland) Act 2008 (asp 5)

I748155
1 Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.
2 In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (7) insert—

Banking Act 2009 (c. 1)

I497156
1 Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.
2 In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (11), after “section” insert
.

Borders, Citizenship and Immigration Act 2009 (c. 11)

I181157
1 Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.
2 In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (4) insert—

Marine and Coastal Access Act 2009 (c. 23)

I342158The Marine and Coastal Access Act 2009 is amended as follows.
I721159
1 Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.
2 In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After sub-paragraph (6) insert—
I675160
1 Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.
2 In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After sub-paragraph (6) insert—

Coroners and Justice Act 2009 (c. 25)

I640161In Schedule 21 to the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).

Broads Authority Act 2009 (c. i)

I236162
1 Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.
2 In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 In subsection (6), after “section” insert
.

Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))

I693163
1 Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.
2 In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (8) insert—

Terrorist Asset-Freezing etc. Act 2010 (c. 38)

I300164
1 Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.
2 In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (6), at the appropriate place insert—
.

Marine (Scotland) Act 2010 (asp 5)

I644165
1 Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.
2 In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After sub-paragraph (6) insert—

Charities Act 2011 (c. 25)

I388166
1 Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.
2 The existing text becomes subsection (1).
3 In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
4 After that subsection insert—

Welsh Language (Wales) Measure 2011 (nawm 1)

I429167The Welsh Language (Wales) Measure 2011 is amended as follows.
I690168
1 Section 22 (power to disclose information) is amended as follows.
2 In subsection (4)—
a in the English language text, for paragraph (a) substitute—
, and
b in the Welsh language text, for paragraph (a) substitute—
.
3 For subsection (5)—
a in the English language text substitute—
, and
b in the Welsh language text substitute—
4 In subsection (8)—
a in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
b in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
5 In subsection (9)—
a at the appropriate place in the English language text insert—
, and
b at the appropriate place in the Welsh language text insert—
.
I175169
1 Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.
2 In sub-paragraph (7)—
a in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
b in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
3 In sub-paragraph (8)—
a in the English language text, after “this paragraph” insert
, and
b in the Welsh language text, after “hwn” insert—
.

Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))

I591170
1 Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.
2 In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
3 After subsection (3) insert—

Health and Social Care Act 2012 (c. 7)

I502171The Health and Social Care Act 2012 is amended as follows.
I565172In section 250(7) (power to publish information standards), for the definition of “processing” substitute—
.
I749173
1 Section 251A (consistent identifiers) is amended as follows.
2 In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
3 After subsection (8) insert—
I479174
1 Section 251B (duty to share information) is amended as follows.
2 In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
3 After subsection (6) insert—

Protection of Freedoms Act 2012 (c. 9)

I354175The Protection of Freedoms Act 2012 is amended as follows.
I207176
1 Section 27 (exceptions and further provision about consent and notification) is amended as follows.
2 In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (5) insert—
I702177In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—
.
I336178In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—
.

HGV Road User Levy Act 2013 (c. 7)

I504179
1 Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.
2 In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (5) insert—

Crime and Courts Act 2013 (c. 22)

I96180The Crime and Courts Act 2013 is amended as follows.
I537181
1 Section 42 (other interpretive provisions) is amended as follows.
2 In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “ Article 82 of the GDPR or section 168 or 169 of the Data Protection Act 2018 (compensation for contravention of the data protection legislation) ”.
3 After subsection (5) insert—
I745182
1 Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 In that sub-paragraph, in paragraph (a)—
a for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
b for “are” substitute “ is ”.
4 After that sub-paragraph, insert—

Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))

I665183
1 Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.
2 In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After sub-paragraph (6) insert—

Local Audit and Accountability Act 2014 (c. 2)

I240184
1 Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.
2 In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After sub-paragraph (3) insert—
4 In sub-paragraph (4), for “comprise or include” substitute “ comprises or includes ”.

Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)

I605185
1 Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.
2 In sub-paragraph (4)—
a for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
b for “are” substitute “ is ”.
3 After sub-paragraph (5) insert—

Immigration Act 2014 (c. 22)

I391186
1 Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 In that sub-paragraph, in paragraph (a)—
a for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
b for “are” substitute “ is ”.
4 After that sub-paragraph insert—

Care Act 2014 (c. 23)

I602187In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—
.

Social Services and Well-being (Wales) Act 2014 (anaw 4)

I650188In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—
a in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”, and
b in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “ personal data ” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno))”.

Counter-Terrorism and Security Act 2015 (c. 6)

I404189
1 Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.
2 In subsection (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (4) insert—

Small Business, Enterprise and Employment Act 2015 (c. 26)

I488190
1 Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.
2 In subsection (7)—
a for paragraph (b) substitute—
, and
b omit paragraph (c).
3 After subsection (7) insert—

Modern Slavery Act 2015 (c. 30)

F737191. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))

I165192The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.
I468193In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I515194In section 25(1) (interpretation of this Act), at the appropriate place insert—
.
I723195In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))

I99196
1 Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.
2 In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (7), at the appropriate place insert—
.

Immigration Act 2016 (c. 19)

F738197. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Investigatory Powers Act 2016 (c. 25)

I420198The Investigatory Powers Act 2016 is amended as follows.
I525199In section 1(5)(b), for sub-paragraph (ii) substitute—
.
I272200In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—
F653201. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
I692202In section 206 (additional safeguards for health records), for subsection (7) substitute—
I347203
1 Section 237 (information gateway) is amended as follows.
2 In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (2) insert—

Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))

I50204
1 Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.
2 In subsection (4), for paragraph (a) substitute—
.
3 For subsection (5) substitute—
4 After subsection (6) insert—

Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))

I150205
1 Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.
2 In subsection (8), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
3 After subsection (12) insert—

Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))

I397206In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—
.

Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))

I132207The Justice Act (Northern Ireland) 2016 is amended as follows.
I573208
1 Section 17 (disclosure of information) is amended as follows.
2 In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (8), after “section” insert
.
I746209In section 44(3) (disclosure of information)—
a in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “ sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 ”, and
b for paragraph (b) substitute—

Policing and Crime Act 2017 (c. 3)

I82210
1 Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.
2 The existing text becomes subsection (1).
3 In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
4 After that subsection, insert—

Children and Social Work Act 2017 (c. 12)

211In Schedule 5 to the Children and Social Work Act 2017—
a in Part 1 (general amendments to do with social workers etc in England), omit paragraph 6, and
b in Part 2 (renaming of Health and Social Work Professions Order 2001), omit paragraph 47(g).

Higher Education and Research Act 2017 (c. 29)

I663212The Higher Education and Research Act 2017 is amended as follows.
I476213
1 Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.
2 In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 In subsection (7), at the appropriate place insert—
.
I87214
1 Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.
2 In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (6) insert —

Digital Economy Act 2017 (c. 30)

I206215The Digital Economy Act 2017 is amended as follows.
I510216
1 Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.
2 In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (10) insert—
I79217
1 Section 43 (codes of practice) is amended as follows.
2 In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
3 In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
I666218
1 Section 49 (further provision about disclosures under section 48) is amended as follows.
2 In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (10) insert—
I729219
1 Section 52 (code of practice) is amended as follows.
2 In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
3 In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
I579220
1 Section 57 (further provision about disclosures under section 56) is amended as follows.
2 In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (10) insert—
I478221
1 Section 60 (code of practice) is amended as follows.
2 In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
3 In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
I62222
1 Section 65 (supplementary provision about disclosures under section 64) is amended as follows.
2 In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After subsection (8) insert—
I200223
1 Section 70 (code of practice) is amended as follows.
2 In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
3 In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
I51224Omit sections 108 to 110 (charges payable to the Information Commissioner).

Landfill Disposals Tax (Wales) Act 2017 (anaw 3)

I544225
1 Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.
2 In subsection (4)(a)—
a in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”, and
b in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri'r ddeddfwriaeth diogelu data”.
3 After subsection (7)—
a in the English language text insert—
, and
b in the Welsh language text insert—

Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)

I252226
1 Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.
2 In the English language text—
a in subsection (9), omit from “and in this subsection” to the end, and
b after subsection (9) insert—
3 In the Welsh language text—
a in subsection (9), omit from “ac yn yr is-adran hon” to the end, and
b after subsection (9) insert—

This Act

227
1 Section 204 of this Act (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).
2 In subsection (1)(g)—
a omit “and Social Work”, and
b omit “, other than the social work profession in England”.
3 In subsection (2), for paragraph (a) substitute—
.

PART 2 Amendments of other legislation

Estate Agents (Specified Offences) (No. 2) Order 1991 (S.I. 1991/1091)

I186228In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—

Channel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)

I386229
1 Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.
2 In paragraph (2)—
a for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “ section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is ”,
b for “data controller” substitute “ controller ”,
c after “in the context of” insert “ the activities of ”, and
d for “and the 1998 Act” substitute “ and the 2018 Act ”.
3 In paragraph (3)—
a for “section 5 of the 1998 Act, data which are” substitute “ section 207 of the 2018 Act, data which is ”,
b for “data controller” substitute “ controller ”,
c after “in the context of” insert “ the activities of ”, and
d for “and the 1998 Act” substitute “ and the 2018 Act ”.

Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

I232230The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.
I265231In Article 4 (health professionals), for paragraph (1) substitute—
I131232In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “ made by the Department ”.

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

I623233In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

I673234The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.
I399235
1 Regulation 2(1) (interpretation) is amended as follows.
2 Omit the definition of “Directive 95/46/EC”.
3 At the appropriate place insert—
.
I269236
1 The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.
2 In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

I727237For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

I418238For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—

Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)

I61239The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.

Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I. 2000/185)

I620240The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.

Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)

I95241The Data Protection (Functions of Designated Authority) Order 2000 is revoked.

Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)

I395242The Data Protection (International Co-operation) Order 2000 is revoked.

Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)

I166243The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.

Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)

I596244In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.

Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)

I360245The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.

Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)

I442246The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.

Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)

I409247The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.

Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)

I586248The Data Protection (Crown Appointments) Order 2000 is revoked.

Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)

I662249The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.

Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)

I161250The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.

Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)

I530251The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

I224252The Representation of the People (England and Wales) Regulations 2001 are amended as follows.
I284253In regulation 3(1) (interpretation), at the appropriate places insert—
;
;
.
I297254In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I382255In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I558256In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I38257In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
.
I648258
1 Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.
2 After sub-paragraph (b) insert—
3 Omit sub-paragraphs (c) and (d).
I316259In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
I362260In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I419261In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I632262In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I491263In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I266264In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
.

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)

I676265The Representation of the People (Scotland) Regulations 2001 are amended as follows.
I743266In regulation 3(1) (interpretation), at the appropriate places, insert—
;
;
.
I105267In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I686268In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I694269In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
I43270In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—
.
I340271In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
.
I290272
1 Regulation 92(2) (interpretation of Part VI etc) is amended as follows.
2 After sub-paragraph (b) insert—
3 Omit sub-paragraphs (c) and (d).
I613273In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
I528274In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I560275In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I657276In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I246277In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

I547278
1 Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.
2 In paragraph (2B), for sub-paragraph (a) substitute—
.
3 After paragraph (5) insert—

Nursing and Midwifery Order 2001 (S.I. 2002/253)

I474279The Nursing and Midwifery Order 2001 is amended as follows.
I144280
1 Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.
2 In paragraph (18), after “enactment” insert “ or the GDPR ”.
3 After paragraph (18) insert—
I609281
1 Article 25 (the Council's power to require disclosure of information) is amended as follows.
2 In paragraph (3), after “enactment” insert “ or the GDPR ”.
3 In paragraph (6)—
a for “paragraph (5),” substitute “ paragraph (3)— ”, and
b at the appropriate place insert—
I490282In article 39B (European professional card), after paragraph (2) insert—
I357283In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—
.
I716284
1 Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.
2 In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
I562285
1 The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.
2 In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
I173286In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

I126287Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.
I295288In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “ the GDPR ”.
I41289In paragraph (3)—
a omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and
b at the appropriate place insert—
.

Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)

I219290The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)

I356291The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.
I599292In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
I296293
1 Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 In that sub-paragraph, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
4 After that sub-paragraph insert—
5 In the heading of that regulation, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)

I258294The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.
I298295In article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—
a for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”, and
b for “are” substitute “ is ”.
I633296In article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—
a for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”,
b for “are” substitute “ is ”,
c for “section 5” substitute “ section 207 ”,
d for “data controller” substitute “ controller ”, and
e after “in the context of” insert “ the activities of ”.

Pupils' Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

I47297The Pupils' Educational Records (Scotland) Regulations 2003 are amended as follows.
I691298
1 Regulation 2 (interpretation) is amended as follows.
2 Omit the definition of “the 1998 Act”.
3 At the appropriate place insert—
.
I174299
1 Regulation 6 (circumstances where information should not be disclosed) is amended as follows.
2 After “any information” insert “ to the extent that any of the following conditions are satisfied ”.
3 For paragraphs (a) to (c) substitute—
.
4 In paragraph (d), for “to the extent that its disclosure” substitute “ the disclosure of the information ”.
5 In paragraph (e), for “that” substitute “ the information ”.
I91300In regulation 9 (fees), for paragraph (1) substitute—

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

I311301Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.
I113302
1 Paragraph 74(1) (interpretation) is amended as follows.
2 Omit the definitions of “relevant conditions” and “research purposes”.
3 At the appropriate places insert—
;
.
I712303In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.

Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)

I135304In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.

Environmental Information Regulations 2004 (S.I. 2004/3391)

I81305The Environmental Information Regulations 2004 are amended as follows.
I160306
1 Regulation 2 (interpretation) is amended as follows.
2 In paragraph (1), at the appropriate places, insert—
;
;
;
.
3 For paragraph (4) substitute—
I715307
1 Regulation 13 (personal data) is amended as follows.
2 For paragraph (1) substitute—
3 For paragraph (2) substitute—
4 For paragraph (3) substitute—
5 Omit paragraph (4).
6 For paragraph (5) substitute—
7 After that paragraph insert—
I209308In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “ regulation 13(1)(b) or (5A) ”.
I383309In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “ regulation 13(5A) ”.

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

I194310The Environmental Information (Scotland) Regulations 2004 are amended as follows.
I282311
1 Regulation 2 (interpretation) is amended as follows.
2 In paragraph (1), at the appropriate places, insert—
;
;
;
.
3 For paragraph (3) substitute—
I454312
1 Regulation 11 (personal data) is amended as follows.
2 For paragraph (2) substitute—
3 For paragraph (3) substitute—
4 For paragraph (4) substitute—
5 Omit paragraph (5).
6 After paragraph (6) insert—

Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

I115313
1 Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.
2 In paragraph (1)(b)—
a for paragraph (iii) (but not the final “, and”) substitute—
, and
b in the words following paragraph (iii), omit “search”.
3 After paragraph (2) insert—

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

I549314The Education (Pupil Information) (England) Regulations 2005 are amended as follows.
I668315In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “ section 3(4) of the Data Protection Act 2018 ”.
I378316
1 Regulation 5 (disclosure of curricular and educational records) is amended as follows.
2 In paragraph (4)—
a in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
b in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “ the GDPR ”.
3 After paragraph (6) insert—

Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)

I255317
1 Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.
2 In paragraph (1)(d)—
a omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
b for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
3 After paragraph (1) insert—
4 Omit paragraphs (2) to (4).

Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

I542318In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—
a for the definition of “data protection principles” substitute—
, and
b at the appropriate place insert—
.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

I440319The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.
I618320
1 Regulation 39 (sensitive information) is amended as follows.
2 In paragraph (1)(d)—
a omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
b for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
3 After paragraph (1) insert—
4 Omit paragraphs (2) to (4).

Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)

I637321The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

I438322
1 Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—
.
4 After that sub-paragraph insert—

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

I449323In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant's loss of capacity), for paragraph (b) substitute—
.

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

I270324For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

I198325In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant's loss of capacity) —
a in the English language text, for paragraph (c) substitute—
, and
b in the Welsh language text, for paragraph (c) substitute—
.

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

I705326
1 Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.
2 In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—
.
3 After paragraph (1) insert—

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

I406327In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—
a in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—
, and
b after paragraph (3) insert—

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

I100328The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 are amended as follows.
I722329In regulation 2 (interpretation), at the appropriate place insert—
.
I486330In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “ information to which the pupil to whom the information relates would have no right of access under the GDPR ”.

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

I86331In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—
a in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”, and
b after paragraph (3) insert—

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

I534332In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “ the data protection legislation ”.

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

I33333The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.
I59334In regulation 2(1) (interpretation)—
a at the appropriate place in the English language text insert—
, and
b at the appropriate place in the Welsh language text insert—
I575335
1 Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
2 In paragraph (7)—
a in the English language text, at the end insert “ or the GDPR ”, and
b in the Welsh language text, at the end insert “neu'r GDPR”.
3 For paragraph (8)—
a in the English language text substitute—
, and
b in the Welsh language text substitute—
I533336
1 Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
2 In paragraph (6)—
a in the English language text, at the end insert “ or the GDPR ”, and
b in the Welsh language text, at the end insert “neu'r GDPR”.
3 For paragraph (7)—
a in the English language text substitute—
, and
b in the Welsh language text substitute—
I518337
1 Regulation 29 (occurrence reports) is amended as follows.
2 In paragraph (3)—
a in the English language text, at the end insert “ or the GDPR ”, and
b in the Welsh language text, at the end insert “neu'r GDPR”.
3 For paragraph (4)—
a in the English language text substitute—
, and
b in the Welsh language text substitute—

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

I348338
1 Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.
2 In paragraph (3)—
a omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and
b for the words from “where” to the end substitute “ if the condition in paragraph (3A) or (3B) is satisfied ”.
3 After paragraph (3) insert—
4 After paragraph (4) insert—

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

I522339
1 Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
.
4 In paragraph (c) of that sub-paragraph—
a omit “or” at the end of sub-paragraph (i), and
b at the end insert
.
5 After paragraph (c) of that sub-paragraph insert—
6 After sub-paragraph (1) insert—

Overseas Companies Regulations 2009 (S.I. 2009/1801)

I678340
1 Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
.
4 In paragraph (c) of that sub-paragraph—
a omit “or” at the end of sub-paragraph (i), and
b at the end insert
.
5 After paragraph (c) of that sub-paragraph insert—
6 After sub-paragraph (1) insert—

Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)

I191341The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.

Provision of Services Regulations 2009 (S.I. 2009/2999)

I259342In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—
.

INSPIRE Regulations 2009 (S.I. 2009/3157)

I422343
1 Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.
2 In paragraph (2)—
a omit “or” at the end of sub-paragraph (a),
b for sub-paragraph (b) substitute—
, and
c omit the words following sub-paragraph (b).
3 After paragraph (7) insert—

INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

I49344
1 Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.
2 In paragraph (2)—
a omit “or” at the end of sub-paragraph (a),
b for sub-paragraph (b) substitute—
, and
c omit the words following sub-paragraph (b).
3 After paragraph (6) insert—

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

I739345The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.
I261346In regulation 2(2) (interpretation), at the appropriate place insert—
.”
I689347
1 Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
2 In paragraph (7), at the end insert “ or the GDPR ”.
3 For paragraph (8) substitute—
I335348
1 Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
2 In paragraph (6), at the end insert “ or the GDPR ”.
3 For paragraph (7) substitute—
I108349
1 Regulation 29 (occurrence reports) is amended as follows.
2 In paragraph (3), at the end insert “ or the GDPR ”.
3 For paragraph (4) substitute—

Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)

I524350The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.

Pharmacy Order 2010 (S.I. 2010/231)

I441351The Pharmacy Order 2010 is amended as follows.
I413352In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.
I77353
1 Article 9 (inspection and enforcement) is amended as follows.
2 For paragraph (4) substitute—
3 After paragraph (4) insert—
I459354In article 33A (European professional card), after paragraph (2) insert—
I615355
1 Article 49 (disclosure of information: general) is amended as follows.
2 In paragraph (2)(a), after “enactment” insert “ or the GDPR ”.
3 For paragraph (3) substitute—
4 After paragraph (5) insert—
I435356
1 Article 55 (professional performance assessments) is amended as follows.
2 In paragraph (5)(a), after “enactment” insert “ or the GDPR ”.
3 For paragraph (6) substitute—
4 After paragraph (8) insert—
I744357In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—
.
I695358
1 Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.
2 In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “ the GDPR ”.
3 In paragraph 9 (processing data)—
a omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and
b after sub-paragraph (2) insert—
I302359
1 The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.
2 In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
3 In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)

I389360The Data Protection (Monetary Penalties) Order 2010 is revoked.

National Employment Savings Trust Order 2010 (S.I. 2010/917)

I301361The National Employment Savings Trust Order 2010 is amended as follows.
I401362In article 2 (interpretation)—
a omit the definition of “data” and “personal data”, and
b at the appropriate place insert—
I203363
1 Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.
2 In paragraph (1)—
a for “disclosure of data” substitute “ disclosure of information ”, and
b for “requested data” substitute “ requested information ”.
3 In paragraph (2)—
a for “requested data” substitute “ requested information ”,
b for “those data are” substitute “ the information is ”, and
c for “receive those data” substitute “ receive that information ”.
4 In paragraph (3), for “requested data” substitute “ requested information ”.
5 In paragraph (4), for “requested data” substitute “ requested information ”.

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

I358364
1 Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
2 In paragraph 1(1) (interpretation and general)—
a omit the definition of “research purposes”, and
b at the appropriate places insert—
;
.
3 In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

I634365
1 Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.
2 In paragraph (5)—
a in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute
, and
b in the Welsh language text, for “ddogfennau sy'n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute
3 After paragraph (5)—
a in the English language text insert—
, and
b in the Welsh language text insert—

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

I369366In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

I513367The Police and Crime Commissioner Elections Order 2012 is amended as follows.
I35368
1 Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.
2 In paragraph 20 (absent voter lists: supply of copies etc)—
a in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—
, and
b after sub-paragraph (10) insert—
3 In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—
a in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
, and
b after that sub-paragraph insert—
I697369
1 Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
2 In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
3 In paragraph 5 (restriction on use of documents or of information contained in them)—
a in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
, and
b after sub-paragraph (4) insert—

Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)

I323370The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)

I199371Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.
I408372
1 Paragraph 29(1) (interpretation of Part 8) is amended as follows.
2 At the appropriate places insert—
;
.
3 For the definition of “relevant conditions” substitute—
.
4 Omit the definition of “research purposes”.
I541373In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
I710374In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I724375In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I164376In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
I331377In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—
.

Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)

I494378
1 Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.
2 For paragraph (4) substitute—
3 In paragraph (5), after “enactment” insert “ or the GDPR ”.
4 After paragraph (6) insert—

Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)

I256379
1 Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.
2 The existing text becomes paragraph (1).
3 In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
4 After that paragraph insert—

Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)

I428380In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co-operation in criminal matters).

Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282)

I122381The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.

The Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R. (N.I.) 2014 No. 224)

I448382In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—
a in paragraph (9), omit sub-paragraph (b) and the word “and” before it, and
b in paragraph (11), omit the definition of “processing” and “sensitive personal data” and the word “and” before it.

Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)

I669383In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—
a in paragraph (7), omit sub-paragraph (b) and the word “and” before it, and
b omit paragraph (8).

Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)

I238384
1 Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
.
4 In paragraph (c) of that sub-paragraph—
a omit “or” at the end of sub-paragraph (i), and
b at the end insert
.
5 After paragraph (c) of that sub-paragraph insert—
6 After sub-paragraph (1) insert—

Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)

I685385The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.
I377386
1 Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.
2 In paragraph (1)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 After paragraph (2) insert—
I660387
1 Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.
2 For paragraph (1) substitute—
3 After paragraph (3) insert—

European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)

I317388The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.
I741389
1 Regulation 2(1) (interpretation) is amended as follows.
2 Omit the definition of “Directive 95/46/EC”.
3 At the appropriate place insert—
.
I514390In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.
I314391In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.
I262392In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.
I48393In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).
I622394In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.

Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)

I192395The Scottish Parliament (Elections etc) Order 2015 is amended as follows.
I641396
1 Schedule 3 (absent voting) is amended as follows.
2 In paragraph 16 (absent voting lists: supply of copies etc)—
a in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—
, and
b after sub-paragraph (10) insert—
3 In paragraph 20 (restriction on use of absent voting lists)—
a in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
, and
b after that sub-paragraph insert—
I532397
1 Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
2 In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
3 In paragraph 5 (restriction on use of documents or of information contained in them)—
a in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
, and
b after sub-paragraph (4) insert—

Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)

I642398In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.

Register of People with Significant Control Regulations 2016 (S.I. 2016/339)

I249399Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.
I500400
1 Paragraph 6 (disclosure to a credit reference agency) is amended as follows.
2 In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—
.
3 In sub-paragraph (c)—
a omit “or” at the end of paragraph (ii), and
b at the end insert—
4 After sub-paragraph (c) insert—
I63401In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—
I496402In Part 3 (interpretation), after paragraph 13 insert—

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

I94403The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.
I163404In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.
I141405In regulation 3(3) (supervision), omit “under the 1998 Act”.
I217406For Schedule 2 substitute—

Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)

I706407The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.
I322408In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute
I251409In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)

I507410The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.
I169411In regulation 3(1) (interpretation), at the appropriate places insert—
;
.
I584412In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute
I149413In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute
I351414For regulation 40(9)(c) (record keeping) substitute—
I308415
1 Regulation 41 (data protection) is amended as follows.
2 Omit paragraph (2).
3 In paragraph (3)(a), after “Regulations” insert “ or the GDPR ”.
4 Omit paragraphs (4) and (5).
5 After those paragraphs insert—
I92416
1 Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.
2 In paragraph (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 For paragraph (11) substitute—
I344417
1 Regulation 85 (publication: the Commissioners) is amended as follows.
2 In paragraph (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
3 For paragraph (10) substitute—
I436418For regulation 106(a) (general restrictions) substitute—
.
I501419After paragraph 27 of Schedule 3 (relevant offences) insert—

Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)

I318420
1 Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.
2 The existing text becomes sub-paragraph (1).
3 For paragraph (b) of that sub-paragraph substitute—
4 After sub-paragraph (1) insert—

Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)

I101421In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—
;
.

National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)

I373422The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.
I215423
1 Regulation 1 (citation and commencement) is amended as follows.
2 In paragraph (2), omit “Subject to paragraph (3),”.
3 Omit paragraph (3).
I492424In regulation 3(1) (interpretation)—
a omit the definition of “the 1998 Act”,
b at the appropriate place insert—
, and
c omit the definition of “GDPR”.
I228425
1 Schedule 6 (other contractual terms) is amended as follows.
2 In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute
3 For paragraph 64 (meaning of data controller etc.) substitute—
4 In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “ controllers ”.
5 In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute
.
6 In paragraph 94(4) (variation of a contract: general)—
a omit paragraph (b), and
b after paragraph (d) (but before the final “and”) insert—
.

National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)

I366426The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.
I104427
1 Regulation 1 (citation and commencement) is amended as follows.
2 In paragraph (2), omit “Subject to paragraph (3),”.
3 Omit paragraph (3).
I604428In regulation 3(1) (interpretation)—
a omit the definition of “the 1998 Act”, and
b at the appropriate place insert—
, and
c omit the definition of “GDPR”.
I280429
1 Schedule 1 (content of agreements) is amended as follows.
2 In paragraph 34 (interpretation)—
a in sub-paragraph (1)—
i omit “Subject to sub-paragraph (3),”,
ii before paragraph (a) insert—
, and
iii for paragraph (d) substitute—
,
b omit sub-paragraphs (2) and (3),
c in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute
, and
d in sub-paragraph (6)(b), for “data controllers” substitute “ controllers ”.
3 In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute
.
4 In paragraph 61(3) (variation of agreement: general)—
a omit paragraph (b), and
b after paragraph (d) (but before the final “and”) insert—
.

PART 3 Modifications

Introduction

I677430
1 Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.
2 That legislation is—
a subordinate legislation made before the day on which this Part of this Schedule comes into force;
b primary legislation that is passed or made before the end of the Session in which this Act is passed.
3 In this Part of this Schedule—
  • primary legislation” has the meaning given in section 211(7);
  • references” includes any references, however expressed.

General modifications

431
1 References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.
2 Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.
3 References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the UK GDPR.

Specific modification of references to terms used in the Data Protection Act 1998

432
1 References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).
2 References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).
3 References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).
4 References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).
5 References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—
a Article 5(1) of the UK GDPR, and
b sections 34(1) and 85(1) of this Act.
6 References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 122 of this Act.
7 References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 204 of this Act.
8 References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 205 of this Act.

PART 4 Supplementary

Definitions

I569433Section 3(14) does not apply to this Schedule.

Provision inserted in subordinate legislation by this Schedule

I28I188434Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.

SCHEDULE 20 

Transitional provision etc

Section 213

PART 1 General

Interpretation

I1061
1 In this Schedule—
  • the 1984 Act” means the Data Protection Act 1984;
  • the 1998 Act” means the Data Protection Act 1998;
  • the 2014 Regulations” means the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141);
  • data controller” has the same meaning as in the 1998 Act (see section 1 of that Act);
  • the old data protection principles” means the principles set out in—
    1. Part 1 of Schedule 1 to the 1998 Act, and
    2. regulation 30 of the 2014 Regulations.
2 A provision of the 1998 Act that has effect by virtue of this Schedule is not, by virtue of that, part of the data protection legislation (as defined in section 3).

PART 2 Rights of data subjects

Right of access to personal data under the 1998 Act

I1252
1 The repeal of sections 7 to 9A of the 1998 Act (right of access to personal data) does not affect the application of those sections after the relevant time in a case in which a data controller received a request under section 7 of that Act (right of access to personal data) before the relevant time.
2 The repeal of sections 7 and 8 of the 1998 Act and the revocation of regulation 44 of the 2014 Regulations (which applies those sections with modifications) do not affect the application of those sections and that regulation after the relevant time in a case in which a UK competent authority received a request under section 7 of the 1998 Act (as applied by that regulation) before the relevant time.
3 The revocation of the relevant regulations, or their amendment by Schedule 19 to this Act, and the repeals and revocation mentioned in sub-paragraphs (1) and (2), do not affect the application of the relevant regulations after the relevant time in a case described in those sub-paragraphs.
4 In this paragraph—
  • the relevant regulations” means—
    1. the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191);
    2. regulation 4 of, and Schedule 1 to, the Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290);
    3. regulation 3 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244);
  • the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force;
  • UK competent authority” has the same meaning as in Part 4 of the 2014 Regulations (see regulation 27 of those Regulations).

Right to prevent processing likely to cause damage or distress under the 1998 Act

I7113
1 The repeal of section 10 of the 1998 Act (right to prevent processing likely to cause damage or distress) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.
2 In this paragraph, “the relevant time” means the time when the repeal of section 10 of the 1998 Act comes into force.

Right to prevent processing for purposes of direct marketing under the 1998 Act

I6964
1 The repeal of section 11 of the 1998 Act (right to prevent processing for purposes of direct marketing) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.
2 In this paragraph, “the relevant time” means the time when the repeal of section 11 of the 1998 Act comes into force.

Automated processing under the 1998 Act

I2935
1 The repeal of section 12 of the 1998 Act (rights in relation to automated decision-taking) does not affect the application of that section after the relevant time in relation to a decision taken by a person before that time if—
a in taking the decision the person failed to comply with section 12(1) of the 1998 Act, or
b at the relevant time—
i the person had not taken all of the steps required under section 12(2) or (3) of the 1998 Act, or
ii the period specified in section 12(2)(b) of the 1998 Act (for an individual to require a person to reconsider a decision) had not expired.
2 In this paragraph, “the relevant time” means the time when the repeal of section 12 of the 1998 Act comes into force.

Compensation for contravention of the 1998 Act or Part 4 of the 2014 Regulations

I4266
1 The repeal of section 13 of the 1998 Act (compensation for failure to comply with certain requirements) does not affect the application of that section after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.
2 The revocation of regulation 45 of the 2014 Regulations (right to compensation) does not affect the application of that regulation after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.
3 The relevant time” means—
a in sub-paragraph (1), the time when the repeal of section 13 of the 1998 Act comes into force;
b in sub-paragraph (2), the time when the revocation of regulation 45 of the 2014 Regulation comes into force.

Rectification, blocking, erasure and destruction under the 1998 Act

I6437
1 The repeal of section 14(1) to (3) and (6) of the 1998 Act (rectification, blocking, erasure and destruction of inaccurate personal data) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (1) of that section before the relevant time.
2 The repeal of section 14(4) to (6) of the 1998 Act (rectification, blocking, erasure and destruction: risk of further contravention in circumstances entitling data subject to compensation under section 13 of the 1998 Act) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (4) of that section before the relevant time.
3 In this paragraph, “the relevant time” means the time when the repeal of section 14 of the 1998 Act comes into force.

Jurisdiction and procedure under the 1998 Act

I4448The repeal of section 15 of the 1998 Act (jurisdiction and procedure) does not affect the application of that section in connection with sections 7 to 14 of the 1998 Act as they have effect by virtue of this Schedule.

Exemptions under the 1998 Act

I4649
1 The repeal of Part 4 of the 1998 Act (exemptions) does not affect the application of that Part after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect after that time by virtue of paragraphs 2 to 7 of this Schedule.
2 The revocation of the relevant Orders, and the repeal mentioned in sub-paragraph (1), do not affect the application of the relevant Orders after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect as described in sub-paragraph (1).
3 In this paragraph—
  • the relevant Orders” means—
    1. the Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184);
    2. the Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413);
    3. the Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414);
    4. the Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415);
    5. the Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416);
    6. Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419);
    7. Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864);
  • the relevant time” means the time when the repeal of the provision of Part 2 of the 1998 Act in question comes into force.
4 As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.

Prohibition by this Act of requirement to produce relevant records

I55210
1 In Schedule 18 to this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.
2 In section 184 of this Act, references to a “relevant record” include a record which does not fall within the definition in Schedule 18 to this Act (read with sub-paragraph (1)) but which, immediately before the relevant time, was a “relevant record” for the purposes of section 56 of the 1998 Act.
3 In this paragraph, “the relevant time” means the time when the repeal of section 56 of the 1998 Act comes into force.

Avoidance under this Act of certain contractual terms relating to health records

I45111In section 185 of this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.

PART 3 The UK GDPR and Part 2 of this Act

Exemptions from the GDPR: restrictions of rules in Articles 13 to 15 of the GDPR

I43912In paragraph 20(2) of Schedule 2 to this Act (self-incrimination), the reference to an offence under this Act includes an offence under the 1998 Act or the 1984 Act.

Manual unstructured data held by FOI public authorities

I21413Until the first regulations under section 24(8) of this Act come into force, “the appropriate maximum” for the purposes of that section is—
a where the controller is a public authority listed in Part 1 of Schedule 1 to the Freedom of Information Act 2000, £600, and
b otherwise, £450.

PART 4 Law enforcement and intelligence services processing

Logging

14
1 In relation to an automated processing system set up before 6 May 2016, subsections (1) to (3) of section 62 of this Act do not apply if and to the extent that compliance with them would involve disproportionate effort.
2 Sub-paragraph (1) ceases to have effect at the beginning of 6 May 2026.

Regulation 50 of the 2014 Regulations (disapplication of the 1998 Act)

I70315Nothing in this Schedule, read with the revocation of regulation 50 of the 2014 Regulations, has the effect of applying a provision of the 1998 Act to the processing of personal data to which Part 4 of the 2014 Regulations applies in a case in which that provision did not apply before the revocation of that regulation.

Maximum fee for data subject access requests to intelligence services

I49316Until the first regulations under section 94(4)(b) of this Act come into force, the maximum amount of a fee that may be required by a controller under that section is £10.

PART 5 National security certificates

National security certificates: processing of personal data under the 1998 Act

I74217
1 The repeal of section 28(2) to (12) of the 1998 Act does not affect the application of those provisions after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.
2 A certificate issued under section 28(2) of the 1998 Act continues to have effect after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.
3 Where a certificate continues to have effect under sub-paragraph (2) after the relevant time, it may be revoked or quashed in accordance with section 28 of the 1998 Act after the relevant time.
4 In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.

National security certificates: processing of personal data under the 2018 Act

I94918
1 This paragraph applies to a certificate issued under section 28(2) of the 1998 Act (an “old certificate”) which has effect immediately before the relevant time.
2 If and to the extent that the old certificate provides protection with respect to personal data which corresponds to protection that could be provided by a certificate issued under section 27, 79 or 111 of this Act, the old certificate also has effect to that extent after the relevant time as if—
a it were a certificate issued under one or more of sections 27, 79 and 111 (as the case may be),
b it provided protection in respect of that personal data in relation to the corresponding provisions of this Act or the UK GDPR, and
c where it has effect as a certificate issued under section 79, it certified that each restriction in question is a necessary and proportionate measure to protect national security.
3 Where an old certificate also has effect as if it were a certificate issued under one or more of sections 27, 79 and 111, that section has, or those sections have, effect accordingly in relation to the certificate.
4 Where an old certificate has an extended effect because of sub-paragraph (2), section 130 of this Act does not apply in relation to it.
5 An old certificate that has an extended effect because of sub-paragraph (2) provides protection only with respect to the processing of personal data that occurs during the period of 1 year beginning with the relevant time (and a Minister of the Crown may curtail that protection by wholly or partly revoking the old certificate).
6 For the purposes of this paragraph—
a a reference to the protection provided by a certificate issued under—
i section 28(2) of the 1998 Act, or
ii section 27, 79 or 111 of this Act,
is a reference to the effect of the evidence that is provided by the certificate;
b protection provided by a certificate under section 28(2) of the 1998 Act is to be regarded as corresponding to protection that could be provided by a certificate under section 27, 79 or 111 of this Act where, in respect of provision in the 1998 Act to which the certificate under section 28(2) relates, there is corresponding provision in this Act or the UK GDPR to which a certificate under section 27, 79 or 111 could relate.
7 In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.
8 In this paragraph, references to the UK GDPR do not include the EU GDPR as it was directly applicable to the United Kingdom before IP completion day (see paragraph 2 of Schedule 21).

PART 6 The Information Commissioner

Appointment etc

I53119
1 On and after the relevant day, the individual who was the Commissioner immediately before that day—
a continues to be the Commissioner,
b is to be treated as having been appointed under Schedule 12 to this Act, and
c holds office for the period—
i beginning with the relevant day, and
ii lasting for 7 years less a period equal to the individual's pre-commencement term.
2 On and after the relevant day, a resolution passed by the House of Commons for the purposes of paragraph 3 of Schedule 5 to the 1998 Act (salary and pension of Commissioner), and not superseded before that day, is to be treated as having been passed for the purposes of paragraph 4 of Schedule 12 to this Act.
3 In this paragraph—
  • pre-commencement term”, in relation to an individual, means the period during which the individual was the Commissioner before the relevant day;
  • the relevant day” means the day on which Schedule 12 to this Act comes into force.

Accounts

I22120
1 The repeal of paragraph 10 of Schedule 5 to the 1998 Act does not affect the duties of the Commissioner and the Comptroller and Auditor General under that paragraph in respect of the Commissioner's statement of account for the financial year beginning with 1 April 2017.
2 The Commissioner's duty under paragraph 11 of Schedule 12 to this Act to prepare a statement of account for each financial year includes a duty to do so for the financial year beginning with 1 April 2018.

Annual report

I60721
1 The repeal of section 52(1) of the 1998 Act (annual report) does not affect the Commissioner's duty under that subsection to produce a general report on the exercise of the Commissioner's functions under the 1998 Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
2 The repeal of section 49 of the Freedom of Information Act 2000 (annual report) does not affect the Commissioner's duty under that section to produce a general report on the exercise of the Commissioner's functions under that Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
3 The first report produced by the Commissioner under section 139 of this Act must relate to the period of 1 year beginning with 1 April 2018.

Fees etc received by the Commissioner

I43422
1 The repeal of Schedule 5 to the 1998 Act (Information Commissioner) does not affect the application of paragraph 9 of that Schedule after the relevant time to amounts received by the Commissioner before the relevant time.
2 In this paragraph, “the relevant time” means the time when the repeal of Schedule 5 to the 1998 Act comes into force.
I17923Paragraph 10 of Schedule 12 to this Act applies only to amounts received by the Commissioner after the time when that Schedule comes into force.

Functions in connection with the Data Protection Convention

I15924
1 The repeal of section 54(2) of the 1998 Act (functions to be discharged by the Commissioner for the purposes of Article 13 of the Data Protection Convention), and the revocation of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186), do not affect the application of articles 1 to 5 of that Order after the relevant time in relation to a request described in those articles which was made before that time.
2 The references in paragraph 9 of Schedule 14 to this Act (Data Protection Convention: restrictions on use of information) to requests made or received by the Commissioner under paragraph 6 or 7 of that Schedule include a request made or received by the Commissioner under article 3 or 4 of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186).
3 The repeal of section 54(7) of the 1998 Act (duty to notify the European Commission of certain approvals and authorisations) does not affect the application of that provision after the relevant time in relation to an approval or authorisation granted before the relevant time.
4 In this paragraph, “the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force.

Co-operation with the European Commission: transfers of personal data outside the EEA

I60325
1 The repeal of section 54(3) of the 1998 Act (co-operation by the Commissioner with the European Commission etc), and the revocation of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190), do not affect the application of articles 1 to 4 of that Order after the relevant time in relation to transfers that took place before the relevant time.
2 In this paragraph—
  • the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force;
  • transfer” has the meaning given in article 2 of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190).

Charges payable to the Commissioner by controllers

I53826
1 The Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480) have effect after the relevant time (until revoked) as if they were made under section 137 of this Act.
2 In this paragraph, “the relevant time” means the time when section 137 of this Act comes into force.

Requests for assessment

I41727
1 The repeal of section 42 of the 1998 Act (requests for assessment) does not affect the application of that section after the relevant time in a case in which the Commissioner received a request under that section before the relevant time, subject to sub-paragraph (2).
2 The Commissioner is only required to make an assessment of acts and omissions that took place before the relevant time.
3 In this paragraph, “the relevant time” means the time when the repeal of section 42 of the 1998 Act comes into force.

Codes of practice

I7028
1 The repeal of section 52E of the 1998 Act (effect of codes of practice) does not affect the application of that section after the relevant time in relation to legal proceedings or to the exercise of the Commissioner's functions under the 1998 Act as it has effect by virtue of this Schedule.
2 In section 52E of the 1998 Act, as it has effect by virtue of this paragraph, the references to the 1998 Act include that Act as it has effect by virtue of this Schedule.
3 For the purposes of subsection (3) of that section, as it has effect by virtue of this paragraph, the data-sharing code and direct marketing code in force immediately before the relevant time are to be treated as having continued in force after that time.
4 In this paragraph—
  • “the data-sharing code” and “the direct marketing code” mean the codes respectively prepared under sections 52A and 52AA of the 1998 Act and issued under section 52B(5) of that Act;
  • the relevant time” means the time when the repeal of section 52E of the 1998 Act comes into force.

PART 7 Enforcement etc under the 1998 Act

Interpretation of this Part

I33429
1 In this Part of this Schedule, references to contravention of the sixth data protection principle sections are to relevant contravention of any of sections 7, 10, 11 or 12 of the 1998 Act, as they continue to have effect by virtue of this Schedule after their repeal (and references to compliance with the sixth data protection principle sections are to be read accordingly).
2 In sub-paragraph (1), “relevant contravention” means contravention in a manner described in paragraph 8 of Part 2 of Schedule 1 to the 1998 Act (sixth data protection principle).

Information notices

I74030
1 The repeal of section 43 of the 1998 Act (information notices) does not affect the application of that section after the relevant time in a case in which—
a the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or
b the Commissioner requires information after the relevant time for the purposes of—
i responding to a request made under section 42 of the 1998 Act before that time,
ii determining whether a data controller complied with the old data protection principles before that time, or
iii determining whether a data controller complied with the sixth data protection principle sections after that time.
2 In section 43 of the 1998 Act, as it has effect by virtue of this paragraph—
a the reference to an offence under section 47 of the 1998 Act includes an offence under section 144 of this Act, and
b the references to an offence under the 1998 Act include an offence under this Act.
3 In this paragraph, “the relevant time” means the time when the repeal of section 43 of the 1998 Act comes into force.

Special information notices

I26031
1 The repeal of section 44 of the 1998 Act (special information notices) does not affect the application of that section after the relevant time in a case in which—
a the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or
b the Commissioner requires information after the relevant time for the purposes of—
i responding to a request made under section 42 of the 1998 Act before that time, or
ii ascertaining whether section 44(2)(a) or (b) of the 1998 Act was satisfied before that time.
2 In section 44 of the 1998 Act, as it has effect by virtue of this paragraph—
a the reference to an offence under section 47 of the 1998 Act includes an offence under section 144 of this Act, and
b the references to an offence under the 1998 Act include an offence under this Act.
3 In this paragraph, “the relevant time” means the time when the repeal of section 44 of the 1998 Act comes into force.

Assessment notices

I67032
1 The repeal of sections 41A and 41B of the 1998 Act (assessment notices) does not affect the application of those sections after the relevant time in a case in which—
a the Commissioner served a notice under section 41A of the 1998 Act before the relevant time (and did not cancel it before that time), or
b the Commissioner considers it appropriate, after the relevant time, to investigate—
i whether a data controller complied with the old data protection principles before that time, or
ii whether a data controller complied with the sixth data protection principle sections after that time.
2 The revocation of the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282), and the repeals mentioned in sub-paragraph (1), do not affect the application of that Order in a case described in sub-paragraph (1).
3 Sub-paragraph (1) does not enable the Secretary of State, after the relevant time, to make an order under section 41A(2)(b) or (c) of the 1998 Act (data controllers on whom an assessment notice may be served) designating a public authority or person for the purposes of that section.
4 Section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1), has effect as if subsections (8) and (11) (duty to review designation orders) were omitted.
5 The repeal of section 41C of the 1998 Act (code of practice about assessment notice) does not affect the application, after the relevant time, of the code issued under that section and in force immediately before the relevant time in relation to the exercise of the Commissioner's functions under and in connection with section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1).
6 In this paragraph, “the relevant time” means the time when the repeal of section 41A of the 1998 Act comes into force.

Enforcement notices

I33733
1 The repeal of sections 40 and 41 of the 1998 Act (enforcement notices) does not affect the application of those sections after the relevant time in a case in which—
a the Commissioner served a notice under section 40 of the 1998 Act before the relevant time (and did not cancel it before that time), or
b the Commissioner is satisfied, after that time, that a data controller —
i contravened the old data protection principles before that time, or
ii contravened the sixth data protection principle sections after that time.
2 In this paragraph, “the relevant time” means the time when the repeal of section 40 of the 1998 Act comes into force.

Determination by Commissioner as to the special purposes

I58534
1 The repeal of section 45 of the 1998 Act (determination by Commissioner as to the special purposes) does not affect the application of that section after the relevant time in a case in which—
a the Commissioner made a determination under that section before the relevant time, or
b the Commissioner considers it appropriate, after the relevant time, to make a determination under that section.
2 In this paragraph, “the relevant time” means the time when the repeal of section 45 of the 1998 Act comes into force.

Restriction on enforcement in case of processing for the special purposes

I8435
1 The repeal of section 46 of the 1998 Act (restriction on enforcement in case of processing for the special purposes) does not affect the application of that section after the relevant time in relation to an enforcement notice or information notice served under the 1998 Act—
a before the relevant time, or
b after the relevant time in reliance on this Schedule.
2 In this paragraph, “the relevant time” means the time when the repeal of section 46 of the 1998 Act comes into force.

Offences

I72836
1 The repeal of sections 47, 60 and 61 of the 1998 Act (offences of failing to comply with certain notices and of providing false information etc in response to a notice) does not affect the application of those sections after the relevant time in connection with an information notice, special information notice or enforcement notice served under Part 5 of the 1998 Act—
a before the relevant time, or
b after that time in reliance on this Schedule.
2 In this paragraph, “the relevant time” means the time when the repeal of section 47 of the 1998 Act comes into force.

Powers of entry

I7137
1 The repeal of sections 50, 60 and 61 of, and Schedule 9 to, the 1998 Act (powers of entry) does not affect the application of those provisions after the relevant time in a case in which—
a a warrant issued under that Schedule was in force immediately before the relevant time,
b before the relevant time, the Commissioner supplied information on oath for the purposes of obtaining a warrant under that Schedule but that had not been considered by a circuit judge or a District Judge (Magistrates' Courts), or
c after the relevant time, the Commissioner supplies information on oath to a circuit judge or a District Judge (Magistrates' Courts) in respect of—
i a contravention of the old data protection principles before the relevant time;
ii a contravention of the sixth data protection principle sections after the relevant time;
iii the commission of an offence under a provision of the 1998 Act (including as the provision has effect by virtue of this Schedule);
iv a failure to comply with a requirement imposed by an assessment notice issued under section 41A the 1998 Act (including as it has effect by virtue of this Schedule).
2 In paragraph 16 of Schedule 9 to the 1998 Act, as it has effect by virtue of this paragraph, the reference to an offence under paragraph 12 of that Schedule includes an offence under paragraph 15 of Schedule 15 to this Act.
3 In this paragraph, “the relevant time” means the time when the repeal of Schedule 9 to the 1998 Act comes into force.
4 Paragraphs 14 and 15 of Schedule 9 to the 1998 Act (application of that Schedule to Scotland and Northern Ireland) apply for the purposes of this paragraph as they apply for the purposes of that Schedule.

Monetary penalties

I22038
1 The repeal of sections 55A, 55B, 55D and 55E of the 1998 Act (monetary penalties) does not affect the application of those provisions after the relevant time in a case in which—
a the Commissioner served a monetary penalty notice under section 55A of the 1998 Act before the relevant time,
b the Commissioner served a notice of intent under section 55B of the 1998 Act before the relevant time, or
c the Commissioner considers it appropriate, after the relevant time, to serve a notice mentioned in paragraph (a) or (b) in respect of—
i a contravention of section 4(4) of the 1998 Act before the relevant time, or
ii a contravention of the sixth data protection principle sections after the relevant time.
2 The revocation of the relevant subordinate legislation, and the repeals mentioned in sub-paragraph (1), do not affect the application of the relevant subordinate legislation (or of provisions of the 1998 Act applied by them) after the relevant time in a case described in sub-paragraph (1).
3 Guidance issued under section 55C of the 1998 Act (guidance about monetary penalty notices) which is in force immediately before the relevant time continues in force after that time for the purposes of the Commissioner's exercise of functions under sections 55A and 55B of the 1998 Act as they have effect by virtue of this paragraph.
4 In this paragraph—
  • the relevant subordinate legislation” means—
    1. the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31);
    2. the Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910);
  • the relevant time” means the time when the repeal of section 55A of the 1998 Act comes into force.

Appeals

I52739
1 The repeal of sections 48 and 49 of the 1998 Act (appeals) does not affect the application of those sections after the relevant time in relation to a notice served under the 1998 Act or a determination made under section 45 of that Act—
a before the relevant time, or
b after that time in reliance on this Schedule.
2 In this paragraph, “the relevant time” means the time when the repeal of section 48 of the 1998 Act comes into force.

Exemptions

I73040
1 The repeal of section 28 of the 1998 Act (national security) does not affect the application of that section after the relevant time for the purposes of a provision of Part 5 of the 1998 Act as it has effect after that time by virtue of the preceding paragraphs of this Part of this Schedule.
2 In this paragraph, “the relevant time” means the time when the repeal of the provision of Part 5 of the 1998 Act in question comes into force.
3 As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.

Tribunal Procedure Rules

I28841
1 The repeal of paragraph 7 of Schedule 6 to the 1998 Act (Tribunal Procedure Rules) does not affect the application of that paragraph, or of rules made under that paragraph, after the relevant time in relation to the exercise of rights of appeal conferred by section 28 or 48 of the 1998 Act, as they have effect by virtue of this Schedule.
2 Part 3 of Schedule 19 to this Act does not apply for the purposes of Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act as they apply, after the relevant time, in relation to the exercise of rights of appeal described in sub-paragraph (1).
3 In this paragraph, “the relevant time” means the time when the repeal of paragraph 7 of Schedule 6 to the 1998 Act comes into force.

Obstruction etc

I56642
1 The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission in relation to proceedings under the 1998 Act (including as it has effect by virtue of this Schedule).
2 In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.

Enforcement etc under the 2014 Regulations

I36743
1 The references in the preceding paragraphs of this Part of this Schedule to provisions of the 1998 Act include those provisions as applied, with modifications, by regulation 51 of the 2014 Regulations (other functions of the Commissioner).
2 The revocation of regulation 51 of the 2014 Regulations does not affect the application of those provisions of the 1998 Act (as so applied) as described in those paragraphs.

PART 8 Enforcement etc under this Act

Information notices

I39444In section 143 of this Act—
a the reference to an offence under section 144 of this Act includes an offence under section 47 of the 1998 Act (including as it has effect by virtue of this Schedule), and
b the references to an offence under this Act include an offence under the 1998 Act (including as it has effect by virtue of this Schedule) or the 1984 Act.

Powers of entry

I20245In paragraph 16 of Schedule 15 to this Act (powers of entry: self-incrimination), the reference to an offence under paragraph 15 of that Schedule includes an offence under paragraph 12 of Schedule 9 to the 1998 Act (including as it has effect by virtue of this Schedule).

Tribunal Procedure Rules

I4646
1 Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act (appeal rights under the 1998 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 203 of this Act.
2 In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(a) of Schedule 6 to the 1998 Act comes into force.

PART 9 Other enactments

Powers to disclose information to the Commissioner

I24847
1 The following provisions (as amended by Schedule 19 to this Act) have effect after the relevant time as if the matters they refer to included a matter in respect of which the Commissioner could exercise a power conferred by a provision of Part 5 of the 1998 Act, as it has effect by virtue of this Schedule—
a section 11AA(1)(a) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner);
b sections 33A(1)(a) and 34O(1)(a) of the Local Government Act 1974 (disclosure of information by Local Commissioner);
c section 18A(1)(a) of the Health Service Commissioners Act 1993 (disclosure of information by Health Service Commissioner);
d paragraph 1 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11) (disclosure of information by the Ombudsman);
e section 34X(3)(a) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);
f section 18(6)(a) of the Commissioner for Older People (Wales) Act 2006 (disclosure of information by the Commissioner);
g section 22(3)(a) of the Welsh Language (Wales) Measure 2011 (nawm 1) (disclosure of information by the Welsh Language Commissioner);
h section 49(3)(a) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))(disclosure of information by the Ombudsman);
i section 44(3)(a) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)) (disclosure of information by the Prison Ombudsman for Northern Ireland).
2 The following provisions (as amended by Schedule 19 to this Act) have effect after the relevant time as if the offences they refer to included an offence under any provision of the 1998 Act other than paragraph 12 of Schedule 9 to that Act (obstruction of execution of warrant)—
a section 11AA(1)(b) of the Parliamentary Commissioner Act 1967;
b sections 33A(1)(b) and 34O(1)(b) of the Local Government Act 1974;
c section 18A(1)(b) of the Health Service Commissioners Act 1993;
d paragraph 2 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11);
e section 34X(5) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);
f section 18(8) of the Commissioner for Older People (Wales) Act 2006;
g section 22(5) of the Welsh Language (Wales) Measure 2011 (nawm 1);
h section 49(5) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.));
i section 44(3)(b) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)).
3 In this paragraph, “the relevant time”, in relation to a provision of a section or Schedule listed in sub-paragraph (1) or (2), means the time when the amendment of the section or Schedule by Schedule 19 to this Act comes into force.

Codes etc required to be consistent with the Commissioner's data-sharing code

I5748
1 This paragraph applies in relation to the code of practice issued under each of the following provisions—
a section 19AC of the Registration Service Act 1953 (code of practice about disclosure of information by civil registration officials);
b section 43 of the Digital Economy Act 2017 (code of practice about disclosure of information to improve public service delivery);
c section 52 of that Act (code of practice about disclosure of information to reduce debt owed to the public sector);
d section 60 of that Act (code of practice about disclosure of information to combat fraud against the public sector);
e section 70 of that Act (code of practice about disclosure of information for research purposes).
2 During the relevant period, the code of practice does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 125(4) of this Act (as altered or replaced from time to time).
3 In this paragraph, “the relevant period”, in relation to a code issued under a section mentioned in sub-paragraph (1), means the period—
a beginning when the amendments of that section in Schedule 19 to this Act come into force, and
b ending when the code is first reissued under that section.
I40549
1 This paragraph applies in relation to the original statement published under section 45E of the Statistics and Registration Service Act 2007 (statement of principles and procedures in connection with access to information by the Statistics Board).
2 During the relevant period, the statement does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 125(4) of this Act (as altered or replaced from time to time).
3 In this paragraph, “the relevant period” means the period—
a beginning when the amendments of section 45E of the Statistics and Registration Service Act 2007 in Schedule 19 to this Act come into force, and
b ending when the first revised statement is published under that section.

Consumer Credit Act 1974

I84650In section 159(1)(a) of the Consumer Credit Act 1974 (correction of wrong information) (as amended by Schedule 19 to this Act), the reference to information given under Article 15(1) to (3) of the UK GDPR includes information given at any time under section 7 of the 1998 Act.

Freedom of Information Act 2000

I34651Paragraphs 52 to 55 make provision about the Freedom of Information Act 2000 (“the 2000 Act”).
I70152
1 This paragraph applies where a request for information was made to a public authority under the 2000 Act before the relevant time.
2 To the extent that the request is dealt with after the relevant time, the amendments of sections 2 and 40 of the 2000 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2000 Act.
3 To the extent that the request was dealt with before the relevant time—
a the amendments of sections 2 and 40 of the 2000 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2000 Act, but
b the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2000 Act as amended by Schedule 19 to this Act.
4 In this paragraph—
  • public authority” has the same meaning as in the 2000 Act;
  • the relevant time” means the time when the amendments of sections 2 and 40 of the 2000 Act in Schedule 19 to this Act come into force.
I24253
1 Tribunal Procedure Rules made under paragraph 7(1)(b) of Schedule 6 to the 1998 Act (appeal rights under the 2000 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 61 of the 2000 Act (as inserted by Schedule 19 to this Act).
2 In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(b) of Schedule 6 to the 1998 Act comes into force.
I25454
1 The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission before that time in relation to an appeal under the 2000 Act.
2 In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.
I66455
1 The amendment of section 77 of the 2000 Act in Schedule 19 to this Act (offence of altering etc record with intent to prevent disclosure: omission of reference to section 7 of the 1998 Act) does not affect the application of that section after the relevant time in relation to a case in which—
a the request for information mentioned in section 77(1) of the 2000 Act was made before the relevant time, and
b when the request was made, section 77(1)(b) of the 2000 Act was satisfied by virtue of section 7 of the 1998 Act.
2 In this paragraph, “the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force.

Freedom of Information (Scotland) Act 2002

I48156
1 This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 (“the 2002 Act”) before the relevant time.
2 To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.
3 To the extent that the request was dealt with before the relevant time—
a the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2002 Act, but
b the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.
4 In this paragraph—
  • Scottish public authority” has the same meaning as in the 2002 Act;
  • the relevant time” means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.

Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

I59457Until the first regulations under Article 5(4)(a) of the Access to Health Records (Northern Ireland) Order 1993 (as amended by Schedule 19 to this Act) come into force, the maximum amount of a fee that may be required for giving access under that Article is £10.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2450)

I27358
1 The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the PECR 2003”) (see regulation 2 of those Regulations).
2 Where subordinate legislation made under a provision of the 1998 Act is in force immediately before the repeal of that provision, neither the revocation of the subordinate legislation nor the repeal of the provision of the 1998 Act affect the application of the subordinate legislation for the purposes of the PECR 2003 after that time.
3 Part 3 of Schedule 19 to this Act (modifications) does not have effect in relation to the PECR 2003.
4 Part 7 of this Schedule does not have effect in relation to the provisions of the 1998 Act as applied by the PECR 2003.

Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003 (S.I. 2003/431 (N.I. 9))

I21859Part 3 of Schedule 19 to this Act (modifications) does not have effect in relation to the reference to an accessible record within the meaning of section 68 of the 1998 Act in Article 43 of the Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003.

Environmental Information Regulations 2004 (S.I. 2004/3391)

I40360
1 This paragraph applies where a request for information was made to a public authority under the Environmental Information Regulations 2004 (“the 2004 Regulations”) before the relevant time.
2 To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Parts 2 and 3 of those Regulations.
3 To the extent that the request was dealt with before the relevant time—
a the amendments of the 2004 Regulations in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Parts 2 and 3 of those Regulations, but
b the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with Parts 2 and 3 of those Regulations as amended by Schedule 19 to this Act.
4 In this paragraph—
  • public authority” has the same meaning as in the 2004 Regulations;
  • the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 19 to this Act come into force.

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

I60061
1 This paragraph applies where a request for information was made to a Scottish public authority under the Environmental Information (Scotland) Regulations 2004 (“the 2004 Regulations”) before the relevant time.
2 To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with those Regulations.
3 To the extent that the request was dealt with before the relevant time—
a the amendments of the 2004 Regulations in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with those Regulations, but
b the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with those Regulations as amended by Schedule 19 to this Act.
4 In this paragraph—
  • Scottish public authority” has the same meaning as in the 2004 Regulations;
  • the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 19 to this Act come into force.

C7SCHEDULE 21 

Further transitional provision etc

Section 213

Part 1 Interpretation

1 The applied GPDR

In this Schedule, “the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 before IP completion day.

Part 2 Continuation of existing acts etc

2 Merger of the directly applicable GDPR and the applied GDPR

1 On and after IP completion day, references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—
a the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, read with Chapter 2 of Part 2 of this Act as it had effect before IP completion day, and
b the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before IP completion day.
2 On and after IP completion day, references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before IP completion day.
3 Sub-paragraphs (1) and (2) have effect—
a in relation to references in this Act, except as otherwise provided;
b in relation to references in other enactments, unless the context otherwise requires.
3
1 Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, the applied GDPR or this Act—
a if in force or effective immediately before IP completion day, continues to be in force or effective on and after IP completion day, and
b if in the process of being done immediately before IP completion day, continues to be done on and after IP completion day.
2 References in this paragraph to anything done include references to anything omitted to be done.

Part 3 Transfers to third countries and international organisations

4 UK GDPR: transfers approved by regulations

1 On and after IP completion day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is to be treated as approved by regulations made under Article 45A of the UK GDPR if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—
a in the case of a third country, the country or a relevant territory or sector within the country, or
b in the case of an international organisation, the organisation.
2 Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).
3 The Secretary of State may by regulations—
a repeal sub-paragraphs (1) and (2) and paragraph 5;
b amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
c amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).
4 Regulations under this paragraph may, among other things——
a identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;
b confer a discretion on a person.
5 Regulations under this paragraph are subject to the negative resolution procedure.
F3566 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5
1 The following are specified for the purposes of paragraph 4(1)—
a an EEA state;
b Gibraltar;
c a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;
d an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;
e a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before IP completion day, had been repealed or was suspended;
f a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before IP completion day, had been repealed or was suspended.
2 The decisions mentioned in sub-paragraph (1)(e) are the following—
a Commission Decision 2000/518/EC of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;
b Commission Decision 2002/2/EC of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;
c Commission Decision 2003/490/EC of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;
d Commission Decision 2003/821/EC of 21st November 2003 on the adequate protection of personal data in Guernsey;
e Commission Decision 2004/411/EC of 28th April 2004 on the adequate protection of personal data in the Isle of Man;
f Commission Decision 2008/393/EC of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;
g Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;
h Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;
i Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;
j Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;
k Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;
m Commission Implementing Decision (EU) 2019/419 of 23rd January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information.
3 Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).
4 The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (5) and (6).
5 For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
6 For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—
a transfers from the European Union (or the European Community) or the European Economic Area, or
b transfers to which the EU GDPR applies,
it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).
6
1 In the provisions listed in sub-paragraph (2)—
a references to regulations made under Article 45A of the UK GDPR (other than references to making such regulations) include the provision made in paragraph 5;
b references to the revocation of such regulations include the repeal of all or part of paragraph 5.
2 Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1) and 49A(1) of the UK GDPR.
3 In its application to transfers treated as approved by virtue of paragraph 1, Article 45C(5) of the UK GDPR (transfers approved by regulations: monitoring) has effect as if the reference to Article 45A(4)(b) were omitted.

F4547 UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F798. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9 UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules

1 The requirement for safeguards to be provided under Article 46(1A)(a)(i) of the UK GDPR may be satisfied on and after IP completion day as described in sub-paragraphs (2) to (4), subject to sub-paragraph (5).
2 The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.
3 The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—
a all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU , of provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 or of the amendment of Chapter 5 of the UK GDPR by the Data (Use and Access) Act 2025, and
b none of the changes alters the effect of the rules.
4 The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
a changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
aa changing references to provision made by regulations under section 17A into references to provision made by regulations made under Article 45A of the UK GDPR;
b changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
5 Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).
5A For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—
a a valid notification of the rules has been made to the Commissioner,
b the Commissioner has approved them, and
c that approval has not been withdrawn.
5B A notification is valid if it—
a is made by a controller or processor established in the United Kingdom,
b is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and
c includes—
i the name and contact details of the data protection officer or other contact point for the controller or processor, and
ii such other information as the Commissioner may reasonably require.
5C Where a valid notification is made the Commissioner must, without undue delay—
a decide whether or not to approve the rules, and
b notify the controller or processor of that decision.
6 The Commissioner must keep the operation of this paragraph under review.
7 In this paragraph—
  • adequacy decision” means a decision made on the basis of—
    1. Article 45(3) of the EU GDPR, or
    2. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.
8 This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

10 Part 3 (law enforcement processing): transfers approved by regulations

1 On and after IP completion day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is to be treated as approved by regulations made under section 74AA if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—
a in the case of a third country, the country or a relevant territory or sector within the country, or
b in the case of an international organisation, the organisation.
2 Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).
3 The Secretary of State may by regulations—
a repeal sub-paragraphs (1) and (2) and paragraph 11;
b amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
c amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).
4 Regulations under this paragraph may, among other things—
a identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;
b confer a discretion on a person.
5 Regulations under this paragraph are subject to the negative resolution procedure.
F746 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
1 The following are specified for the purposes of paragraph 10(1)—
a an EEA state;
aa Switzerland;
b Gibraltar;
c a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before IP completion day, had been repealed or was suspended.
2 Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).
3 The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (4) and (5).
4 For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
5 For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—
a transfers from the European Union (or the European Community) or the European Economic Area, or
b transfers to which the Law Enforcement Directive applies,
it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).
12
1 In sections 74B and 76(A1)—
a references to regulations made under section 74AA (other than references to making such regulations) include the provision made in paragraph 11;
b references to the revocation of such regulations include the repeal of all or part of paragraph 11.
2 In its application to transfers treated as approved by virtue of paragraph 10, section 74B(7) (transfers approved by regulations: monitoring) has effect as if the reference to section 74AA(4)(b) were omitted.

Part 4 Repeal of provisions in Chapter 3 of Part 2

13 Applied GDPR: power to make provision in consequence of GDPR regulations

1 Regulations made under section 23 before IP completion day continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2 The provisions listed in section 186(3) include regulations made under section 23 before IP completion day (and not revoked).
3 Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.

14 Applied GDPR: national security certificates

1 This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before IP completion day.
2 A reference in the certificate to a provision of the applied GDPR has effect, on and after IP completion day, as it if were a reference to the corresponding provision of the UK GDPR or this Act.

Part 5 The Information Commissioner

15 Confidentiality of information

The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after IP completion day.

Part 6 Enforcement

16 GDPR: maximum amount of penalties

In relation to an infringement, before IP completion day, of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—
a Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted “ 20 million Euros ”;
b Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted “ 10 million Euros ”;
c the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.

17 GDPR: right to an effective remedy against the Commissioner

1 This paragraph applies where—
a proceedings are brought against a decision made by the Commissioner before IP completion day, and
b the Commissioner's decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.
2 The Commissioner must forward the Board's opinion or decision to the court or tribunal dealing with the proceedings.

Footnotes

  1. I1
    S. 7 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  2. I2
    S. 10 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  3. I3
    S. 12 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  4. I4
    S. 16 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  5. I5
    S. 24 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  6. I6
    S. 30 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  7. I7
    S. 35 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  8. I8
    S. 53 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  9. I9
    S. 54 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  10. I10
    S. 86 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  11. I11
    S. 94 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  12. I12
    S. 113 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  13. I13
    S. 137 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  14. I14
    S. 138 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  15. I15
    S. 149 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  16. I16
    S. 155 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  17. I17
    S. 159 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  18. I18
    S. 183 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  19. I19
    S. 188 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  20. I20
    S. 190 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  21. I21
    S. 191 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  22. I22
    S. 203 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  23. I23
    S. 211 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  24. I24
    S. 213(2) in force and s. 213(3) in force for specified purposes at Royal Assent, see s. 212(2)(e)(f)
  25. I25
    Sch. 2 para. 26 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  26. I26
    Sch. 18 para. 7 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  27. I27
    Sch. 19 para. 60 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  28. I28
    Sch. 19 para. 434 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  29. I29
    Sch. 2 para. 15 in force at Royal Assent for specified purposes, see s. 212(2)(f)
  30. I30
    S. 125 not in force at Royal Assent; s. 125 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)
  31. I31
    S. 126 not in force at Royal Assent; s. 126 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)
  32. I32
    S. 127 not in force at Royal Assent; s. 127 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)
  33. I33
    Sch. 19 para. 333 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  34. F1
    S. 119A(3)(aa) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 20(3) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  35. F2
    Words in s. 124(5) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 18(a); S.I. 2025/904, reg. 2(y)
  36. F3
    Words in s. 78(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(5)(a); S.I. 2026/82, reg. 2(z10)
  37. I34
    S. 103 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(c)
  38. I35
    Sch. 19 para. 368 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  39. I36
    Sch. 1 para. 40 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  40. F4
    Words in Sch. 2 Pt. 6 heading omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(22) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  41. F5
    S. 180A inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 104(3), 142(1); S.I. 2025/904, reg. 2(j)
  42. F6
    Words in s. 26(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  43. F7
    Words in s. 17(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  44. I37
    Sch. 19 para. 26 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  45. I38
    Sch. 19 para. 257 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  46. F8
    S. 66(3) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 84(5), 142(1); S.I. 2025/904, reg. 2(d)
  47. I39
    Sch. 19 para. 139 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  48. F9
    Words in Sch. 2 para. 26(9)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  49. I40
    Sch. 19 para. 32 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  50. I41
    Sch. 19 para. 289 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  51. F10
    Words in s. 78(1) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(3)(a); S.I. 2026/82, reg. 2(z10)
  52. I42
    Sch. 14 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  53. I43
    Sch. 19 para. 270 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  54. F11
    S. 3(9)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  55. I44
    Sch. 1 para. 29 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  56. I45
    Sch. 19 para. 69 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  57. F12
    S. 33(6A) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(3), 142(1); S.I. 2025/904, reg. 2(c)
  58. I46
    Sch. 20 para. 46 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  59. F13
    Words in Sch. 21 para. 10(4)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(8)(b) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  60. F14
    S. 182(9)(10) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(6) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  61. I47
    Sch. 19 para. 297 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  62. F15
    Words in s. 187(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  63. F16
    Words in Sch. 2 para. 4(2) substituted (8.3.2024) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 2(5)
  64. F17
    Words in s. 161(6) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 21; S.I. 2025/904, reg. 2(y)
  65. F18
    Word in s. 165(5)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  66. F19
    Words in s. 24(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  67. F20
    S. 136(1)(b) and word omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 94(3), 142(1); S.I. 2026/82, reg. 2(p)
  68. F21
    Words in s. 149(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  69. I48
    Sch. 19 para. 393 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  70. I49
    Sch. 19 para. 344 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  71. F22
    Sch. 16 para. 4(A1)(A2) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 101(3)(a), 142(1); S.I. 2026/82, reg. 2(t) (with reg. 6)
  72. I50
    Sch. 19 para. 204 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  73. F23
    Words in s. 190(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 84 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  74. F24
    Words in s. 183(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 78(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  75. C1
    Sch. 2 para. 11 table modified (28.1.2021 for specified purposes, 30.7.2022 in so far as not already in force) by The Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) Order 2021 (S.I. 2021/90), arts. 1(2)(3), 15(2)
  76. F25
    S. 135(A1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 94(2)(a), 142(1); S.I. 2026/82, reg. 2(p)
  77. I51
    Sch. 19 para. 224 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  78. F26
    Words in Sch. 2 para. 1(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  79. F27
    S. 83(A1) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(4)(a), 142(1); S.I. 2025/996, reg. 2(2)(b)
  80. F28
    S. 205(3) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  81. I52
    Sch. 19 para. 44 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  82. F29
    Words in s. 206 Table inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(9), 142(1); S.I. 2025/904, reg. 2(c)
  83. F30
    Words in s. 1(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 2(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  84. I53
    Sch. 19 para. 104 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  85. F31
    Words in s. 6(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 9 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  86. F32
    Words in Sch. 2 Pt. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(13) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  87. I54
    Sch. 7 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  88. F33
    S. 84(2A) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(5)(a), 142(1); S.I. 2025/996, reg. 2(2)(b)
  89. F34
    Words in Sch. 4 para. 1 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 94(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  90. I55
    Sch. 12 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  91. I56
    Sch. 19 para. 88 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  92. F35
    S. 45(4)(d) omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 88(4)(a), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  93. I57
    Sch. 20 para. 48 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  94. F36
    Words in s. 115(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  95. F37
    Word in s. 171(3)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 23(2); S.I. 2026/82, reg. 2(z12)
  96. I58
    Sch. 19 para. 140 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  97. I59
    Sch. 19 para. 334 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  98. F38
    Words in s. 74B(7) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(9)(a); S.I. 2026/82, reg. 2(z10)
  99. I60
    Sch. 16 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  100. F39
    S. 124A inserted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(2), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  101. I61
    Sch. 19 para. 239 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  102. I62
    Sch. 19 para. 222 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  103. I63
    Sch. 19 para. 401 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  104. I64
    Sch. 7 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  105. I65
    Sch. 19 para. 48 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  106. C2
    Sch. 16 applied (with modifications) by S.I. 2016/696, Sch. 2 (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 406 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g) (with reg. 4))
  107. I66
    Sch. 9 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  108. I67
    Sch. 10 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  109. I68
    S. 176 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  110. I69
    Sch. 19 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  111. F40
    Words in s. 78(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(3)(d); S.I. 2026/82, reg. 2(z10)
  112. F41
    Words in Sch. 21 para. 12(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(9)(b)(i) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  113. I70
    Sch. 20 para. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  114. I71
    Sch. 20 para. 37 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  115. I72
    Sch. 19 para. 55 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  116. I73
    Sch. 19 para. 42 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  117. F42
    S. 162(1)(ba) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(7), 142(1); S.I. 2026/82, reg. 2(s)
  118. F43
    Words in s. 149(2)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 15(a); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  119. F44
    Words in s. 15(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  120. I74
    Sch. 19 para. 101 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  121. I75
    Sch. 19 para. 127 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  122. F45
    Sch. 1 para. 23(3)(e) repealed (31.12.2020) by The European Parliamentary Elections Etc. (Repeal, Revocation, Amendment and Saving Provisions) (United Kingdom and Gibraltar) (EU Exit) Regulations 2018 (S.I. 2018/1310), reg. 1, Sch. 1 Pt. 1 (as amended by S.I. 2019/1389, regs. 1, 2(2))
  123. I76
    Sch. 7 para. 26 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  124. F46
    Words in s. 186(3) substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 106(4)(d)(i), 142(1); S.I. 2025/904, reg. 2(k)
  125. I77
    Sch. 19 para. 353 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  126. F47
    S. 146(3A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(2)(b), 142(1); S.I. 2026/82, reg. 2(q)
  127. I78
    Sch. 1 para. 34 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  128. I79
    Sch. 19 para. 217 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  129. I80
    Sch. 19 para. 95 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  130. I81
    Sch. 19 para. 305 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  131. F48
    Words in s. 171(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 72 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  132. F49
    Words in Sch. 2 para. 4(1) substituted (8.3.2024) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 2(2)
  133. F50
    Words in Sch. 3 para. 20(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(19) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  134. F51
    Sch. 2 para. 1(b)(ii) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 71(10), 142(1); S.I. 2026/82, reg. 2(d)
  135. F52
    Word in Sch. 2 para. 3(2)(b)(ii) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 29(3); S.I. 2026/82, reg. 2(z12)
  136. F53
    Words in s. 205(1) substituted (1.1.2024) by The Retained EU Law (Revocation and Reform) Act 2023 (Consequential Amendment) Regulations 2023 (S.I. 2023/1424), reg. 1(2), Sch. para. 87(a)
  137. I82
    Sch. 19 para. 210 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  138. I83
    Sch. 11 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  139. I84
    Sch. 20 para. 35 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  140. F54
    Word in s. 196(2) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(10), 142(1); S.I. 2026/82, reg. 2(s)
  141. F55
    S. 161A inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 102(4), 142(1); S.I. 2025/904, reg. 2(i)
  142. I85
    Sch. 7 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  143. I86
    Sch. 19 para. 331 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  144. C3
    Sch. 1 para. 6 modified by S.I. 1999/677, art. 7(1)(2) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 237 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  145. F56
    S. 51(1)(ba) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(7)(a), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  146. I87
    Sch. 19 para. 214 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  147. I88
    Sch. 19 para. 38 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  148. F57
    Words in s. 189(4)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 83(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  149. F58
    Words in s. 115(10) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  150. I89
    Sch. 1 para. 20 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  151. F59
    Words in s. 155(1)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(4), 142(1); S.I. 2026/82, reg. 2(s)
  152. I90
    Sch. 9 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  153. I91
    Sch. 19 para. 300 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  154. I92
    Sch. 19 para. 416 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  155. I93
    Sch. 19 para. 59 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  156. F60
    Words in s. 53(5) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 75(2)(b), 142(1); S.I. 2026/82, reg. 2(g)
  157. I94
    Sch. 19 para. 403 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  158. I95
    Sch. 19 para. 241 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  159. F61
    Words in s. 110(2)(a) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(9)(a), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  160. I96
    Sch. 19 para. 180 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  161. I97
    Sch. 8 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  162. I98
    Sch. 7 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  163. I99
    Sch. 19 para. 196 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  164. I100
    Sch. 19 para. 328 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  165. I101
    Sch. 19 para. 421 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  166. I102
    Sch. 7 para. 42 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  167. I103
    Sch. 5 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  168. I104
    Sch. 19 para. 427 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  169. F62
    S. 45 cross-heading omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 79(5), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  170. I105
    Sch. 19 para. 267 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  171. F63
    Words in s. 5(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  172. F64
    Words in s. 181 omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 24; S.I. 2025/904, reg. 2(y)
  173. C4
    S. 206: power to amend conferred (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Regulation (EU) 679/2016, Art. 11A(3) (as inserted by Data (Use and Access) Act 2025 (c. 18), ss. 74(1), 142(1)(2)(h); S.I. 2025/904, reg. 2(c))
  174. I106
    Sch. 20 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  175. F65
    Word in s. 205(5) substituted (1.1.2024) by The Retained EU Law (Revocation and Reform) Act 2023 (Consequential Amendment) Regulations 2023 (S.I. 2023/1424), reg. 1(2), Sch. para. 87(b)
  176. F66
    S. 155(1)(c) and word inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(4)(b), 142(1); S.I. 2026/82, reg. 2(q)
  177. I107
    Sch. 19 para. 134 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  178. I108
    Sch. 19 para. 349 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  179. F67
    Words in s. 213(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 90(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  180. F68
    S. 24(4)(ba) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 87(2)(a), 142(1); S.I. 2026/82, reg. 2(o)
  181. I109
    Sch. 7 para. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  182. I110
    Sch. 3 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  183. F69
    Words in s. 26(2)(f) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  184. I111
    Sch. 9 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  185. F70
    Words in s. 205(2)(e) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 23 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  186. F71
    Sch. 20 para. 18(8) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(4)(b) (with reg. 5) (as amended by S.I. 2020/1586, regs. 1(2), 5(3)); 2020 c. 1, Sch. 5 para. 1(1)
  187. I112
    Sch. 7 para. 35 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  188. F72
    Words in s. 15(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(5)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  189. I113
    Sch. 19 para. 302 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  190. I114
    Sch. 7 para. 47 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  191. F73
    S. 165(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  192. F74
    Sch. 21 para. 10(6) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(8)(c) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  193. I115
    Sch. 19 para. 313 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  194. F75
    Words in s. 16(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  195. I116
    Sch. 19 para. 63 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  196. C5
    Pts. 5-7 applied in part (with modifications) (5.2.2026) by S.I. 2003/2426, reg. 31, Sch. 1 (as substituted by Data (Use and Access) Act 2025 (c. 18), ss. 115(5)(8), 142(1), Sch. 13; S.I. 2026/82, reg. 2(y)(z14) (with regs. 8-11))
  197. F76
    Words in s. 115(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  198. I117
    Sch. 19 para. 135 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  199. F77
    Words in s. 142(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 59(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  200. F78
    S. 182(3)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 77 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  201. I118
    Sch. 19 para. 111 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  202. I119
    Sch. 13 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  203. I120
    Sch. 12 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  204. I121
    Sch. 19 para. 97 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  205. F79
    Sch. 21 para. 8 omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(5) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  206. I122
    Sch. 19 para. 381 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  207. I123
    Sch. 19 para. 110 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  208. I124
    Sch. 19 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  209. F80
    Words in s. 87(1)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 71(9)(a), 142(1); S.I. 2026/82, reg. 2(d)
  210. F81
    S. 74A omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 4(1); S.I. 2026/82, reg. 2(z10)
  211. F82
    Words in Sch. 3 para. 6(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  212. I125
    Sch. 20 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  213. F83
    Words in s. 15(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  214. I126
    Sch. 19 para. 287 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  215. F84
    Ss. 74AA, 74AB inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 8 para. 4(2); S.I. 2026/82, reg. 2(z10)
  216. I127
    Sch. 7 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  217. I128
    S. 158 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  218. F85
    S. 19 and cross-heading omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 86(6), 142(1); S.I. 2026/82, reg. 2(n)
  219. F86
    Word in s. 171(6)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 23(3); S.I. 2026/82, reg. 2(z12)
  220. I129
    Sch. 19 para. 122 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  221. F87
    Words in s. 5(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  222. I130
    Sch. 15 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  223. I131
    Sch. 19 para. 232 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  224. I132
    Sch. 19 para. 207 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  225. I133
    Sch. 16 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  226. F88
    Words in Sch. 5 para. 4(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 95(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  227. F89
    Words in s. 24(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  228. I134
    Sch. 7 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  229. I135
    Sch. 19 para. 304 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  230. F90
    Words in s. 79(8) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(f)(ii), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  231. F91
    Word in s. 104(1) substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(6), 142(1); S.I. 2025/996, reg. 2(2)(b)
  232. F92
    Words in s. 75(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 6(6); S.I. 2026/82, reg. 2(z10)
  233. I136
    Sch. 2 para. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  234. F93
    Words in Sch. 3 para. 8(1)(b) substituted (30.11.2022) by The Health and Social Care Act (Northern Ireland) 2022 (Consequential Amendments) Order 2022 (S.I. 2022/1174), arts. 1(2), 12(3)(a)
  235. I137
    Sch. 19 para. 33 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  236. F94
    Words in s. 26(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  237. F95
    S. 205(2)(za) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  238. I138
    Sch. 19 para. 118 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  239. F96
    Words in s. 72(1)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 2(b); S.I. 2026/82, reg. 2(z10)
  240. F97
    Words in s. 206 Table inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 86(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  241. I139
    Sch. 19 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  242. I140
    Sch. 19 para. 149 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  243. I141
    Sch. 19 para. 405 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  244. C6
    Sch. 15 applied (with modifications) by S.I. 2016/696, Sch. 2 (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 406 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g) (with reg. 4))
  245. I142
    Sch. 19 para. 121 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  246. F98
    Words in s. 157(4) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(5), 142(1); S.I. 2026/82, reg. 2(s)
  247. F99
    Word in Sch. 16 para. 4(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 101(3)(b)(i), 142(1); S.I. 2026/82, reg. 2(t) (with reg. 6)
  248. I143
    Sch. 2 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  249. I144
    Sch. 19 para. 280 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  250. F100
    Words in s. 26(2)(g)(ii) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(e)(i) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  251. I145
    Sch. 8 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  252. I146
    Sch. 1 para. 24 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  253. I147
    Sch. 19 para. 78 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  254. I148
    Sch. 19 para. 106 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  255. I149
    Sch. 19 para. 413 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  256. I150
    Sch. 19 para. 205 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  257. I151
    S. 112 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  258. I152
    Sch. 10 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  259. I153
    Sch. 19 para. 141 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  260. I154
    S. 110 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  261. F101
    S. 4(3) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 5(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  262. F102
    Pt. 2 Ch. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 27 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  263. I155
    Sch. 9 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  264. F103
    Word in s. 21(5)(a) omitted (25.1.2023) by virtue of Advanced Research and Invention Agency Act 2022 (c. 4), s. 13(1), Sch. 3 para. 15(2)(a); S.I. 2023/58, reg. 2
  265. I156
    Sch. 19 para. 151 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  266. F104
    Words in Sch. 2 para. 26(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  267. F105
    Words in Sch. 3 para. 19 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(17) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  268. F106
    Words in s. 1(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 2(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  269. I157
    Sch. 15 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  270. I158
    Sch. 19 para. 120 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  271. I159
    Sch. 20 para. 24 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  272. F107
    Words in s. 181 inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(9), 142(1); S.I. 2026/82, reg. 2(s)
  273. F108
    Words in s. 24(2)(c) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 16(a) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  274. I160
    Sch. 19 para. 306 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  275. I161
    Sch. 19 para. 250 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  276. I162
    S. 161 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  277. I163
    Sch. 19 para. 404 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  278. I164
    Sch. 19 para. 376 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  279. C7
    Sch. 21: power to amend conferred (19.6.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 142(2)(g), 143(2)
  280. I165
    Sch. 19 para. 192 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  281. F109
    Words in s. 72(1)(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 2(a); S.I. 2026/82, reg. 2(z10)
  282. F110
    Word in Sch. 21 para. 12(1)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(9)(b)(ii) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  283. I166
    Sch. 19 para. 243 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  284. I167
    Sch. 19 para. 34 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  285. I168
    Sch. 19 para. 87 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  286. I169
    Sch. 19 para. 411 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  287. I170
    Sch. 19 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  288. F111
    Words in s. 24(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  289. F112
    S. 139A inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 95, 142(1); S.I. 2025/904, reg. 2(h)
  290. F113
    S. 82(A1) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 89(2)(a), 142(1); S.I. 2025/996, reg. 2(2)(a)
  291. I171
    Sch. 15 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  292. F114
    Words in Sch. 2 para. 1(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  293. I172
    S. 154 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  294. F115
    Words in s. 5(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  295. I173
    Sch. 19 para. 286 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  296. F116
    S. 77 cross-heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 8; S.I. 2026/82, reg. 2(z10)
  297. F117
    S. 183(2A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 78(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  298. F118
    Words in s. 24(5)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  299. I174
    Sch. 19 para. 299 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  300. F119
    Words in Sch. 21 para. 6(1)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(4)(a) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  301. F120
    S. 128 omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 92(5), 142(1); S.I. 2025/904, reg. 2(f)
  302. F121
    Words in s. 77(8) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 44 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  303. I175
    Sch. 19 para. 169 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  304. I176
    Sch. 19 para. 143 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  305. I177
    Sch. 19 para. 46 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  306. F122
    Words in Sch. 18 para. 1(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 99(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  307. I178
    Sch. 1 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  308. F123
    Word in s. 86(7) substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(7)(b), 142(1); S.I. 2025/904, reg. 2(c)
  309. F124
    Words in s. 125(8) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 19(3); S.I. 2025/904, reg. 2(y)
  310. I179
    Sch. 20 para. 23 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  311. F125
    Words in s. 26(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  312. I180
    Sch. 11 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  313. I181
    Sch. 19 para. 157 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  314. I182
    Sch. 19 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  315. F126
    Words in Sch. 4 para. 1 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 94(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  316. I183
    Sch. 19 para. 123 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  317. F127
    Words in s. 36(1)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 71(8)(a), 142(1); S.I. 2026/82, reg. 2(d)
  318. I184
    S. 163 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  319. I185
    Sch. 19 para. 103 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  320. I186
    Sch. 19 para. 228 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  321. I187
    Sch. 7 para. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  322. F128
    S. 120(2A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 52(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  323. F129
    S. 139(2A) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 102(2), 142(1); S.I. 2025/904, reg. 2(i)
  324. F130
    Words in s. 205(2) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  325. F131
    Words in s. 25(2)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  326. F132
    Words in s. 115(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  327. F133
    Words in Sch. 2 Pt. 1 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  328. I188
    Sch. 19 para. 434 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(g)
  329. I189
    Sch. 7 para. 46 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  330. I190
    Sch. 19 para. 66 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  331. I191
    Sch. 19 para. 341 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  332. F134
    Words in s. 115(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  333. I192
    Sch. 19 para. 395 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  334. F135
    Words in s. 17(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  335. F136
    S. 76(A1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(3); S.I. 2026/82, reg. 2(z10)
  336. I193
    Sch. 19 para. 131 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  337. F137
    Words in s. 25(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  338. F138
    Words in s. 169(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 70 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  339. I194
    Sch. 19 para. 310 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  340. I195
    Sch. 12 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  341. F139
    Words in s. 26(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  342. I196
    S. 125 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(b)
  343. F140
    Words in s. 187(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  344. I197
    Sch. 7 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  345. I198
    Sch. 19 para. 325 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  346. F141
    Words in s. 115(2) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  347. F142
    Words in s. 3(9)(d) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 107(2), 142(1); S.I. 2025/904, reg. 2(l)
  348. F143
    Words in s. 74B(4) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(5); S.I. 2026/82, reg. 2(z10)
  349. F144
    Words in s. 120(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 52(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  350. I199
    Sch. 19 para. 371 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  351. I200
    Sch. 19 para. 223 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  352. F145
    S. 73(1)(c) and word inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(3)(c); S.I. 2026/82, reg. 2(z10)
  353. F146
    Words in Sch. 2 Pt. 4 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(15) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  354. F147
    S. 84(6B) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(5)(b), 142(1); S.I. 2025/996, reg. 2(2)(b)
  355. F148
    Words in s. 15(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  356. F149
    Sum in s. 157(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  357. I201
    Sch. 7 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  358. I202
    Sch. 20 para. 45 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  359. I203
    Sch. 19 para. 363 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  360. F150
    Words in s. 3(10) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  361. F151
    S. 3(14)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  362. I204
    Sch. 7 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  363. F152
    Words in s. 125(3) substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(3)(c), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  364. F153
    Words in Sch. 2 Pt. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  365. I205
    Sch. 19 para. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  366. F154
    Words in s. 80(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 46(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  367. F155
    Words in Sch. 1 para. 39(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  368. I206
    Sch. 19 para. 215 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  369. F156
    Words in Sch. 2 para. 4(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  370. I207
    Sch. 19 para. 176 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  371. F157
    Word in s. 135(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 94(2)(d), 142(1); S.I. 2026/82, reg. 2(p)
  372. I208
    Sch. 19 para. 43 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  373. F158
    S. 2(2) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 91(2), 142(1); S.I. 2025/904, reg. 2(e)
  374. F159
    S. 75(4)-(7) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 6(7); S.I. 2026/82, reg. 2(z10)
  375. F160
    Ss. 82A-82E inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 89(3), 142(1); S.I. 2025/996, reg. 2(2)(a)
  376. F161
    Words in Sch. 21 para. 9(3)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(6)(b)(ii) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  377. I209
    Sch. 19 para. 308 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  378. I210
    Sch. 2 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  379. F162
    Words in s. 17(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  380. F163
    Words in Sch. 13 para. 1(1)(g) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  381. F164
    S. 15(4A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(11) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  382. F165
    S. 48(8) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 38 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  383. F166
    Words in s. 124(5) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 18(b); S.I. 2025/904, reg. 2(y)
  384. I211
    Sch. 1 para. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  385. F167
    Word in s. 16(2)(a)(ii) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  386. I212
    Sch. 1 para. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  387. F168
    Sch. 19 para. 76 omitted (29.3.2019) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(3), Sch. 4 para. 3
  388. F169
    S. 71A and cross-heading inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 84(6), 142(1); S.I. 2025/904, reg. 2(d)
  389. F170
    Words in s. 185(4)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 79 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  390. F171
    Sch. 7 para. 15A inserted (1.5.2022 for specified purposes, 5.12.2022 in so far as not already in force) by Armed Forces Act 2021 (c. 35), s. 24(1), Sch. 5 para. 49; S.I. 2022/471, reg. 2(e); S.I. 2022/1095, reg. 4
  391. I213
    S. 123 in force at 23.7.2018 by S.I. 2018/625, reg. 3(a)
  392. C8
    Sch. 1 para. 6 modified by S.I. 2007/1118, art. 5(1)(2) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 324 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  393. F172
    Words in s. 15(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  394. F173
    Words in s. 45(7)(a) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(4)(c), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  395. F174
    Words in s. 115(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  396. F175
    Word in s. 155(1)(a) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 98(4)(a), 142(1); S.I. 2026/82, reg. 2(q)
  397. F176
    Word in s. 129(3) substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(6), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  398. F177
    Words in s. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  399. I214
    Sch. 20 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  400. F178
    Words in s. 73(4)(b)(i) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(5)(b); S.I. 2026/82, reg. 2(z10)
  401. F179
    Words in s. 15(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(10)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  402. I215
    Sch. 19 para. 423 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  403. F180
    Words in s. 182(6) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(3) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  404. F181
    Sch. 2 para. 28(4) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  405. I216
    Sch. 19 para. 40 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  406. I217
    Sch. 19 para. 406 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g) (with reg. 4)
  407. I218
    Sch. 20 para. 59 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  408. I219
    Sch. 19 para. 290 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  409. I220
    Sch. 20 para. 38 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  410. I221
    Sch. 20 para. 20 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  411. I222
    Sch. 19 para. 45 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  412. F182
    Words in s. 5(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  413. F183
    Word in s. 16(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  414. F184
    Words in s. 7(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 10(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  415. I223
    Sch. 19 para. 102 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  416. F185
    Words in s. 187(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  417. F186
    Sch. 21 para. 12 renumbered as Sch. 21 para. 12(1) (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(9)(a) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  418. I224
    Sch. 19 para. 252 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  419. I225
    Sch. 2 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  420. I226
    Sch. 10 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  421. I227
    S. 127 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(d)
  422. I228
    Sch. 19 para. 425 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  423. I229
    Sch. 1 para. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  424. I230
    Sch. 8 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  425. F187
    S. 78A inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(7), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  426. I231
    Sch. 10 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  427. I232
    Sch. 19 para. 230 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  428. I233
    Sch. 7 para. 30 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  429. F188
    Pt. 2 Ch. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 7 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  430. F189
    S. 78(7) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(10); S.I. 2026/82, reg. 2(z10)
  431. I234
    Sch. 19 para. 119 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  432. I235
    Sch. 19 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  433. F190
    Words in s. 207(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  434. F191
    Words in s. 24(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  435. F192
    Words and comma in s. 117 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 49(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  436. C9
    Sch. 1 para. 6 modified by S.I. 1999/3145, art. 9(1)(2) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 238 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  437. I236
    Sch. 19 para. 162 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  438. F193
    S. 82(4) inserted (19.6.2025 for specified purposes, 17.11.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 89(2)(d), 142(1)(2)(h); S.I. 2025/996, reg. 2(2)(a)
  439. F194
    Words in s. 7(4) substituted (25.1.2023) by Advanced Research and Invention Agency Act 2022 (c. 4), s. 13(1), Sch. 3 para. 14(b); S.I. 2023/58, reg. 2
  440. F195
    Words in s. 8 omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 70(7), 142(1); S.I. 2026/82, reg. 2(c)
  441. F196
    Words in Sch. 21 para. 10(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(8)(a) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  442. F197
    Word in s. 203(1) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(8), 142(1); S.I. 2025/996, reg. 2(2)(b)
  443. F198
    S. 79(3A) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(b), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  444. F199
    Words in Sch. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  445. F200
    S. 54(3A)-(3D) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(6)(c), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  446. F201
    Words in Sch. 2 para. 27(3)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 87(2)(c)(i), 142(1); S.I. 2026/82, reg. 2(o)
  447. I237
    S. 175 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  448. F202
    Words in s. 15(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  449. F203
    Sch. 2 para. 4(1A)-(1C) inserted (31.1.2022) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(b)
  450. F204
    Words in s. 1(5) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(2), 142(1); S.I. 2025/996, reg. 2(2)(b)
  451. I238
    Sch. 19 para. 384 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  452. I239
    Sch. 19 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  453. I240
    Sch. 19 para. 184 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  454. F205
    Words in s. 206 Table inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(11), 142(1); S.I. 2026/82, reg. 2(s)
  455. F206
    Sch. 21 para. 6(3) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(4)(c) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  456. F207
    Words in Sch. 3 para. 11 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(12) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  457. F208
    Word in Sch. 11 para. 2(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 31; S.I. 2026/82, reg. 2(z12)
  458. I241
    Sch. 11 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  459. F209
    Words in s. 206 Table inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 117(5), 142(1); S.I. 2025/904, reg. 2(r)
  460. I242
    Sch. 20 para. 53 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  461. I243
    Sch. 19 para. 71 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  462. I244
    Sch. 19 para. 96 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  463. F210
    S. 3(11) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  464. F211
    Words in s. 18 heading inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 24(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  465. F212
    Words in s. 78(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(5)(b); S.I. 2026/82, reg. 2(z10)
  466. I245
    Sch. 7 para. 50 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  467. F213
    Word in s. 205(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  468. I246
    Sch. 19 para. 277 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  469. F214
    Words in s. 202(1)(a)(i) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(7), 142(1); S.I. 2025/996, reg. 2(2)(b)
  470. F215
    Words in s. 5(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  471. I247
    Sch. 1 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  472. F216
    Words in s. 16(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(2)(b)(ii) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  473. I248
    Sch. 20 para. 47 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  474. I249
    Sch. 19 para. 399 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  475. F217
    Words in s. 110(2)(b) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(9)(b), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  476. I250
    Sch. 15 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  477. F218
    Words in s. 44(7)(a) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(3)(c), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  478. I251
    Sch. 19 para. 409 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  479. F219
    Words in Sch. 1 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  480. I252
    Sch. 19 para. 226 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  481. I253
    Sch. 19 para. 93 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  482. I254
    Sch. 20 para. 54 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  483. F220
    Words in s. 75(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 6(5); S.I. 2026/82, reg. 2(z10)
  484. F221
    Words in s. 79(7) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(e)(i), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  485. F222
    Words in s. 79(7) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(e)(ii), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  486. I255
    Sch. 19 para. 317 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  487. I256
    Sch. 19 para. 379 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  488. F223
    Words in s. 125(9) substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 19(4); S.I. 2025/904, reg. 2(y)
  489. F224
    Words in Sch. 19 para. 431(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 100(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  490. F225
    Words in s. 155(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 63 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  491. F226
    Words in s. 76(1)(e) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(4)(d); S.I. 2026/82, reg. 2(z10)
  492. I257
    Sch. 19 para. 61 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  493. I258
    Sch. 19 para. 294 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  494. F227
    Words in s. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  495. F228
    S. 186(3)(ca) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(10), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  496. I259
    Sch. 19 para. 342 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  497. F229
    Words in Sch. 2 para. 28(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 87(2)(c)(ii), 142(1); S.I. 2026/82, reg. 2(o)
  498. F230
    Words in s. 159(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 65 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  499. F231
    S. 3(9)(e) and word omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 14(b); S.I. 2025/904, reg. 2(y)
  500. I260
    Sch. 20 para. 31 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  501. I261
    Sch. 19 para. 346 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  502. F232
    Words in s. 15(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  503. F233
    Words in s. 74B(6)(a) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(7)(a); S.I. 2026/82, reg. 2(z10)
  504. F234
    Words in s. 83(1) substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(4)(b), 142(1); S.I. 2025/996, reg. 2(2)(b)
  505. I262
    Sch. 19 para. 392 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  506. I263
    Sch. 19 para. 91 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  507. F235
    S. 16(2)(c) and word inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  508. F236
    Words in s. 165(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  509. F237
    Words in s. 54(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(6)(b)(i), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  510. I264
    Sch. 19 para. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  511. F238
    Words in s. 87(1)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 71(9)(b)(i), 142(1); S.I. 2026/82, reg. 2(d)
  512. F239
    S. 3(9)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  513. I265
    Sch. 19 para. 231 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  514. I266
    Sch. 19 para. 264 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  515. F240
    Words in s. 13(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 16 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  516. I267
    Sch. 19 para. 114 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  517. I268
    Sch. 10 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  518. F241
    Words in Sch. 16 para. 4(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 101(3)(b)(ii), 142(1); S.I. 2026/82, reg. 2(t) (with reg. 6)
  519. I269
    Sch. 19 para. 236 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  520. F242
    Words in s. 185(4)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 79 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  521. I270
    Sch. 19 para. 324 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  522. I271
    Sch. 3 para. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  523. I272
    Sch. 19 para. 200 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  524. F243
    Words in s. 79(5) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(d), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  525. I273
    Sch. 20 para. 58 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  526. I274
    Sch. 7 para. 33 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  527. I275
    Sch. 7 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  528. F244
    Words in Sch. 2 para. 18 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(17) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  529. I276
    Sch. 9 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  530. F245
    Words in s. 78(6) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(9)(a); S.I. 2026/82, reg. 2(z10)
  531. F246
    Words in Sch. 21 para. 9(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(6)(a)(i) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  532. I277
    Sch. 15 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  533. I278
    Sch. 7 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  534. I279
    S. 190 in force at 23.7.2018 in so far as not already in force by S.I. 2018/625, reg. 3(g)
  535. F247
    Words in s. 16(1)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(2)(b)(i) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  536. I280
    Sch. 19 para. 429 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  537. I281
    Sch. 19 para. 36 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  538. I282
    Sch. 19 para. 311 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  539. F248
    Words in Sch. 2 para. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  540. F249
    Words in s. 78(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 45(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  541. F250
    S. 48(3)(d) omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 88(5)(a), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  542. I283
    Sch. 1 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  543. I284
    Sch. 19 para. 253 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  544. F251
    Words in s. 7(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 10(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  545. I285
    Sch. 12 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  546. I286
    S. 148 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  547. F252
    S. 9A and cross-heading inserted (19.6.2025 for specified purposes, 20.8.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 72(7), 142(1)(2)(h); S.I. 2025/904, reg. 2(b); S.I. 2026/82, reg. 2(e)
  548. I287
    Sch. 1 para. 30 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  549. F253
    Words in s. 115 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  550. F254
    Words in s. 13(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 16 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  551. I288
    Sch. 20 para. 41 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  552. F255
    Words in s. 206 Table omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 86(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  553. I289
    Sch. 7 para. 40 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  554. F256
    S. 77 heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 9(2); S.I. 2026/82, reg. 2(z10)
  555. I290
    Sch. 19 para. 272 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  556. F257
    Words in s. 10(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 13(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  557. F258
    S. 67(8) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 39 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  558. F259
    Sch. 18 para. 4(3)(a)(ia) inserted (1.12.2020) by Sentencing Act 2020 (c. 17), s. 416(1), Sch. 24 para. 297 (with Sch. 27); S.I. 2020/1236, reg. 2
  559. F260
    Words in Sch. 13 para. 1(1)(f) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  560. F261
    Words in Sch. 2 para. 4(1C) substituted (8.3.2024) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 2(4)(b)
  561. I291
    Sch. 19 para. 60 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(g)
  562. F262
    Words in Sch. 3 para. 7(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  563. F263
    S. 21(5)(c) and word inserted (25.1.2023) by Advanced Research and Invention Agency Act 2022 (c. 4), s. 13(1), Sch. 3 para. 15(2)(b); S.I. 2023/58, reg. 2
  564. I292
    Sch. 19 para. 82 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  565. I293
    Sch. 20 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  566. F264
    Words in Sch. 5 para. 6(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 95(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  567. I294
    Sch. 19 para. 67 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  568. F265
    S. 73(A1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(2); S.I. 2026/82, reg. 2(z10)
  569. F266
    Words in Sch. 4 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 94(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  570. I295
    Sch. 19 para. 288 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  571. F267
    Words in Sch. 1 para. 23(4) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 73, 142(1); S.I. 2026/82, reg. 2(f)
  572. F268
    Words in s. 168(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 69(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  573. I296
    Sch. 19 para. 293 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  574. I297
    Sch. 19 para. 254 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  575. I298
    Sch. 19 para. 295 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  576. F269
    Words in s. 166(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 67 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  577. F270
    S. 205(1A) substituted (31.12.2023 immediately before the end of 2023) by The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (S.I. 2023/1417), regs. 1(2), 3(3)
  578. F271
    S. 78A(2)(e)(ia) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 19 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  579. F272
    Words in s. 8 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 11 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  580. F273
    Sch. 21 inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 102 (with reg. 5, Sch. 3 para. 111(6)) (as amended by S.I. 2020/1586, regs. 1(2), 5(4)); 2020 c. 1, Sch. 5 para. 1(1)
  581. I299
    Sch. 18 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  582. I300
    Sch. 19 para. 164 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  583. F274
    Words in s. 24(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  584. F275
    Words in s. 24(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  585. I301
    Sch. 19 para. 361 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  586. I302
    Sch. 19 para. 359 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  587. F276
    Words in s. 74B(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(4); S.I. 2026/82, reg. 2(z10)
  588. I303
    Sch. 7 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  589. I304
    Sch. 5 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  590. F277
    Words in s. 26(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  591. F278
    S. 84(6A) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(6), 142(1); S.I. 2025/904, reg. 2(c)
  592. I305
    Sch. 19 para. 126 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  593. F279
    Words in s. 15(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(10)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  594. F280
    Words in s. 33(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 37 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  595. F281
    S. 75(1) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 6(3); S.I. 2026/82, reg. 2(z10)
  596. I306
    S. 144 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  597. F282
    Words in s. 125(1) substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(3)(b), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  598. F283
    Words in Sch. 2 para. 3(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  599. F284
    Words in s. 53(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 14(3); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  600. F285
    Words in Sch. 1 para. 24(1)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 28(6); S.I. 2026/82, reg. 2(z12)
  601. F286
    Words in s. 115(8)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  602. F287
    S. 22 and cross-heading omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 30 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  603. I307
    Sch. 15 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  604. I308
    Sch. 19 para. 415 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  605. F288
    Words in s. 183A(4) substituted (29.1.2026) by The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (S.I. 2026/82), reg. 12(2)
  606. I309
    Sch. 19 para. 108 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  607. C10
    S. 205: power to amend conferred (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Regulation (EU) 679/2016, Art. 11A(3) (as inserted by Data (Use and Access) Act 2025 (c. 18), ss. 74(1), 142(1)(2)(h); S.I. 2025/904, reg. 2(c))
  608. I310
    Sch. 7 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  609. I311
    Sch. 19 para. 301 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  610. I312
    Sch. 19 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  611. I313
    Sch. 16 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  612. I314
    Sch. 19 para. 391 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  613. F289
    Words in s. 115(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  614. I315
    Sch. 12 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  615. I316
    Sch. 19 para. 259 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  616. F290
    Words in Sch. 17 para. 4 substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(12)(b)(iii), 142(1); S.I. 2026/82, reg. 2(s)
  617. I317
    Sch. 19 para. 388 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  618. F291
    Words in s. 24(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(4)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  619. F292
    Words in s. 10(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 13(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  620. F293
    Words in s. 10(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 13(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  621. F294
    S. 183B inserted (1.1.2024) by Data (Use and Access) Act 2025 (c. 18), ss. 106(3)(7), 142(1); S.I. 2025/904, reg. 2(k)
  622. I318
    Sch. 19 para. 420 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  623. F295
    Sch. 3 para. 8(1)(c)(i)(ia) substituted for Sch. 3 para. 8(1)(c)(i) (30.11.2022) by The Health and Social Care Act (Northern Ireland) 2022 (Consequential Amendments) Order 2022 (S.I. 2022/1174), arts. 1(2), 12(3)(b)
  624. I319
    Sch. 12 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  625. F296
    Words in s. 15(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(9)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  626. I320
    Sch. 19 para. 128 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  627. I321
    Sch. 12 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  628. I322
    Sch. 19 para. 408 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  629. F297
    Sch. 18 para. 4(8) inserted (17.12.2021) by The Age of Criminal Responsibility (Scotland) Act 2019 (Consequential Provisions and Modifications) Order 2021 (S.I. 2021/1458), arts. 1(1), 8(b)
  630. F298
    Words in s. 165(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 66(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  631. F299
    S. 80(5)(6)(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 46(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  632. I323
    Sch. 19 para. 370 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  633. F300
    Words in s. 205(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  634. I324
    Sch. 19 para. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  635. I325
    Sch. 19 para. 154 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  636. F301
    Words in s. 74B(6)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(7)(c); S.I. 2026/82, reg. 2(z10)
  637. I326
    Sch. 5 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  638. I327
    Sch. 2 para. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  639. F302
    Words in s. 79(11) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(h), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  640. I328
    Sch. 15 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  641. I329
    Sch. 11 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  642. F303
    Words in s. 25(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  643. F304
    Words in s. 73(1)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 40(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  644. F305
    Word in s. 157(2)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  645. F306
    Words in s. 3(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  646. I330
    Sch. 19 para. 152 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  647. I331
    Sch. 19 para. 377 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  648. F307
    Words in s. 97(4)(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 80(5)(b), 142(1); S.I. 2026/82, reg. 2(j) (with reg. 5)
  649. I332
    Sch. 1 para. 32 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  650. I333
    Sch. 7 para. 36 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  651. I334
    Sch. 20 para. 29 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  652. I335
    Sch. 19 para. 348 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  653. F308
    Words in Sch. 2 Pt. 5 heading omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(20) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  654. I336
    Sch. 19 para. 178 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  655. I337
    Sch. 20 para. 33 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  656. F309
    Words in s. 12(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 15 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  657. I338
    Sch. 7 para. 31 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  658. I339
    Sch. 7 para. 55 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  659. C11
    Act applied (18.3.2022) by The Cumbria (Structural Changes) Order 2022 (S.I. 2022/331), arts. 1(1), 18(2)(e)
  660. I340
    Sch. 19 para. 271 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  661. F310
    Sch. 2 para. 26(9)(e) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  662. F311
    S. 17B omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 13 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  663. F312
    Words in Sch. 2 para. 25(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(19)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  664. I341
    Sch. 19 para. 138 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  665. I342
    Sch. 19 para. 158 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  666. F313
    S. 204(2)(a) substituted (2.12.2019 at 00:01) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 227(3) (with ss. 117, 209, 210); S.I. 2019/1434, reg. 2(b)
  667. I343
    Sch. 19 para. 90 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  668. I344
    Sch. 19 para. 417 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  669. I345
    Sch. 11 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  670. F314
    Word in s. 78(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(3)(b); S.I. 2026/82, reg. 2(z10)
  671. F315
    Ss. 164A, 164B inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 103(2), 142(1)(2)(h)
  672. F316
    Words in s. 167(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 68 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  673. F317
    Words in Sch. 3 para. 12(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(14) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  674. I346
    Sch. 20 para. 51 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  675. F318
    Words in Sch. 2 para. 12 omitted (31.12.2020) by virtue of The Consumer Protection (Enforcement) (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/203), regs. 1, 5(b); 2020 c. 1, Sch. 5 para. 1(1)
  676. F319
    Words in s. 187(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  677. F320
    Words in s. 117 inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 49(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  678. I347
    Sch. 19 para. 203 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  679. I348
    Sch. 19 para. 338 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  680. I349
    Sch. 19 para. 22 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  681. F321
    S. 186 heading substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 106(4)(a), 142(1); S.I. 2025/904, reg. 2(k)
  682. I350
    Sch. 15 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  683. I351
    Sch. 19 para. 414 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  684. F322
    Words in s. 210(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 89 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  685. I352
    Sch. 19 para. 124 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  686. I353
    Sch. 1 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  687. I354
    Sch. 19 para. 175 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  688. F323
    Sch. 2 para. 4(1B) omitted (8.3.2024) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 2(3)
  689. I355
    Sch. 15 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  690. F324
    Words in s. 187(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  691. F325
    Words in s. 79(4) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(c), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  692. I356
    Sch. 19 para. 291 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  693. F326
    Word in s. 170(2)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 22; S.I. 2026/82, reg. 2(z12)
  694. F327
    S. 114A and cross-heading inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 117(2), 142(1); S.I. 2025/904, reg. 2(r)
  695. I357
    Sch. 19 para. 283 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  696. I358
    Sch. 19 para. 364 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  697. F328
    Words in Sch. 2 para. 10(2)(c)(iv) inserted (E.W.) (23.7.2019) by Public Services Ombudsman (Wales) Act 2019 (anaw 3), s. 77(1), Sch. 5 para. 28; S.I. 2019/1096, reg. 2
  698. F329
    S. 14 omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 11; S.I. 2026/82, reg. 2(z8) (with reg. 5)
  699. I359
    S. 146 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  700. F330
    S. 205(2)(la) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 117(4)(b), 142(1); S.I. 2025/904, reg. 2(r)
  701. F331
    Words in s. 52(6) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 13(6); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  702. F332
    Words in s. 151(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 62 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  703. F333
    Words in s. 168 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 69(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  704. F334
    Words in s. 76(1)(d) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(4)(c); S.I. 2026/82, reg. 2(z10)
  705. F335
    Words in s. 204(1)(g) omitted (2.12.2019 at 00:01) by virtue of Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 227(2)(b) (with ss. 117, 209, 210); S.I. 2019/1434, reg. 2(b)
  706. I360
    Sch. 19 para. 245 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  707. F336
    Words in Sch. 21 para. 4(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(3)(a) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  708. I361
    Sch. 10 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  709. F337
    Words in s. 143(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 60 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  710. F338
    S. 160(5A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(6)(b), 142(1); S.I. 2026/82, reg. 2(s)
  711. I362
    Sch. 19 para. 260 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  712. F339
    Words in s. 189(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 83(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  713. I363
    S. 102 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(b)
  714. F340
    Word in s. 120(1)(b) omitted (31.12.2023 immediately before the end of 2023) by virtue of The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (S.I. 2023/1417), regs. 1(2), 3(2)
  715. F341
    Words in s. 209(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 88 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  716. I364
    Sch. 14 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  717. F342
    Words in Sch. 2 para. 2(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  718. I365
    Sch. 19 para. 62 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  719. I366
    Sch. 19 para. 426 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  720. F343
    S. 17C omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 14 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  721. I367
    Sch. 20 para. 43 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  722. F344
    Words in s. 7(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 10(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  723. F345
    Words in Sch. 17 para. 4 substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(12)(b)(ii), 142(1); S.I. 2026/82, reg. 2(s)
  724. I368
    Sch. 2 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  725. F346
    Words in s. 76(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(5); S.I. 2026/82, reg. 2(z10)
  726. F347
    Words in s. 16(1)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 20(2)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  727. F348
    Words in Sch. 3 para. 1 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  728. F349
    Words in s. 15(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  729. I369
    Sch. 19 para. 366 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  730. I370
    Sch. 7 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  731. I371
    Sch. 19 para. 57 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  732. I372
    Sch. 19 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  733. F350
    Words in s. 186A(5) substituted (29.1.2026) by The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (S.I. 2026/82), reg. 12(4)
  734. I373
    Sch. 19 para. 422 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  735. F351
    Words in s. 183B(5)(b) substituted (29.1.2026) by The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (S.I. 2026/82), reg. 12(3)
  736. F352
    Words in s. 6(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 9 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  737. F353
    Words in s. 43(1)(a) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(2)(a), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  738. I374
    Sch. 10 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  739. I375
    Sch. 2 para. 22 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  740. F354
    Words in Sch. 2 para. 26(9)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  741. F355
    Words in s. 5(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  742. F356
    Sch. 21 para. 4(6) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(3)(c) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  743. F357
    Word in s. 3(9)(c) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 14(a); S.I. 2025/904, reg. 2(y)
  744. F358
    Words in s. 149(9)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(3)(b), 142(1); S.I. 2026/82, reg. 2(s)
  745. I376
    Sch. 12 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  746. I377
    Sch. 19 para. 386 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  747. F359
    Words in s. 15(2)(f) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(8)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  748. F360
    Words in s. 188(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 82 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  749. F361
    Word in s. 125 heading substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(3)(a), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  750. I378
    Sch. 19 para. 316 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  751. I379
    Sch. 19 para. 81 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  752. I380
    Sch. 2 para. 24 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  753. F362
    Words in s. 15(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(10)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  754. F363
    Sch. 2 para. 4(4) omitted (31.1.2022) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(d)
  755. I381
    Sch. 19 para. 107 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  756. F364
    Words in s. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  757. I382
    Sch. 19 para. 255 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  758. I383
    Sch. 19 para. 309 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  759. F365
    Words in s. 149(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  760. F366
    Words in Sch. 1 para. 41 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  761. I384
    Sch. 19 para. 133 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  762. I385
    Sch. 18 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  763. I386
    Sch. 19 para. 229 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  764. F367
    Words in s. 5(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  765. I387
    Sch. 14 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  766. F368
    Words in s. 15(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(4)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  767. F369
    Words in s. 149(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  768. F370
    Words in Sch. 20 para. 50 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  769. F371
    S. 54(4)-(6) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 76(6)(d), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  770. F372
    Words in s. 79(12) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(i), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  771. I388
    Sch. 19 para. 166 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  772. I389
    Sch. 19 para. 360 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  773. I390
    Sch. 7 para. 23 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  774. I391
    Sch. 19 para. 186 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  775. F373
    Words in s. 207(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  776. F374
    S. 20 omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 15; S.I. 2025/904, reg. 2(y)
  777. I392
    Sch. 19 para. 51 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  778. F375
    Sch. 17 para. 3A and cross-heading inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(12)(a), 142(1); S.I. 2026/82, reg. 2(s)
  779. F376
    S. 9 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 12 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  780. I393
    Sch. 3 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  781. F377
    S. 207(1A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  782. I394
    Sch. 20 para. 44 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  783. I395
    Sch. 19 para. 242 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  784. F378
    Words in Sch. 2 para. 13 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(12) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  785. F379
    Words in s. 26(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  786. I396
    Sch. 1 para. 25 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  787. F380
    Word in Sch. 1 para. 10 heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 28(2); S.I. 2026/82, reg. 2(z12)
  788. F381
    Ss. 148A-148C and cross-heading inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(2), 142(1); S.I. 2026/82, reg. 2(s)
  789. F382
    Words in s. 3(10) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  790. F383
    S. 79(13) omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(j), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  791. I397
    Sch. 19 para. 206 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  792. I398
    Sch. 19 para. 83 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  793. I399
    Sch. 19 para. 235 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  794. F384
    Words in Sch. 16 para. 4(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 101(3)(c), 142(1); S.I. 2026/82, reg. 2(t) (with reg. 6)
  795. I400
    Sch. 19 para. 129 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  796. F385
    Words in s. 17(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  797. I401
    Sch. 19 para. 362 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  798. F386
    Sch. 8 para. 8(1)(b)(iia) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 30; S.I. 2026/82, reg. 2(z12)
  799. I402
    Sch. 10 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  800. F387
    S. 115(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  801. I403
    Sch. 20 para. 60 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  802. F388
    S. 51(4)(aa) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(7)(c), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  803. I404
    Sch. 19 para. 189 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  804. F389
    Words in s. 43(1)(d) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 12; S.I. 2026/82, reg. 2(z8) (with reg. 5)
  805. F390
    Words in s. 15(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(9)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  806. F391
    Words in s. 17(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  807. F392
    Word in s. 51(6) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(7)(d), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  808. F393
    Words in s. 129(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 54 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  809. F394
    Words in s. 182(7) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(4) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  810. F395
    S. 139(1A)(1B) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 91(4), 142(1) (with s. 91(5)); S.I. 2025/904, reg. 2(e)
  811. I405
    Sch. 20 para. 49 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  812. I406
    Sch. 19 para. 327 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  813. F396
    Words in s. 3(14)(c) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  814. I407
    Sch. 10 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  815. F397
    Words in s. 205(1) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  816. I408
    Sch. 19 para. 372 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  817. C12
    Act modified (6.6.2022) by Dormant Assets Act 2022 (c. 5), ss. 25, 34(3); S.I. 2022/582, reg. 2
  818. F398
    Words in s. 206 Table substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 86(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  819. I409
    Sch. 19 para. 247 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  820. I410
    Sch. 19 para. 65 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  821. F399
    Words in Sch. 17 para. 4 substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(12)(b)(i), 142(1); S.I. 2026/82, reg. 2(s)
  822. I411
    Sch. 19 para. 144 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  823. F400
    Words in s. 43(1)(b) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(2)(b), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  824. F401
    Words in Sch. 3 substituted (1.7.2022) by Health and Care Act 2022 (c. 31), s. 186(6), Sch. 1 para. 1(1)(2); S.I. 2022/734, reg. 2(a), Sch. (with regs. 13, 29, 30)
  825. I412
    Sch. 14 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  826. F402
    Words in s. 96(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 80(4)(a), 142(1); S.I. 2026/82, reg. 2(j) (with reg. 5)
  827. F403
    Words in Sch. 1 para. 4(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 87(2)(b), 142(1); S.I. 2026/82, reg. 2(o)
  828. F404
    Words in s. 28 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  829. I413
    Sch. 19 para. 352 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  830. I414
    Sch. 16 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  831. I415
    Sch. 8 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  832. I416
    Sch. 19 para. 53 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  833. F405
    Words in Sch. 2 para. 11 table omitted (31.12.2020) by virtue of The Consumer Protection (Enforcement) (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/203), regs. 1, 5(a); 2020 c. 1, Sch. 5 para. 1(1)
  834. F406
    S. 205(4)(5) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 85(7) (with reg. 5) (as amended by S.I. 2020/1586, regs. 1(2), 5(2)); 2020 c. 1, Sch. 5 para. 1(1)
  835. F407
    Words in s. 4(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 5(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  836. I417
    Sch. 20 para. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  837. I418
    Sch. 19 para. 238 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  838. I419
    Sch. 19 para. 261 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  839. F408
    Words in s. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 8 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  840. I420
    Sch. 19 para. 198 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  841. I421
    Sch. 7 para. 48 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  842. I422
    Sch. 19 para. 343 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  843. F409
    Ss. 50A-50D substituted for ss. 49, 50 (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 80(3), 142(1)(2)(h); S.I. 2026/82, reg. 2(j) (with reg. 5)
  844. F410
    Words in s. 3(14)(d) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  845. I423
    Sch. 7 para. 25 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  846. F411
    Words in Sch. 20 para. 18(6)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  847. F412
    Words in s. 24(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  848. I424
    S. 126 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(c)
  849. F413
    S. 15 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 18 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  850. F414
    S. 51(2)(aa) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(7)(b), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  851. F415
    Words in s. 76(1)(c) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(4)(b)(ii); S.I. 2026/82, reg. 2(z10)
  852. I425
    Sch. 15 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  853. F416
    Words in s. 168(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 69(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  854. F417
    Word in Sch. 2 para. 2(1)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 29(2); S.I. 2026/82, reg. 2(z12)
  855. I426
    Sch. 20 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  856. F418
    Words in s. 149(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  857. I427
    Sch. 1 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  858. I428
    Sch. 19 para. 380 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  859. F419
    Words in s. 80(2) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 46(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  860. F420
    Word in s. 184(4) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 25; S.I. 2026/82, reg. 2(z12)
  861. I429
    Sch. 19 para. 167 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  862. I430
    Sch. 19 para. 94 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  863. F421
    S. 160(7)(e) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 101(4), 142(1); S.I. 2026/82, reg. 2(t) (with reg. 6)
  864. F422
    Words in s. 76(1)(c) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 43 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  865. I431
    Sch. 7 para. 29 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  866. I432
    Sch. 19 para. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  867. F423
    Words in s. 77(7)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 9(4); S.I. 2026/82, reg. 2(z10)
  868. F424
    Words in Sch. 18 para. 5(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 99(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  869. F425
    S. 5(4)(5)(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  870. I433
    Sch. 19 para. 142 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  871. F426
    Words in Sch. 2 para. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  872. F427
    Words in s. 24(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  873. I434
    Sch. 20 para. 22 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  874. F428
    S. 3(8A) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 117(3), 142(1); S.I. 2025/904, reg. 2(r)
  875. I435
    Sch. 19 para. 356 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  876. F429
    Words in Sch. 3 para. 12 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(13) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  877. I436
    Sch. 19 para. 418 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  878. F430
    S. 73(4)(aa) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(5)(a); S.I. 2026/82, reg. 2(z10)
  879. I437
    Sch. 7 para. 39 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  880. F431
    Words in s. 24(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  881. I438
    Sch. 19 para. 322 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  882. I439
    Sch. 20 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  883. F432
    Words in s. 52(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 13(2); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  884. I440
    Sch. 19 para. 319 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  885. F433
    S. 160(4)(aa)(ab) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(5), 142(1); S.I. 2026/82, reg. 2(q)
  886. I441
    Sch. 19 para. 351 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  887. F434
    S. 140 cross-heading inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 95, 142(1); S.I. 2025/904, reg. 2(h)
  888. I442
    Sch. 19 para. 246 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  889. F435
    Words in Sch. 5 para. 1(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 95(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  890. F436
    S. 204(1)(l) inserted (13.12.2024) by The Anaesthesia Associates and Physician Associates Order 2024 (S.I. 2024/374), art. 1(3), Sch. 5 para. 7
  891. F437
    Words in s. 149(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  892. F438
    Words in s. 110(2)(c) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(9)(c), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  893. F439
    Words in Sch. 1 para. 1(3) substituted (15.12.2021) by The UK Statistics (Amendment etc.) (EU Exit) Regulations 2021 (S.I. 2021/1300), regs. 1, 2
  894. F440
    S. 78(A1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(2); S.I. 2026/82, reg. 2(z10)
  895. C13
    Act excluded (30.9.2020) by The Channel Tunnel (Arrangements with the Kingdom of the Netherlands) Order 2020 (S.I. 2020/916), arts. 1(2)(b)4(4)
  896. I443
    Sch. 19 para. 132 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  897. F441
    S. 119A inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 51 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  898. F442
    Words in s. 149(4)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  899. I444
    Sch. 20 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  900. F443
    Words in s. 206 Table omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 86(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  901. F444
    Words in Sch. 3 para. 21 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(20) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  902. I445
    S. 145 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  903. I446
    S. 193 in force at 23.7.2018 by S.I. 2018/625, reg. 3(j)
  904. I447
    Sch. 19 para. 117 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  905. I448
    Sch. 19 para. 382 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  906. F445
    Words in Sch. 18 para. 4(6)(a) substituted (1.4.2025) by The Disclosure (Scotland) Act 2020 (Consequential Provisions and Modifications) Order 2025 (S.I. 2025/423), art. 2(1), Sch. 2 para. 3(3)
  907. I449
    Sch. 19 para. 323 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  908. F446
    Words in Sch. 2 para. 20(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(18) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  909. I450
    Sch. 19 para. 150 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  910. I451
    Sch. 20 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  911. I452
    Sch. 16 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  912. I453
    S. 191 in force at 23.7.2018 in so far as not already in force by S.I. 2018/625, reg. 3(h)
  913. I454
    Sch. 19 para. 312 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  914. I455
    Sch. 19 para. 29 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  915. F447
    S. 18 omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 15 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  916. F448
    Words in s. 77(6) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 9(3); S.I. 2026/82, reg. 2(z10)
  917. F449
    Words in Sch. 21 para. 10 heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(7) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  918. F450
    Words in Sch. 18 para. 5(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 99(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  919. I456
    Sch. 1 para. 38 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  920. I457
    S. 108 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(f)
  921. I458
    Sch. 19 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  922. I459
    Sch. 19 para. 354 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  923. F451
    Words in s. 1(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 2(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  924. I460
    Sch. 19 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  925. F452
    Words in s. 159(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 65 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  926. I461
    Sch. 19 para. 25 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  927. I462
    Sch. 7 para. 45 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  928. I463
    Sch. 19 para. 39 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  929. I464
    Sch. 20 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  930. I465
    Sch. 7 para. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  931. I466
    Sch. 1 para. 33 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  932. I467
    Sch. 11 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  933. I468
    Sch. 19 para. 193 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  934. I469
    Sch. 19 para. 146 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  935. F453
    Words in s. 119A(11) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 17; S.I. 2025/904, reg. 2(y)
  936. I470
    Sch. 15 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  937. F454
    Sch. 21 para. 7 omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(5) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  938. I471
    Sch. 2 para. 23 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  939. F455
    Sch. 12A inserted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 14 para. 1 (with Sch. 14 paras. 2, 3); S.I. 2025/904, reg. 2(z) (with reg. 1(3))
  940. F456
    Words in s. 17(8) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  941. F457
    Words in s. 151(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 62 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  942. F458
    Words in s. 135(1) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 94(2)(b), 142(1); S.I. 2026/82, reg. 2(p)
  943. I472
    Sch. 19 para. 100 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  944. F459
    Word in s. 44 heading omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 79(4), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  945. I473
    Sch. 12 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  946. F460
    Sch. 19 para. 49 omitted (21.7.2019) by virtue of The Financial Services and Markets Act 2000 (Prospectus) Regulations 2019 (S.I. 2019/1043), regs. 1(1), 37
  947. F461
    Words in s. 149(9)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(3)(a), 142(1); S.I. 2026/82, reg. 2(s)
  948. I474
    Sch. 19 para. 279 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  949. F462
    S. 146(2)(j)(k) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(2)(a), 142(1); S.I. 2026/82, reg. 2(q)
  950. F463
    Sch. 2 para. 4(3) omitted (31.1.2022) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(d)
  951. F464
    Word in Sch. 2 para. 26(9)(d) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 24 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  952. F465
    S. 17 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 21 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  953. F466
    Words in s. 157(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  954. I475
    Sch. 19 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  955. F467
    Words in s. 182(8)(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(5)(d) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  956. I476
    Sch. 19 para. 213 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  957. F468
    Words in Sch. 3 para. 20(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(19) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  958. I477
    Sch. 19 para. 85 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  959. I478
    Sch. 19 para. 221 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  960. F469
    S. 3(10A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  961. F470
    S. 96(4) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 80(4)(c), 142(1); S.I. 2026/82, reg. 2(j) (with reg. 5)
  962. I479
    Sch. 19 para. 174 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  963. I480
    Sch. 19 para. 20 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  964. I481
    Sch. 20 para. 56 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  965. F471
    Words in Sch. 3 para. 2(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  966. F472
    Words in Sch. 21 para. 4 heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(2) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  967. F473
    Words in s. 79(10) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(g), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  968. F474
    Sch. 7 para. 18A inserted (1.11.2022 for specified purposes) by Armed Forces Act 2021 (c. 35), s. 24(1), Sch. 4 para. 9; S.I. 2022/1095, reg. 3
  969. F475
    Words in s. 206 Table substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(9)(a)(ii), 142(1); S.I. 2025/996, reg. 2(2)(b)
  970. F476
    Words in s. 75 heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 6(2); S.I. 2026/82, reg. 2(z10)
  971. I482
    S. 104 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(d)
  972. I483
    Sch. 19 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  973. F477
    Words in s. 5(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 6(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  974. I484
    Sch. 7 para. 56 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  975. F478
    S. 45A inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(6), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  976. F479
    Words in s. 76(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(4)(a); S.I. 2026/82, reg. 2(z10)
  977. F480
    Words in s. 74B(7) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(9)(b); S.I. 2026/82, reg. 2(z10)
  978. I485
    Sch. 7 para. 52 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  979. F481
    Words in s. 182(8)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(5)(c) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  980. I486
    Sch. 19 para. 330 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  981. I487
    Sch. 3 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  982. I488
    Sch. 19 para. 190 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  983. I489
    Sch. 2 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  984. F482
    Ss. 124B, 124C inserted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 93, 142(1)(2)(h); S.I. 2025/904, reg. 2(g)
  985. I490
    Sch. 19 para. 282 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  986. I491
    Sch. 19 para. 263 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  987. F483
    Words in s. 186(1) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 106(4)(b), 142(1); S.I. 2025/904, reg. 2(k)
  988. F484
    S. 75(1A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 6(4); S.I. 2026/82, reg. 2(z10)
  989. F485
    S. 29(1A) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(3), 142(1); S.I. 2025/996, reg. 2(2)(b)
  990. I492
    Sch. 19 para. 424 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  991. I493
    Sch. 20 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  992. F486
    Words in Sch. 2 para. 25(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(19)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  993. I494
    Sch. 19 para. 378 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  994. I495
    Sch. 1 para. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  995. F487
    S. 157(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  996. I496
    Sch. 19 para. 402 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  997. I497
    Sch. 19 para. 156 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  998. F488
    Words in s. 187(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  999. I498
    Sch. 19 para. 145 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1000. F489
    Words in s. 94(10) substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 16; S.I. 2025/904, reg. 2(y)
  1001. I499
    Sch. 11 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1002. I500
    Sch. 19 para. 400 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1003. I501
    Sch. 19 para. 419 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1004. F490
    Words in Sch. 2 para. 3(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1005. F491
    S. 125(5) substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(3)(d), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  1006. I502
    Sch. 19 para. 171 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1007. I503
    Sch. 1 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1008. F492
    Words in Sch. 3 para. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1009. F493
    Word in Sch. 20 para. 14(2) substituted (5.5.2023) by The Data Protection Act 2018 (Transitional Provision) Regulations 2023 (S.I. 2023/414), regs. 1(1), 2(2)
  1010. F494
    Words in s. 146(12) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(2)(d), 142(1); S.I. 2026/82, reg. 2(q)
  1011. F495
    S. 146(11A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(2)(c), 142(1); S.I. 2026/82, reg. 2(q)
  1012. I504
    Sch. 19 para. 179 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1013. F496
    Words in s. 10(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 13(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1014. I505
    S. 160 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1015. I506
    Sch. 19 para. 47 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1016. F497
    Words in s. 157(2)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 16; S.I. 2026/82, reg. 2(z8) (with reg. 5)
  1017. F498
    Words in s. 78(4) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(7); S.I. 2026/82, reg. 2(z10)
  1018. I507
    Sch. 19 para. 410 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1019. F499
    Words in s. 116(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 48(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1020. I508
    S. 164 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1021. F500
    Words in s. 180(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 75 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1022. I509
    S. 189 in force at 23.7.2018 by S.I. 2018/625, reg. 3(f)
  1023. F501
    Words in s. 15(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1024. I510
    Sch. 19 para. 216 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1025. I511
    Sch. 15 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1026. I512
    Sch. 7 para. 43 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1027. F502
    S. 182(14) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(8) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1028. I513
    Sch. 19 para. 367 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1029. I514
    Sch. 19 para. 390 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1030. I515
    Sch. 19 para. 194 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1031. I516
    Sch. 11 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1032. F503
    S. 204(4)(p) omitted (30.11.2022) by virtue of The Health and Social Care Act (Northern Ireland) 2022 (Consequential Amendments) Order 2022 (S.I. 2022/1174), arts. 1(2), 12(2)
  1033. I517
    Sch. 19 para. 37 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1034. I518
    Sch. 19 para. 337 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1035. C14
    S. 5: power to amend conferred (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Regulation (EU) 679/2016, Art. 11A(3) (as inserted by Data (Use and Access) Act 2025 (c. 18), ss. 74(1), 142(1)(2)(h); S.I. 2025/904, reg. 2(c))
  1036. F504
    S. 180 cross-heading substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 104(2), 142(1); S.I. 2025/904, reg. 2(j)
  1037. I519
    Sch. 12 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1038. I520
    Sch. 19 para. 148 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1039. I521
    Sch. 19 para. 24 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1040. I522
    Sch. 19 para. 339 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1041. I523
    Sch. 1 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1042. F505
    Words in Sch. 2 para. 4(1) inserted (31.1.2022) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(a)
  1043. I524
    Sch. 19 para. 350 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1044. I525
    Sch. 19 para. 199 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1045. F506
    Words in Sch. 1 para. 1(3) substituted (31.12.2020) by The UK Statistics (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/489), regs. 1, 3; 2020 c. 1, Sch. 5 para. 1(1)
  1046. F507
    Words in s. 78(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(3)(c); S.I. 2026/82, reg. 2(z10)
  1047. I526
    Sch. 16 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1048. F508
    S. 26(2)(fa) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 17 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1049. I527
    Sch. 20 para. 39 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1050. I528
    Sch. 19 para. 274 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1051. I529
    Sch. 19 para. 30 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1052. I530
    Sch. 19 para. 251 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1053. F509
    S. 213(4) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 90(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1054. F510
    Sch. 3 para. 8(2)(d) substituted (1.7.2022) by Health and Care Act 2022 (c. 31), s. 186(6), Sch. 4 para. 229; S.I. 2022/734, reg. 2(a), Sch. (with regs. 13, 29, 30)
  1055. I531
    Sch. 20 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1056. F511
    Words in Sch. 2 para. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1057. F512
    Words in s. 17(8) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1058. F513
    S. 118(1)-(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 50(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1059. I532
    Sch. 19 para. 397 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1060. I533
    Sch. 19 para. 336 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1061. F514
    Words in Sch. 2 para. 18 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(16) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1062. C15
    S. 207 modified (30.9.2020) by The Channel Tunnel (Arrangements with the Kingdom of the Netherlands) Order 2020 (S.I. 2020/916), arts. 1(2)(b), 4(3)(4)
  1063. I534
    Sch. 19 para. 332 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1064. I535
    Sch. 3 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1065. I536
    Sch. 3 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1066. F515
    Words in Sch. 13 para. 3 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1067. I537
    Sch. 19 para. 181 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1068. F516
    Words in Sch. 2 para. 26(9)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1069. I538
    Sch. 20 para. 26 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1070. F517
    Word in Sch. 2 para. 4(1C) omitted (8.3.2024) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 2(4)(a)
  1071. F518
    Words in s. 142(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 59(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1072. F519
    Words in s. 186(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 80(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1073. I539
    Sch. 1 para. 36 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1074. I540
    Sch. 19 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1075. F520
    S. 24(2)(ca) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 16(b) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1076. I541
    Sch. 19 para. 373 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1077. F521
    Word in s. 149(2)(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 15(b); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  1078. F522
    S. 79(1)-(3) omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(a), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1079. C16
    Sch. 2 para. 7 modified by S.I. 1999/677, art. 7(1)(2) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 237 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  1080. I542
    Sch. 19 para. 318 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1081. C17
    Sch. 2 para. 7 modified by S.I. 1999/3145, art. 9(1)(2) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 238 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  1082. I543
    Sch. 11 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1083. F523
    S. 186(2A) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 106(4)(c), 142(1); S.I. 2025/904, reg. 2(k)
  1084. I544
    Sch. 19 para. 225 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1085. I545
    Sch. 19 para. 64 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1086. F524
    Words in s. 187(1)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1087. I546
    Sch. 1 para. 31 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1088. F525
    Words in s. 206 Table omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 27; S.I. 2025/904, reg. 2(y)
  1089. I547
    Sch. 19 para. 278 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1090. F526
    Words in s. 204(1)(g) omitted (2.12.2019 at 00:01) by virtue of Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 227(2)(a) (with ss. 117, 209, 210); S.I. 2019/1434, reg. 2(b)
  1091. F527
    Words in Sch. 3 para. 11 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(11) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1092. F528
    Words in s. 25(2)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1093. I548
    Sch. 19 para. 72 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1094. F529
    Words in s. 206 Table inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 86(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1095. I549
    Sch. 19 para. 314 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1096. I550
    Sch. 1 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1097. F530
    Words in s. 189(4)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 83(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1098. F531
    Sch. 1 para. 14(1)(b)(iia) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 28(5); S.I. 2026/82, reg. 2(z12)
  1099. I551
    Sch. 16 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1100. I552
    Sch. 20 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1101. F532
    Words in Sch. 21 para. 4(4)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(3)(b) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1102. F533
    S. 73(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(4); S.I. 2026/82, reg. 2(z10)
  1103. F534
    Words in s. 170(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 71 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1104. F535
    Word in s. 82(1)(b) substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 89(2)(b)(iii), 142(1); S.I. 2025/996, reg. 2(2)(a)
  1105. F536
    S. 42A inserted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 74(5), 142(1)(2)(h); S.I. 2025/904, reg. 2(c)
  1106. F537
    Words in s. 126(4) substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(4), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  1107. I553
    S. 188 in force at 23.7.2018 in so far as not already in force by S.I. 2018/625, reg. 3(e)
  1108. I554
    Sch. 19 para. 125 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1109. I555
    Sch. 19 para. 75 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1110. I556
    S. 93 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(a)
  1111. I557
    Sch. 1 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1112. F538
    Words in Sch. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1113. I558
    Sch. 19 para. 256 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1114. I559
    Sch. 19 para. 50 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1115. I560
    Sch. 19 para. 275 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1116. I561
    Sch. 19 para. 105 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1117. F539
    S. 21(1)-(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 29(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1118. F540
    Words in s. 79(8) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(8)(f)(i), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1119. F541
    S. 139(2) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 20; S.I. 2025/904, reg. 2(y)
  1120. I562
    Sch. 19 para. 285 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1121. I563
    Sch. 12 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1122. F542
    S. 21(8) inserted (25.1.2023) by Advanced Research and Invention Agency Act 2022 (c. 4), s. 13(1), Sch. 3 para. 15(3); S.I. 2023/58, reg. 2
  1123. I564
    Sch. 2 para. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1124. I565
    Sch. 19 para. 172 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1125. F543
    Sch. 2 para. 4(1A) omitted (8.3.2024) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 2(3)
  1126. I566
    Sch. 20 para. 42 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1127. I567
    Sch. 19 para. 52 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1128. I568
    Sch. 7 para. 54 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1129. I569
    Sch. 19 para. 433 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1130. F544
    S. 21 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 29(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1131. F545
    S. 164(5)(ba) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(8)(b), 142(1); S.I. 2026/82, reg. 2(s)
  1132. I570
    Sch. 1 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1133. F546
    Words in Sch. 2 para. 26(9)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1134. I571
    Sch. 15 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1135. I572
    Sch. 19 para. 113 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1136. F547
    Words in s. 182(11) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(7) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1137. I573
    Sch. 19 para. 208 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1138. I574
    Sch. 11 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1139. I575
    Sch. 19 para. 335 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1140. F548
    Word in s. 35(8) substituted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(4)(b), 142(1); S.I. 2025/904, reg. 2(c)
  1141. F549
    Words in s. 125(9) substituted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 92(3)(e), 142(1)(2)(h); S.I. 2025/904, reg. 2(f)
  1142. F550
    Words in s. 36(1)(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 71(8)(b)(ii), 142(1); S.I. 2026/82, reg. 2(d)
  1143. F551
    Words in s. 41(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 86(7), 142(1); S.I. 2026/82, reg. 2(n)
  1144. I576
    Sch. 19 para. 68 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1145. I577
    Sch. 19 para. 147 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1146. F552
    S. 135(5) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 94(2)(f), 142(1); S.I. 2026/82, reg. 2(p)
  1147. I578
    Sch. 1 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1148. F553
    S. 74B(7)(a) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(9)(c); S.I. 2026/82, reg. 2(z10)
  1149. I579
    Sch. 19 para. 220 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1150. I580
    Sch. 7 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1151. I581
    Sch. 19 para. 79 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1152. I582
    Sch. 11 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1153. F554
    Words in s. 74B(6)(b) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(8)(a); S.I. 2026/82, reg. 2(z10)
  1154. I583
    Sch. 19 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1155. I584
    Sch. 19 para. 412 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1156. I585
    Sch. 20 para. 34 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1157. I586
    Sch. 19 para. 248 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1158. F555
    Words in s. 78(5)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(8); S.I. 2026/82, reg. 2(z10)
  1159. F556
    Words in s. 45(5) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(4)(b), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1160. F557
    Words in s. 27(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 35 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1161. I587
    Sch. 7 para. 24 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1162. I588
    Sch. 15 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1163. I589
    Sch. 19 para. 109 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1164. I590
    Sch. 19 para. 31 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1165. I591
    Sch. 19 para. 170 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1166. I592
    Sch. 19 para. 92 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1167. F558
    S. 24(2)(ca)(cb) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1168. I593
    Sch. 1 para. 26 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1169. I594
    Sch. 20 para. 57 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1170. F559
    Words in s. 173(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 73 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1171. I595
    Sch. 1 para. 22 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1172. F560
    Words in s. 4(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 5(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1173. F561
    Words in s. 17(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 22(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1174. F562
    Words in s. 54(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(6)(a), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  1175. F563
    Words in s. 78(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(6); S.I. 2026/82, reg. 2(z10)
  1176. F564
    Words in s. 74B(6)(b) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(8)(c); S.I. 2026/82, reg. 2(z10)
  1177. F565
    Words in s. 76 heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(2); S.I. 2026/82, reg. 2(z10)
  1178. I596
    Sch. 19 para. 244 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1179. F566
    Words in s. 54(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 75(3), 142(1); S.I. 2026/82, reg. 2(g)
  1180. F567
    Words in Sch. 3 para. 5 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1181. I597
    S. 162 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1182. I598
    Sch. 7 para. 53 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1183. I599
    Sch. 19 para. 292 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1184. I600
    Sch. 20 para. 61 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1185. I601
    Sch. 15 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1186. F568
    Words in s. 209(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 88 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1187. F569
    Words in Sch. 20 para. 18(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1188. F570
    S. 147(6)(b) and word omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 99, 142(1); S.I. 2026/82, reg. 2(r)
  1189. I602
    Sch. 19 para. 187 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1190. F571
    Words in Sch. 1 para. 13(1)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 28(4); S.I. 2026/82, reg. 2(z12)
  1191. I603
    Sch. 20 para. 25 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1192. I604
    Sch. 19 para. 428 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1193. F572
    S. 186A inserted (1.1.2024) by Data (Use and Access) Act 2025 (c. 18), ss. 106(5)(7), 142(1); S.I. 2025/904, reg. 2(k)
  1194. C18
    Act applied (31.12.2020) by Regulation (EU) No. 625/2017, Art. 143 (as substituted by The Official Controls (Animals, Feed and Food, Plant Health etc.) (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/1481), regs. 1, 27(3) (with reg. 46))
  1195. I605
    Sch. 19 para. 185 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1196. F573
    S. 26(2)(g)(iv) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(e)(ii) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1197. I606
    Sch. 3 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1198. F574
    Words in s. 52(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 13(3); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  1199. I607
    Sch. 20 para. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1200. F575
    Words in s. 206 Table inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(9)(b), 142(1); S.I. 2025/996, reg. 2(2)(b)
  1201. I608
    Sch. 19 para. 89 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1202. F576
    Words in s. 35(6)(b) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(4)(a), 142(1); S.I. 2025/904, reg. 2(c)
  1203. I609
    Sch. 19 para. 281 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1204. I610
    Sch. 19 para. 58 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1205. F577
    Words in s. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1206. I611
    Sch. 19 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1207. I612
    Sch. 7 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1208. I613
    Sch. 19 para. 273 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1209. I614
    Sch. 1 para. 35 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1210. F578
    Words in s. 52(5) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 13(5); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  1211. F579
    S. 68(7)(d) omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 88(6), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1212. F580
    Sch. 18 para. 3(2)(fa) inserted (1.12.2023) by Northern Ireland Troubles (Legacy and Reconciliation) Act 2023 (c. 41), s. 63(4), Sch. 13 para. 10 (with s. 61); S.I. 2023/1293, reg. 2(k)
  1213. C19
    Pt. 2 Ch. 3 applied (31.12.2020) by Regulation (EU) No. 625/2017, Art. 143 (as substituted by The Official Controls (Animals, Feed and Food, Plant Health etc.) (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/1481), regs. 1, 27(3) (with reg. 46))
  1214. I615
    Sch. 19 para. 355 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1215. C20
    Act applied (30.9.2020) by The Channel Tunnel (Arrangements with the Kingdom of the Netherlands) Order 2020 (S.I. 2020/916), arts. 1(2)(b), 4(3)
  1216. F581
    Sch. 2 para. 27(4) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1217. I616
    Sch. 7 para. 32 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1218. I617
    Sch. 7 para. 20 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1219. F582
    Sch. A1 inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 72(8), 142(1); S.I. 2025/904, reg. 2(b)
  1220. F583
    Words in s. 76(1)(c) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(4)(b)(i); S.I. 2026/82, reg. 2(z10)
  1221. F584
    Words in s. 80(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 46(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1222. I618
    Sch. 19 para. 320 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1223. I619
    Sch. 19 para. 54 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1224. I620
    Sch. 19 para. 240 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1225. F585
    Words in s. 187(1) substituted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1226. I621
    Sch. 19 para. 84 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1227. I622
    Sch. 19 para. 394 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1228. I623
    Sch. 19 para. 233 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1229. F586
    Words in s. 115(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1230. F587
    Words in Sch. 2 para. 1 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1231. F588
    Word in s. 82(1) inserted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 89(2)(b)(i), 142(1); S.I. 2025/996, reg. 2(2)(a)
  1232. I624
    Sch. 3 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1233. F589
    S. 44 cross-heading substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 79(3), 142(1); S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
  1234. F590
    S. 23 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 31 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1235. F591
    Words in Sch. 19 para. 432(5)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 100(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1236. I625
    Sch. 1 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1237. F592
    Words in s. 11(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 14 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1238. I626
    Sch. 14 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1239. I627
    Sch. 7 para. 51 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1240. I628
    Sch. 19 para. 35 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1241. I629
    Sch. 3 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1242. I630
    Sch. 5 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1243. F593
    S. 74 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 41 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1244. F594
    Words in s. 173(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 73 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1245. F595
    Words in s. 45(5) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(5), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  1246. I631
    Sch. 19 para. 99 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1247. I632
    Sch. 19 para. 262 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1248. I633
    Sch. 19 para. 296 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1249. I634
    Sch. 19 para. 365 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1250. F596
    Words in s. 15(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(9)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1251. I635
    Sch. 19 para. 137 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1252. F597
    Word in Sch. 1 para. 10(1)(a) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 28(3); S.I. 2026/82, reg. 2(z12)
  1253. F598
    S. 3(14)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1254. F599
    Words in Sch. 21 para. 9(3)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(6)(b)(i) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1255. I636
    Sch. 7 para. 44 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1256. I637
    Sch. 19 para. 321 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1257. F600
    Words in s. 174(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 74 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1258. I638
    Sch. 11 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1259. F601
    Words in s. 52(4) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 13(4); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  1260. F602
    Words in s. 119A(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 20(2) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1261. F603
    S. 7(1)(ba) inserted (25.1.2023) by Advanced Research and Invention Agency Act 2022 (c. 4), s. 13(1), Sch. 3 para. 14(a); S.I. 2023/58, reg. 2
  1262. F604
    S. 146A inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 98(3), 142(1); S.I. 2026/82, reg. 2(q)
  1263. I639
    Sch. 15 para. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1264. I640
    Sch. 19 para. 161 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1265. I641
    Sch. 19 para. 396 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1266. F605
    Word in s. 186(3)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 80(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1267. I642
    Sch. 19 para. 398 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1268. I643
    Sch. 20 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1269. F606
    Words in s. 210(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 89 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1270. F607
    Words in s. 174(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 74 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1271. I644
    Sch. 19 para. 165 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1272. F608
    Words in s. 36(1)(b) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 71(8)(b)(i), 142(1); S.I. 2026/82, reg. 2(d)
  1273. I645
    Sch. 1 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1274. F609
    Word in s. 6 substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 67(2), 142(1); S.I. 2026/82, reg. 2(a)
  1275. I646
    Sch. 2 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1276. F610
    Words in s. 48(4) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(5)(b)(ii), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1277. I647
    S. 195 in force at 23.7.2018 by S.I. 2018/625, reg. 3(l)
  1278. F611
    S. 17A and cross-heading omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 12 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1279. I648
    Sch. 19 para. 258 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1280. I649
    Sch. 7 para. 38 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1281. F612
    Word in Sch. 21 para. 9(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(6)(a)(ii) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1282. I650
    Sch. 19 para. 188 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1283. I651
    Sch. 19 para. 41 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1284. I652
    Sch. 2 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1285. F613
    S. 53(4A) inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 75(2)(a), 142(1)(2)(h); S.I. 2026/82, reg. 2(g)
  1286. F614
    Words in Sch. 3 Pt. 1 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1287. I653
    Sch. 19 para. 153 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1288. I654
    Sch. 7 para. 49 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1289. F615
    Words in Sch. 3 para. 17(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(15) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1290. F616
    Words in s. 53(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 14(2); S.I. 2026/82, reg. 2(z8) (with reg. 5)
  1291. F617
    Words in s. 149(2)(e) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 21 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1292. I655
    Sch. 8 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1293. I656
    Sch. 19 para. 77 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1294. I657
    Sch. 19 para. 276 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1295. F618
    S. 82(2A) inserted (19.6.2025 for specified purposes, 17.11.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 89(2)(c), 142(1)(2)(h); S.I. 2025/996, reg. 2(2)(a)
  1296. I658
    Sch. 7 para. 14 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1297. I659
    S. 111 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1298. F619
    Words in s. 207(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1299. I660
    Sch. 19 para. 387 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1300. I661
    Sch. 19 para. 70 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1301. F620
    S. 75(8) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 18 (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1302. I662
    Sch. 19 para. 249 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1303. F621
    S. 97(6) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 80(5)(c), 142(1); S.I. 2026/82, reg. 2(j) (with reg. 5)
  1304. F622
    Words in s. 78(6) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(9)(c); S.I. 2026/82, reg. 2(z10)
  1305. I663
    Sch. 19 para. 212 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1306. F623
    Words in s. 25(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1307. I664
    Sch. 20 para. 55 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1308. I665
    Sch. 19 para. 183 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1309. F624
    Words in s. 48(6)(a) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(5)(c), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1310. F625
    S. 135(4) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 94(2)(e), 142(1); S.I. 2026/82, reg. 2(p)
  1311. I666
    Sch. 19 para. 218 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1312. I667
    S. 109 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1313. F626
    Sch. 16 para. 2(2)(3) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 101(2), 142(1); S.I. 2026/82, reg. 2(t) (with reg. 6)
  1314. I668
    Sch. 19 para. 315 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1315. F627
    Words in s. 96(3) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 80(4)(b), 142(1); S.I. 2026/82, reg. 2(j) (with reg. 5)
  1316. I669
    Sch. 19 para. 383 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1317. I670
    Sch. 20 para. 32 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1318. I671
    Sch. 19 para. 56 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1319. I672
    Sch. 19 para. 115 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1320. F628
    Words in s. 86(3)(b) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 74(7)(a), 142(1); S.I. 2025/904, reg. 2(c)
  1321. I673
    Sch. 19 para. 234 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1322. I674
    Sch. 1 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1323. F629
    Words in s. 12(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 15 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1324. F630
    S. 76(2A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(6); S.I. 2026/82, reg. 2(z10)
  1325. F631
    Words in Sch. 2 para. 16(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(14) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1326. F632
    Words in s. 74B(5) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(6)(a); S.I. 2026/82, reg. 2(z10)
  1327. F633
    S. 183A and cross-heading inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 106(2), 142(1); S.I. 2025/904, reg. 2(k)
  1328. F634
    Words in s. 187(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 81(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1329. F635
    Words in s. 73(5)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(6); S.I. 2026/82, reg. 2(z10)
  1330. I675
    Sch. 19 para. 160 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1331. F636
    Words in s. 15(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1332. I676
    Sch. 19 para. 265 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1333. I677
    Sch. 19 para. 430 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1334. I678
    Sch. 19 para. 340 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1335. F637
    S. 74B heading substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(2); S.I. 2026/82, reg. 2(z10)
  1336. C21
    Act modified (14.2.2020) by The Northamptonshire (Structural Changes) Order 2020 (S.I. 2020/156), arts. 1, 17(2)(e)
  1337. I679
    S. 113 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(d)
  1338. I680
    Sch. 8 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1339. I681
    Sch. 8 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1340. F638
    Words in s. 180(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 75 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1341. F639
    Words in s. 15(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1342. F640
    S. 132(2)(d) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 55 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1343. I682
    Sch. 19 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1344. F641
    Words in s. 26(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1345. F642
    Words in s. 24(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1346. F643
    Words in Sch. 20 para. 58(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 115(9), 142(1); S.I. 2026/82, reg. 2(y) (with regs. 8-11)
  1347. I683
    Sch. 11 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1348. F644
    Words in s. 80(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 46(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1349. F645
    Words in Sch. 3 para. 5(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1350. F646
    Words in s. 120(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 52(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1351. F647
    Words in s. 74B(6)(b) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(8)(b); S.I. 2026/82, reg. 2(z10)
  1352. I684
    S. 105 in force at 16.9.2019 by S.I. 2019/1188, reg. 2(e)
  1353. F648
    Words in s. 28(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1354. I685
    Sch. 19 para. 385 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1355. F649
    Words in s. 182(8) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(5)(a) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1356. F650
    Words in s. 192(6) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 26; S.I. 2025/904, reg. 2(y)
  1357. I686
    Sch. 19 para. 268 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1358. I687
    Sch. 19 para. 136 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1359. F651
    Words in s. 73(1) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(3)(a); S.I. 2026/82, reg. 2(z10)
  1360. F652
    Sch. 2 paras. 4A, 4B and cross-headings substituted (8.3.2024) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), regs. 1(2), 3
  1361. I688
    S. 147 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1362. I689
    Sch. 19 para. 347 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1363. I690
    Sch. 19 para. 168 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1364. F653
    Sch. 19 para. 201 omitted (29.3.2019) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(3), Sch. 4 para. 3
  1365. F654
    Words in s. 15(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1366. F655
    Words in s. 206 Table substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(9)(a)(i), 142(1); S.I. 2025/996, reg. 2(2)(b)
  1367. I691
    Sch. 19 para. 298 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1368. F656
    Words in s. 160 cross-heading inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 102(3), 142(1); S.I. 2025/904, reg. 2(i)
  1369. I692
    Sch. 19 para. 202 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1370. F657
    Word in s. 48(4) substituted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(5)(b)(i), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1371. F658
    Words in s. 2(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 3 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1372. F659
    Words in s. 115(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1373. I693
    Sch. 19 para. 163 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1374. I694
    Sch. 19 para. 269 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1375. F660
    Words in Sch. 2 para. 27(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1376. F661
    Ss. 74A, 74B inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 42 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1377. F662
    Words in s. 123(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 53 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1378. I695
    Sch. 19 para. 358 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1379. F663
    Ss. 120A-120D and cross-heading inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 91(3), 142(1) (with s. 91(5)); S.I. 2025/904, reg. 2(e)
  1380. F664
    Sch. 14 Pt. 1 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 98 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1381. I696
    Sch. 20 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1382. F665
    Words in s. 74B(5) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(6)(b); S.I. 2026/82, reg. 2(z10)
  1383. I697
    Sch. 19 para. 369 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1384. I698
    Sch. 7 para. 34 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1385. F666
    Words in s. 24(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1386. I699
    Sch. 19 para. 130 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1387. I700
    Sch. 19 para. 23 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1388. I701
    Sch. 20 para. 52 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1389. F667
    Sum in s. 157(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 64(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1390. C22
    Sch. 2 para. 7 modified by S.I. 2007/1118, art. 5(1)(2) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 324 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  1391. F668
    Words in Sch. 2 para. 27(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1392. I702
    Sch. 19 para. 177 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1393. I703
    Sch. 20 para. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1394. F669
    S. 135(1A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 94(2)(c), 142(1); S.I. 2026/82, reg. 2(p)
  1395. I704
    Sch. 8 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1396. F670
    S. 78(1A) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(4); S.I. 2026/82, reg. 2(z10)
  1397. F671
    Words in s. 15(2)(f) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(8)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1398. F672
    S. 160(1)(ba) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(6)(a), 142(1); S.I. 2026/82, reg. 2(s)
  1399. I705
    Sch. 19 para. 326 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1400. I706
    Sch. 19 para. 407 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1401. I707
    Sch. 15 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1402. F673
    Words in s. 7(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 10(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1403. F674
    S. 91A inserted (19.6.2025 for specified purposes, 20.8.2025 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), ss. 74(8), 142(1)(2)(h); S.I. 2025/904, reg. 2(c)
  1404. I708
    Sch. 11 para. 9 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1405. F675
    Word in s. 82(1)(a) substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 89(2)(b)(ii), 142(1); S.I. 2025/996, reg. 2(2)(a)
  1406. F676
    S. 21 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 28 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1407. F677
    Words in Sch. 3 para. 20 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(18) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1408. F678
    Sch. 6 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 96 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1409. F679
    S. 204(4)(g) substituted (1.2.2023) by The Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 (S.I. 2023/98), reg. 1(2), Sch. para. 20 (with reg. 3)
  1410. I709
    Sch. 8 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1411. I710
    Sch. 19 para. 374 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1412. I711
    Sch. 20 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1413. F680
    S. 44(4)(d) omitted (5.9.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 88(3)(a), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1414. F681
    Words in s. 164(1) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 100(8)(a), 142(1); S.I. 2026/82, reg. 2(s)
  1415. I712
    Sch. 19 para. 303 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1416. I713
    Sch. 7 para. 37 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1417. I714
    Sch. 19 para. 86 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1418. I715
    Sch. 19 para. 307 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1419. F682
    Words in s. 15(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(6)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1420. I716
    Sch. 19 para. 284 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1421. I717
    Sch. 15 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1422. I718
    Sch. 9 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1423. I719
    Sch. 15 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1424. F683
    Sch. 7 para. 57 inserted (5.1.2026) by Border Security, Asylum and Immigration Act 2025 (c. 31), ss. 11, 65(1) (with s. 10); S.I. 2025/1318, reg. 2(a)
  1425. I720
    Sch. 19 para. 73 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1426. F684
    Sch. 21 para. 12(2) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(9)(c) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1427. F685
    Word in s. 182(8) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(5)(b) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1428. I721
    Sch. 19 para. 159 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1429. I722
    Sch. 19 para. 329 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1430. I723
    Sch. 19 para. 195 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1431. I724
    Sch. 19 para. 375 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1432. I725
    Sch. 1 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1433. F686
    S. 53(6)(7) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 75(2)(c), 142(1); S.I. 2026/82, reg. 2(g)
  1434. I726
    Sch. 19 para. 116 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1435. F687
    S. 182(4) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 22(2) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1436. I727
    Sch. 19 para. 237 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1437. F688
    Words in Sch. 20 Pt. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1438. F689
    Words in s. 94(14) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(7)(a), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  1439. I728
    Sch. 20 para. 36 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1440. F690
    Sch. 21 para. 9(4)(aa) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(6)(c) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1441. F691
    Words in s. 15(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1442. I729
    Sch. 19 para. 219 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1443. I730
    Sch. 20 para. 40 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1444. F692
    Words in s. 11(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 14 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1445. F693
    Word in s. 73(1)(a) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 3(3)(b); S.I. 2026/82, reg. 2(z10)
  1446. F694
    S. 116(A1) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 48(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1447. I731
    Sch. 7 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1448. I732
    Sch. 19 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1449. I733
    Sch. 1 para. 37 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1450. I734
    Sch. 7 para. 41 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1451. F695
    Words in s. 83(2) substituted (17.11.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 90(4)(c), 142(1); S.I. 2025/996, reg. 2(2)(b)
  1452. F696
    Words in s. 209(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 88 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1453. F697
    S. 184(4)(a)(b) substituted for words (1.4.2025) by The Disclosure (Scotland) Act 2020 (Consequential Provisions and Modifications) Order 2025 (S.I. 2025/423), art. 2(1), Sch. 2 para. 3(2)
  1454. F698
    Words in s. 149(4)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1455. F699
    Words in s. 54(2) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(6)(b)(ii), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  1456. F700
    S. 28(5) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1457. F701
    S. 207(3) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1458. I735
    S. 172 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1459. F702
    S. 55(1)(e) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 84(2), 142(1); S.I. 2025/904, reg. 2(d)
  1460. F703
    Words in s. 87(1)(b) substituted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 71(9)(b)(ii), 142(1); S.I. 2026/82, reg. 2(d)
  1461. F704
    S. 207(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1462. I736
    Sch. 16 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1463. F705
    S. 186(3)(c) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 106(4)(d)(ii), 142(1); S.I. 2025/904, reg. 2(k)
  1464. F706
    Words in s. 78(6) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 10(9)(b); S.I. 2026/82, reg. 2(z10)
  1465. C23
    Act modified (23.5.2019) by The Buckinghamshire (Structural Changes) Order 2019 (S.I. 2019/957), arts. 1, 15(2)
  1466. F707
    Words in s. 76(3) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 7(7); S.I. 2026/82, reg. 2(z10)
  1467. F708
    Words in Sch. 3 para. 12(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(14) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1468. F709
    Words in s. 97(1)(a) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 80(5)(a), 142(1); S.I. 2026/82, reg. 2(j) (with reg. 5)
  1469. F710
    Words in Sch. 3 para. 19 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(16) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1470. I737
    Sch. 7 para. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1471. I738
    Sch. 16 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1472. I739
    Sch. 19 para. 345 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1473. I740
    Sch. 20 para. 30 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1474. I741
    Sch. 19 para. 389 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1475. I742
    Sch. 20 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1476. F711
    Words in Sch. 2 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1477. F712
    Words in s. 115(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1478. F713
    S. 94(14A)(14B) inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 76(7)(b), 142(1); S.I. 2026/82, reg. 2(h) (with reg. 4)
  1479. F714
    S. 26(2)(f)(ai) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(2), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1480. F715
    S. 74B(1)(2) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(3); S.I. 2026/82, reg. 2(z10)
  1481. I743
    Sch. 19 para. 266 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1482. I744
    Sch. 19 para. 357 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1483. F716
    Sch. 1 para. 23(3)(ha) inserted (E.W.) (26.12.2023) by Levelling-up and Regeneration Act 2023 (c. 55), s. 255(2)(c), Sch. 4 para. 217 (with s. 247)
  1484. I745
    Sch. 19 para. 182 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1485. F717
    Words in Sch. 3 para. 21(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(21) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1486. F718
    Sch. 18 para. 4(2)(f) inserted (17.12.2021) by The Age of Criminal Responsibility (Scotland) Act 2019 (Consequential Provisions and Modifications) Order 2021 (S.I. 2021/1458), arts. 1(1), 8(a)
  1487. F719
    S. 125(2) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 19(2); S.I. 2025/904, reg. 2(y)
  1488. F720
    S. 118 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 50(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1489. I746
    Sch. 19 para. 209 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1490. I747
    S. 194 in force at 23.7.2018 by S.I. 2018/625, reg. 3(k)
  1491. F721
    Words in s. 15(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 19(12) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1492. I748
    Sch. 19 para. 155 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1493. I749
    Sch. 19 para. 173 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1494. F722
    Words in Sch. 2 para. 6 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(11) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1495. I750
    Sch. 19 para. 98 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1496. F723
    Sch. 21 para. 6(2) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 9 para. 25(4)(b) (with Sch. 9 Pt. 2); S.I. 2026/82, reg. 2(z11)
  1497. F724
    Words in s. 44(5) inserted (5.9.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 88(3)(b), 142(1); S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
  1498. I751
    Sch. 19 para. 112 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1499. F725
    S. 24(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1500. I752
    S. 192 in force at 23.7.2018 by S.I. 2018/625, reg. 3(i)
  1501. I753
    Sch. 12 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1502. I754
    Sch. 7 para. 22 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1503. F726
    Sch. 13 para. 1(1)(i) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1504. I755
    Sch. 19 para. 74 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1505. F727
    Words in Sch. 13 para. 1(1)(e) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1506. F728
    Words in s. 74B(6)(a) omitted (5.2.2026) by virtue of Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 8 para. 5(7)(b); S.I. 2026/82, reg. 2(z10)
  1507. I756
    Sch. 19 para. 80 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1508. F729
    S. 116(1)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 48(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1509. C24
    Pt. 5 applied in part (with modifications) by S.I. 2016/696, Sch. 2 (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 406 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g) (with reg. 4))
  1510. C25
    Pt. 7 applied in part (with modifications) by S.I. 2016/696, Sch. 2 (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 406 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g) (with reg. 4))
  1511. C26
    Pt. 6 applied in part (with modifications) by S.I. 2016/696, Sch. 2 (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 406 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g) (with reg. 4); and as amended (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), ss. 105, 142(1); S.I. 2026/82, reg. 2(u))
  1512. C27
    S. 13 applied by S.I. 2015/1945, reg. 15(1) (as substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 387(2) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g))
  1513. F730
    S. 94(2A) inserted (retrospective to 1.1.2024) by Data (Use and Access) Act 2025 (c. 18), ss. 78(4)(5), 142(2)(b)
  1514. F731
    S. 45(2A) inserted (retrospective to 1.1.2024) by Data (Use and Access) Act 2025 (c. 18), ss. 78(3)(5), 142(2)(b)
  1515. F732
    S. 56(4) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 84(3), 142(1); S.I. 2025/904, reg. 2(d)
  1516. F733
    S. 59(7A) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 84(4), 142(1); S.I. 2025/904, reg. 2(d)
  1517. F734
    Words in s. 207(7) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 87(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
  1518. F735
    S. 199(1) omitted (5.2.2026) by virtue of The Data (Use and Access) Act 2025 (Consequential and Other Amendments) Regulations 2025 (S.I. 2025/1331), regs. 2(2), 3; S.I. 2026/82, reg. 2(s)
  1519. I757
    S. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1520. I758
    S. 138 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(e)
  1521. I759
    S. 73 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1522. I760
    S. 92 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1523. I761
    S. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1524. I762
    S. 183 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(g)
  1525. I763
    S. 170 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1526. I764
    Sch. 5 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1527. I765
    S. 141 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1528. I766
    S. 78 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1529. I767
    Sch. 2 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1530. I768
    S. 87 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1531. I769
    S. 132 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1532. I770
    S. 149 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(f)
  1533. I771
    S. 153 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1534. I772
    S. 53 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(c)
  1535. I773
    S. 202 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1536. I774
    S. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1537. I775
    S. 10 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(b)
  1538. I776
    Sch. 13 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1539. I777
    S. 214 in force at Royal Assent, see s. 212(2)(e)
  1540. I778
    Sch. 2 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1541. I779
    S. 64 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1542. I780
    Sch. 2 para. 26 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(b)
  1543. I781
    S. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1544. I782
    S. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1545. I783
    S. 207 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1546. I784
    S. 136 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1547. I785
    S. 152 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1548. I786
    Sch. 4 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1549. I787
    Sch. 2 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1550. I788
    S. 59 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1551. I789
    S. 100 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1552. I790
    S. 165 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1553. I791
    S. 187 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1554. I792
    Sch. 1 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1555. I793
    Sch. 1 para. 39 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1556. I794
    S. 208 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1557. I795
    S. 186 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1558. I796
    S. 156 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1559. I797
    S. 42 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1560. I798
    S. 43 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1561. I799
    S. 174 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1562. I800
    Sch. 2 para. 25 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1563. I801
    S. 185 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1564. I802
    S. 169 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1565. I803
    S. 95 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1566. I804
    S. 15 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1567. I805
    S. 71 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1568. I806
    S. 203 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(g)
  1569. I807
    S. 171 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1570. I808
    S. 213(3) in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(g)
  1571. I809
    S. 205 in force at Royal Assent, see s. 212(2)(c)
  1572. I810
    Sch. 3 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1573. I811
    S. 137 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(e)
  1574. I812
    Sch. 3 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1575. I813
    S. 83 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1576. I814
    S. 32 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1577. I815
    S. 150 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1578. I816
    S. 63 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1579. I817
    S. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1580. I818
    Sch. 1 para. 41 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1581. I819
    S. 151 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1582. I820
    Sch. 1 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1583. I821
    S. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1584. I822
    S. 90 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1585. I823
    S. 114 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1586. I824
    Sch. 3 para. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1587. I825
    S. 131 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1588. I826
    Sch. 5 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1589. I827
    Sch. 17 para. 1 in force at 23.7.2018, see s. 212(3)(d)
  1590. I828
    Sch. 17 para. 4 in force at 23.7.2018, see s. 212(3)(d)
  1591. I829
    S. 179 in force at 23.7.2018, see s. 212(3)(e)
  1592. I830
    Sch. 3 para. 19 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1593. I831
    Sch. 3 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1594. I832
    Sch. 1 para. 23 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1595. I833
    S. 45 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1596. I834
    S. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1597. I835
    S. 143 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1598. I836
    S. 16 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(b)
  1599. I837
    Sch. 4 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1600. I838
    S. 84 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1601. I839
    S. 173 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1602. I840
    S. 180 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1603. I841
    S. 12 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(b)
  1604. I842
    S. 201 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1605. I843
    S. 122 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1606. I844
    Sch. 2 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1607. I845
    S. 62 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1608. I846
    Sch. 20 para. 50 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1609. I847
    S. 120 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1610. I848
    Sch. 4 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1611. I849
    Sch. 17 para. 2 in force at 23.7.2018, see s. 212(3)(d)
  1612. I850
    Sch. 3 para. 21 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1613. I851
    S. 88 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1614. I852
    S. 57 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1615. I853
    S. 106 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1616. I854
    S. 198 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1617. I855
    S. 61 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1618. I856
    Sch. 4 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1619. I857
    S. 116 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1620. I858
    S. 101 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1621. I859
    S. 86 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(d)
  1622. I860
    S. 25 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1623. I861
    S. 7 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(b)
  1624. I862
    Sch. 1 para. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1625. I863
    S. 81 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1626. I864
    S. 36 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1627. I865
    S. 82 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1628. I866
    S. 178 in force at 23.7.2018, see s. 212(3)(d)
  1629. I867
    S. 129 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1630. I868
    S. 75 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1631. I869
    S. 51 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1632. I870
    S. 142 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1633. I871
    S. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1634. I872
    S. 139 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1635. I873
    S. 124 not in force at Royal Assent; s. 124 in force at 23.7.2018, see s. 212(3)(a)
  1636. I874
    S. 155 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(f)
  1637. I875
    S. 1 in force at Royal Assent, see s. 212(2)(a)
  1638. I876
    S. 52 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1639. I877
    S. 56 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1640. I878
    S. 157 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1641. I879
    Sch. 18 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1642. I880
    S. 206 in force at Royal Assent, see s. 212(2)(c)
  1643. I881
    S. 134 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1644. I882
    S. 215 in force at Royal Assent, see s. 212(2)(e)
  1645. I883
    S. 31 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1646. I884
    S. 210 in force at Royal Assent, see s. 212(2)(d)
  1647. I885
    S. 118 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1648. I886
    S. 135 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1649. I887
    S. 38 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1650. I888
    S. 115 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1651. I889
    S. 85 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1652. I890
    S. 159 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(f)
  1653. I891
    S. 167 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1654. I892
    S. 97 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1655. I893
    S. 94 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(d)
  1656. I894
    S. 212 in force at Royal Assent, see s. 212(2)
  1657. I895
    S. 181 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1658. I896
    S. 3 in force at Royal Assent, see s. 212(2)(a)
  1659. I897
    S. 121 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1660. I898
    Sch. 4 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1661. I899
    S. 24 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(b)
  1662. I900
    S. 130 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1663. I901
    S. 117 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1664. I902
    Sch. 18 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1665. I903
    S. 34 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1666. I904
    S. 46 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1667. I905
    S. 69 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1668. I906
    S. 182 in force at royal Assent, see s. 212(2)(b)
  1669. I907
    S.65 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1670. I908
    S. 29 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1671. I909
    S. 39 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1672. I910
    Sch. 5 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1673. I911
    S. 76 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1674. I912
    Sch. 17 para. 3 in force at 23.7.2018, see s. 212(3)(d)
  1675. I913
    S. 70 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1676. I914
    Sch. 3 para. 20 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1677. I915
    S. 177 in force at 23.7.2018, see s. 212(3)(c)
  1678. I916
    S. 26 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1679. I917
    Sch. 18 para. 5 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1680. I918
    S. 66 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1681. I919
    Sch. 2 para. 4 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1682. I920
    Sch. 3 para. 17 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1683. I921
    S. 77 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1684. I922
    Sch. 2 para. 16 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1685. I923
    Sch. 2 para. 20 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1686. I924
    S. 197 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1687. I925
    S. 40 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1688. I926
    S. 89 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1689. I927
    S. 60 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1690. I928
    S. 98 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1691. I929
    S. 213(1) in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1692. I930
    S. 48 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1693. I931
    S. 54 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(c)
  1694. I932
    S. 119 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1695. I933
    Sch. 3 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1696. I934
    Sch. 2 para. 10 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1697. I935
    S. 199 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1698. I936
    S. 67 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1699. I937
    Sch. 2 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1700. I938
    S. 204 in force at Royal Assent, see s. 212(2)(c)
  1701. I939
    Sch. 3 para. 8 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1702. I940
    S. 68 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1703. I941
    S. 209 in force at Royal Assent, see s. 212(2)(d)
  1704. I942
    S. 211 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(g)
  1705. I943
    Sch. 3 para. 7 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1706. I944
    S. 30 in force in so far as not already in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1707. I945
    S. 168 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1708. I946
    Sch. 2 para. 6 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1709. I947
    Sch. 18 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1710. I948
    S. 55 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1711. I949
    Sch. 20 para. 18 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1712. I950
    S. 35 in force in so far as not already in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1713. I951
    Sch. 2 para. 13 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1714. I952
    S. 96 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1715. I953
    S. 184 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1716. I954
    S. 2 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(a)
  1717. I955
    S. 107 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1718. I956
    Sch. 2 para. 3 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1719. I957
    S. 33 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1720. I958
    S. 11 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1721. I959
    S. 166 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(f)
  1722. I960
    S. 72 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1723. I961
    S. 41 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1724. I962
    S. 58 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1725. I963
    S. 200 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1726. I964
    S. 79 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1727. I965
    Sch. 13 para. 1 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1728. I966
    Sch. 3 para. 12 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
  1729. I967
    S. 47 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1730. I968
    S. 44 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1731. I969
    S. 91 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1732. I970
    S. 140 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1733. I971
    S. 133 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(e)
  1734. I972
    S. 196 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(g)
  1735. I973
    S. 99 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(d)
  1736. I974
    S. 37 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1737. I975
    S. 80 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(c)
  1738. C28
    Act modified (10.3.2026) by The Surrey (Structural Changes) Order 2026 (S.I. 2026/264), arts. 1(1), 28(2)(e), 40(2)(e)
  1739. F736
    S. 13A inserted (E.W.) (31.3.2026) by Victims and Prisoners Act 2024 (c. 21), ss. 31(4), 81(2) (with s. 32); S.I. 2026/317, reg. 2
  1740. C29
    S. 13A extended (S. and N.I.) (31.3.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 11 para. 32(b); S.I. 2026/317, reg. 3
  1741. F737
    Sch. 19 para. 191 omitted (7.4.2026) by virtue of Employment Rights Act 2025 (c. 36), s. 159(3), Sch. 10 para. 90 (with s. 147, Sch. 11); S.I. 2026/323, reg. 4(1)(55)(e)
  1742. F738
    Sch. 19 para. 197 omitted (7.4.2026) by virtue of Employment Rights Act 2025 (c. 36), s. 159(3), Sch. 10 para. 90 (with s. 147, Sch. 11); S.I. 2026/323, reg. 4(1)(55)(e)