Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Article 57(3) of the UK GDPR (performance of Commissioner’s tasks…

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

13A Meaning of “relevant offence” for purpose of right to erasure

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers approved by regulations: monitoring

75 Transfers subject to appropriate safeguards

76 Transfers based on special circumstances

Additional conditions

77 Additional conditions for transfers in reliance on section 73(4)(b)

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

146A Assessment notices: approval of person to prepare report etc

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

148A Interview notices

148B Interview notices: restrictions

148C False statements made in response to interview notices

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, Cross Heading: General principles for transfers is up to date with all changes known to be in force on or before 03 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.


View outstanding changes

Changes and effects yet to be applied to Part 3 Chapter 5 Crossheading General-principles-for-transfers:

Changes and effects yet to be applied to the whole Act associated Parts and Chapters:

Whole provisions yet to be inserted into this Act (including any effects on those provisions):

PART 3Law enforcement processing

CHAPTER 5Transfers of personal data to third countries etc

General principles for transfers

73General principles for transfers of personal data

F1A1

This section applies in relation to a transfer of personal data to a third country or international organisation for a law enforcement purpose.

(1)

F2The controller in relation to the transfer must secure that the transfer takes place only if—

(a)

the three conditions set out in subsections (2) to (4) are met, F3

(b)

in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State F4…, that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State F5, and—

(c)

the transfer is carried out in accordance with the other provisions of this Part.

(2)

Condition 1 is that the transfer is necessary for any of the law enforcement purposes.

F6(3)

Condition 2 is that the transfer—

(a)

is approved by regulations under section 74AA that are in force at the time of the transfer,

(b)

is made subject to appropriate safeguards (see section 75), or

(c)

is based on special circumstances (see section 76).

(4)

Condition 3 is that—

(a)

the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation,

F7(aa)

the intended recipient is a person in a third country who—

(i)

is not a person described in paragraph (a), but

(ii)

is a processor whose processing, on behalf of the controller, of the personal data transferred is governed by, or authorised in accordance with, a contract with the controller that complies with section 59, or

(b)

in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—

(i)

the intended recipient is a person in a third country F8who is not a person described in paragraph (a) or (aa), and

(ii)

the additional conditions in section 77 are met.

(5)

Authorisation is not required as mentioned in subsection (1)(b) if—

(a)

the transfer is necessary for the prevention of an immediate and serious threat F9to the public security, national security or essential interests of a third country or the United Kingdom, and

(b)

the authorisation cannot be obtained in good time.

(6)

Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.

(7)

In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.

F1074Transfers on the basis of an adequacy decision

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F1174ATransfers based on adequacy regulations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F1274AATransfers approved by regulations

(1)

For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to—

(a)

a third country, or

(b)

an international organisation.

(2)

The Secretary of State may only make regulations under this section approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see section 74AB).

(3)

In making regulations under this section, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.

(4)

Regulations under this section may, among other things—

(a)

make provision by reference to a third country or international organisation specified in the regulations or a description of country or organisation;

(b)

approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;

(c)

identify a transfer of personal data by any means, including by reference to—

(i)

a sector or geographic area within a third country,

(ii)

the controller or processor,

(iii)

the recipient of the personal data,

(iv)

the personal data transferred,

(v)

the means by which the transfer is made, or

(vi)

relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;

(d)

confer a discretion on a person.

(5)

Regulations under this section are subject to the negative resolution procedure.

74ABThe data protection test

(1)

For the purposes of section 74AA, the data protection test is met in relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—

(a)

this Part, and

(b)

Parts 5 to 7, so far as relevant to law enforcement processing.

(2)

In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—

(a)

respect for the rule of law and for human rights in the country or by the organisation,

(b)

the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,

(c)

arrangements for judicial or non-judicial redress for data subjects in connection with such processing,

(d)

rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,

(e)

relevant international obligations of the country or organisation, and

(f)

the constitution, traditions and culture of the country or organisation.

(3)

In subsections (1) and (2)—

(a)

the references to the protection provided for data subjects are to that protection taken as a whole,

(b)

the references to law enforcement processing are to processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and

(c)

the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2).

(4)

When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))—

(a)

the references in subsections (1) to (3) to personal data are to be read as references only to personal data likely to be the subject of such transfers, and

(b)

the reference in subsection (2)(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.

F1374BF14Transfers approved by regulations: monitoring

F15(1)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F15(2)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3)

The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations F16giving approval under section 74AA or to amend or revoke such regulations.

(4)

F17Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under section 74AA, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5)

Where regulations under F18section 74AA are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to F19improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation.

(6)

The Secretary of State must publish—

(a)

a list of the third countries F20… and international organisations, and the descriptions of such countries F21… and organisations, which are for the time being F22approved by regulations under section 74AA as places or persons to which personal data may be transferred, and

(b)

a list of the third countries F23… and international organisations, and the descriptions of such countries F24… and organisations, which have been but are no longer F25approved by such regulations.

(7)

In the case of F26regulations under section 74AA which approve only certain transfers to a third country or international organisation that are specified or described in the regulations F27(in accordance with section 74AA(4)(b))

F28(a)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b)

the lists published under subsection (6) must specify or describe the relevant transfers.

75Transfers F29subject to appropriate safeguards

F30(1)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F31(1A)

A transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards only if—

(a)

an appropriate legal instrument binds the intended recipient of the data (see subsection (4)), or

(b)

the controller, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see subsection (5)).

(2)

The controller must inform the Commissioner about the categories of data transfers that take place in reliance on F32subsection (1A)(b) but not in reliance on section 73(4)(aa) (transfer to processor).

(3)

Where a transfer of data takes place in reliance on F33this section but not in reliance on section 73(4)(aa) (transfer to processor)

(a)

the transfer must be documented,

(b)

the documentation must be provided to the Commissioner on request, and

(c)

the documentation must include, in particular—

(i)

the date and time of the transfer,

(ii)

the name of and any other pertinent information about the recipient,

(iii)

the justification for the transfer, and

(iv)

a description of the personal data transferred.

F34(4)

For the purposes of this section, a legal instrument is “appropriate”, in relation to a transfer of personal data, if—

(a)

the instrument is intended to be relied on in connection with the transfer or that type of transfer,

(b)

at least one competent authority is a party to the instrument, and

(c)

each competent authority that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)).

(5)

For the purposes of this section, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—

(a)

this Part, and

(b)

Parts 5 to 7, so far as they relate to processing by a competent authority for any of the law enforcement purposes.

(6)

For the purposes of subsections (1A)(b) and (4)(c), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.

(7)

In this section, references to the protection provided for the data subject are to that protection taken as a whole.

F35(8)

For provision about standard data protection clauses which the Commissioner considers are capable of securing that the data protection test in this section is met, see section 119A.

76Transfers F36based on special circumstances

F37A1

A transfer of personal data to a third country or international organisation is based on special circumstances where—

(a)

it is made in the absence of approval by regulations under section 74AA and of compliance with section 75 (appropriate safeguards), and

(b)

it is necessary for a special purpose.

(1)

F38A transfer of personal data is necessary for a special purpose if it is necessary—

(a)

to protect the vital interests of the data subject or another person,

(b)

to safeguard the legitimate interests of the data subject,

(c)

for the prevention of an immediate and serious threat to the public security F39or national security of F40… a third country F41or the United Kingdom,

(d)

F42in particular circumstances, for any of the law enforcement purposes, or

(e)

F43in particular circumstances, for a legal purpose.

(2)

F44But a transfer of personal data is not necessary for a special purpose by virtue of subsection (1)(d) or (e) if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.

F45(2A)

In accordance with the third data protection principle, the amount of personal data transferred in reliance on this section must not be excessive in relation to the special purpose relied on.

(3)

Where a transfer of data takes place in reliance on F46this section

(a)

the transfer must be documented,

(b)

the documentation must be provided to the Commissioner on request, and

(c)

the documentation must include, in particular—

(i)

the date and time of the transfer,

(ii)

the name of and any other pertinent information about the recipient,

(iii)

the justification for the transfer, and

(iv)

a description of the personal data transferred.

(4)

For the purposes of this section, a transfer is necessary for a legal purpose if—

(a)

it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,

(b)

it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or

(c)

it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.