Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

Transfers of personal data to third countries etc

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers based on adequacy regulations: review etc

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, CHAPTER 2 is up to date with all changes known to be in force on or before 04 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

PART 2General processing

CHAPTER 2F1 The UK GDPR

Meaning of certain terms used in the F2UK GDPR

6Meaning of “controller”

(1)

The definition of “controller” in Article 4(7) of the F3UK GDPR has effect subject to—

(a)

subsection (2),

(b)

section 209, and

(c)

section 210.

(2)

For the purposes of the F4UK GDPR, where personal data is processed only—

(a)

for purposes for which it is required by an enactment to be processed, and

(b)

by means by which it is required by an enactment to be processed,

the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

7Meaning of “public authority” and “public body”

(1)

For the purposes of the F5UK GDPR, the following (and only the following) are “public authorities” and “public bodies” F6…—

(a)

a public authority as defined by the Freedom of Information Act 2000,

(b)

a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13),

F7(ba)

the Advanced Research and Invention Agency, and

(c)

an authority or body specified or described by the Secretary of State in regulations,

subject to subsections (2), (3) and (4).

(2)

An authority or body that falls within subsection (1) is only a “public authority” or “public body” for the purposes of the F8UK GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.

(3)

The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—

(a)

a parish council in England;

(b)

a community council in Wales;

(c)

a community council in Scotland;

(d)

a parish meeting constituted under section 13 of the Local Government Act 1972;

(e)

a community meeting constituted under section 27 of that Act;

(f)

charter trustees constituted—

(i)

under section 246 of that Act,

(ii)

under Part 1 of the Local Government and Public Involvement in Health Act 2007, or

(iii)

by the Charter Trustees Regulations 1996 (S.I. 1996/263).

(4)

The Secretary of State may by regulations provide that a person specified or described in the regulations that is a public authority F9described or mentioned in subsection (1)(a), (b) or (ba) is not a “public authority” or “public body” for the purposes of the F10UK GDPR.

(5)

Regulations under this section are subject to the affirmative resolution procedure.

Lawfulness of processing

8Lawfulness of processing: public interest etc

In Article 6(1) of the F11UK GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for—

(a)

the administration of justice,

(b)

the exercise of a function of either House of Parliament,

(c)

the exercise of a function conferred on a person by an enactment or rule of law,

(d)

the exercise of a function of the Crown, a Minister of the Crown or a government department, or

(e)

an activity that supports or promotes democratic engagement.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F13Relevant international law

9AProcessing in reliance on relevant international law

(1)

Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.

(2)

A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.

(3)

The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—

(a)

conditions,

(b)

provision about the purposes for which a condition may be relied on, and

(c)

safeguards in connection with processing carried out in reliance on a condition in the Schedule.

(4)

Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.

(5)

Regulations under this section are subject to the affirmative resolution procedure.

(6)

In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).

Special categories of personal data

10Special categories of personal data and criminal convictions etc data

(1)

Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the F14UK GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—

(a)

point (b)
(employment, social security and social protection);

(b)

point (g)
(substantial public interest);

(c)

point (h)
(health and social care);

(d)

point (i)
(public health);

(e)

point (j)
(archiving, research and statistics).

(2)

The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the F15UK GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.

(3)

The processing meets the requirement in point (g) of Article 9(2) of the F16UK GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.

(4)

Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5)

The processing meets the requirement in Article F1710(1) of the UK GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

(6)

The Secretary of State may by regulations—

(a)

amend Schedule 1—

(i)

by adding or varying conditions or safeguards, and

(ii)

by omitting conditions or safeguards added by regulations under this section, and

(b)

consequentially amend this section.

(7)

Regulations under this section are subject to the affirmative resolution procedure.

11Special categories of personal data etc: supplementary

(1)

For the purposes of Article 9(2)(h) of the F18UK GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the F18UK GDPR (obligation of secrecy) include circumstances in which it is carried out—

(a)

by or under the responsibility of a health professional or a social work professional, or

(b)

by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

(2)

In Article 10 of the F19UK GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—

(a)

the alleged commission of offences by the data subject, or

(b)

proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Rights of the data subject

12Limits on fees that may be charged by controllers

(1)

The Secretary of State may by regulations specify limits on the fees that a controller may charge in reliance on—

(a)

Article 12(5) of the F20UK GDPR (reasonable fees when responding to manifestly unfounded or excessive requests), or

(b)

Article 15(3) of the F21UK GDPR (reasonable fees for provision of further copies).

(2)

The Secretary of State may by regulations—

(a)

require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in reliance on those provisions, and

(b)

specify what the guidance must include.

(3)

Regulations under this section are subject to the negative resolution procedure.

13Obligations of credit reference agencies

(1)

This section applies where a controller is a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974).

(2)

The controller’s obligations under Article 15(1) to (3) of the F22UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject’s financial standing, unless the data subject has indicated a contrary intention.

(3)

Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the F23UK GDPR, the disclosure must be accompanied by a statement informing the data subject of the data subject’s rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).

14Automated decision-making authorised by law: safeguards

(1)

This section makes provision for the purposes of Article 22(2)(b) of the F24UK GDPR (exception from Article 22(1) of the F24UK GDPR for significant decisions based solely on automated processing that are F25required or authorised under the law of the United Kingdom or a part of the United Kingdom and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).

(2)

A decision is a “significant decision” for the purposes of this section if, in relation to a data subject, it—

(a)

produces legal effects concerning the data subject, or

(b)

similarly significantly affects the data subject.

(3)

A decision is a “qualifying significant decision” for the purposes of this section if—

(a)

it is a significant decision in relation to a data subject,

(b)

it is required or authorised by law, and

(c)

it does not fall within Article 22(2)(a) or (c) of the F26UK GDPR (decisions necessary to a contract or made with the data subject’s consent).

(4)

Where a controller takes a qualifying significant decision in relation to a data subject based solely on automated processing—

(a)

the controller must, as soon as reasonably practicable, notify the data subject in writing that a decision has been taken based solely on automated processing, and

(b)

the data subject may, before the end of the period of 1 month beginning with receipt of the notification, request the controller to—

(i)

reconsider the decision, or

(ii)

take a new decision that is not based solely on automated processing.

(5)

If a request is made to a controller under subsection (4), the controller must, within the period described in Article 12(3) of the F27UK GDPR

(a)

consider the request, including any information provided by the data subject that is relevant to it,

(b)

comply with the request, and

(c)

by notice in writing inform the data subject of—

(i)

the steps taken to comply with the request, and

(ii)

the outcome of complying with the request.

(6)

In connection with this section, a controller has the powers and obligations under Article 12 of the F28UK GDPR (transparency, procedure for extending time for acting on request, fees, manifestly unfounded or excessive requests etc) that apply in connection with Article 22 of the F28UK GDPR.

(7)

The Secretary of State may by regulations make such further provision as the Secretary of State considers appropriate to provide suitable measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing.

(8)

Regulations under subsection (7)—

(a)

may amend this section, and

(b)

are subject to the affirmative resolution procedure.

F29Exemptions etc

15Exemptions etc

(1)

Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the F30UK GDPR.

(2)

In Schedule 2—

(a)

Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the F31UK GDPR in specified circumstances F32(of a kind described in Article 6(3) and Article 23(1) of the F33UK GDPR);

(b)

Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the F34UK GDPR in specified circumstances F35(of a kind described in Article 23(1) of the F36UK GDPR);

(c)

Part 3 makes provision restricting the application of Article 15 of the F37UK GDPR where this is necessary to protect the rights of others F38(of a kind described in Article 23(1) of the F39UK GDPR);

(d)

Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the F40UK GDPR in specified circumstances F41(of a kind described in Article 23(1) of the F42UK GDPR);

(e)

Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV F43and V of the UK GDPR for reasons relating to freedom of expression F44(of a kind described in Article 85(2) of the UK GDPR);

(f)

Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the F45UK GDPR for scientific or historical research purposes, statistical purposes and archiving purposes F46….

(3)

Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the F47UK GDPR to health, social work, education and child abuse data F48(of a kind described in Article 23(1) of the F49UK GDPR).

(4)

Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the F50UK GDPR to information the disclosure of which is prohibited or restricted by an enactment F51(of a kind described in Article 23(1) of the F52UK GDPR).

F53(4A)

In connection with the manual unstructured processing of personal data held by an FOI public authority, see Chapter 3 of this Part (sections 21, 24 and 25).

(5)

In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part F54(sections 26 to 28).

16Power to make further exemptions etc by regulations

(1)

The following powers to make provision altering the application of the F55UK GDPR may be exercised by way of regulations made by the Secretary of State under this section—

(a)

the power in Article 6(3) F56… to lay down a legal basis containing specific provisions to adapt the application of rules of the F57UK GDPR where processing is necessary for compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of official authority;

(b)

the power in Article 23(1) to make F58provision restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest;

(c)

the power in Article 85(2) to provide for exemptions or derogations from certain Chapters of the F59UK GDPR where necessary to reconcile the protection of personal data with the freedom of expression and information.

(2)

Regulations under this section may—

(a)

amend Schedules 2 to 4—

(i)

by adding or varying provisions, and

(ii)

by omitting provisions added by regulations under this section, F60

(b)

consequentially amend section 15 F61, and

(c)

consequentially amend the UK GDPR by adding, varying or omitting a reference to section 15, Schedule 2, 3 or 4, this section or regulations under this section.

(3)

Regulations under this section are subject to the affirmative resolution procedure.

F62Certification

17Accreditation of certification providers

(1)

Accreditation of a person as a certification provider is only valid when carried out by—

(a)

the Commissioner, or

(b)

the F63UK national accreditation body.

(2)

The Commissioner may only accredit a person as a certification provider where the Commissioner—

(a)

has published a statement that the Commissioner will carry out such accreditation, and

(b)

has not published a notice withdrawing that statement.

(3)

The F64UK national accreditation body may only accredit a person as a certification provider where the Commissioner—

(a)

has published a statement that the body may carry out such accreditation, and

(b)

has not published a notice withdrawing that statement.

(4)

The publication of a notice under subsection (2)(b) or (3)(b) does not affect the validity of any accreditation carried out before its publication.

(5)

Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.

(6)

The F65UK national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body’s functions under this section, Schedule 5 and Article 43 of the F66UK GDPR.

(7)

The F67UK national accreditation body must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the F68UK GDPR as the Secretary of State may reasonably require.

(8)

In this section—

certification provider” means a person who issues certification for the purposes of Article 42 of the F69UK GDPR;

the F70UK national accreditation body” means the F70UK national accreditation body for the purposes of Article 4(1) of Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.

Transfers of personal data to third countries etc

F7117ATransfers based on adequacy regulations

(1)

The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)

a third country,

(b)

a territory or one or more sectors within a third country,

(c)

an international organisation, or

(d)

a description of such a country, territory, sector or organisation.

(2)

For the purposes of the UK GDPR and this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)

in the case of a third country, the country or a relevant territory or sector within the country, or

(b)

in the case of an international organisation, the organisation.

(3)

Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4)

Article 45(2) of the UK GDPR makes provision about the assessment of the adequacy of the level of protection for the purposes of this section and section 17B.

(5)

Regulations under this section—

(a)

where they relate to a third country, must specify their territorial and sectoral application;

(b)

where applicable, must specify the independent supervisory authority or authorities referred to in Article 45(2)(b) of the UK GDPR.

(6)

Regulations under this section may, among other things—

(a)

provide that in relation to a country, territory, sector, organisation or transfer specified, or falling within a description specified, in the regulations, section 17B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)

identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)

confer a discretion on a person.

(7)

Regulations under this section are subject to the negative resolution procedure.

F7117BTransfers based on adequacy regulations: review etc

(1)

For so long as regulations under section 17A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2)

Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3)

The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 17A or to amend or revoke such regulations.

(4)

Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 17A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5)

Where regulations under section 17A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6)

The Secretary of State must publish—

(a)

a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 17A, and

(b)

a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7)

In the case of regulations under section 17A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)

the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)

the lists published under subsection (6) must specify or describe the relevant transfers.

F7117CStandard data protection clauses

(1)

The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 119A).

(2)

The Secretary of State must keep under review the standard data protection clauses specified in regulations under this section that are for the time being in force.

(3)

Regulations under this section are subject to the negative resolution procedure.

18Transfers of personal data to third countries etcF72: public interest

(1)

The Secretary of State may by regulations specify, for the purposes of Article 49(1)(d) of the F73UK GDPR

(a)

circumstances in which a transfer of personal data to a third country or international organisation is to be taken to be necessary for important reasons of public interest, and

(b)

circumstances in which a transfer of personal data to a third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.

(2)

The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where—

F74(a)

the transfer cannot take place based on adequacy regulations (see section 17A), and

(b)

the Secretary of State considers the restriction to be necessary for important reasons of public interest.

(3)

Regulations under this section—

(a)

are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b)

are otherwise subject to the affirmative resolution procedure.

(4)

For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.

Specific processing situations

19Processing for archiving, research and statistical purposes: safeguards

(1)

This section makes provision about—

(a)

processing of personal data that is necessary for archiving purposes in the public interest,

(b)

processing of personal data that is necessary for scientific or historical research purposes, and

(c)

processing of personal data that is necessary for statistical purposes.

(2)

Such processing does not satisfy the requirement in Article 89(1) of the F75UK GDPR for the processing to be subject to appropriate safeguards for the rights and freedoms of the data subject if it is likely to cause substantial damage or substantial distress to a data subject.

(3)

Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.

(4)

In this section—

approved medical research” means medical research carried out by a person who has approval to carry out that research from—

(a)

a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or

(b)

a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—

  1. (i)

    the Secretary of State, the Scottish Ministers, the Welsh Ministers, or a Northern Ireland department;

  2. (ii)

    a relevant NHS body;

  3. (iii)

    United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;

  4. (iv)

    an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);

relevant NHS body” means—

(a)

an NHS trust or NHS foundation trust in England,

(b)

an NHS trust or Local Health Board in Wales,

(c)

a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,

(d)

the Common Services Agency for the Scottish Health Service, or

(e)

any of the health and social care bodies in Northern Ireland falling within paragraphs (a) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).

(5)

The Secretary of State may by regulations change the meaning of “approved medical research” for the purposes of this section, including by amending subsection (4).

(6)

Regulations under subsection (5) are subject to the affirmative resolution procedure.

Minor definition

F7620Meaning of “court”

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .