Legislation – Data Protection Act 2018


Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

Transfers of personal data to third countries etc

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers based on adequacy regulations: review etc

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, PART 4 is up to date with all changes known to be in force on or before 09 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.


PART 4 Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

(1) This Part applies to—

    (a) the processing by an intelligence service of personal data wholly or partly by automated means, and

    (b) the processing by an intelligence service otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

(2) In this Part, “intelligence service” means—

    (a) the Security Service;

    (b) the Secret Intelligence Service;

    (c) the Government Communications Headquarters.

F1 (2A) In this Part—

    “competent authority” has the same meaning as in Part 3;

    “qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.

(3) A reference in this Part to the processing of personal data is to processing to which this Part applies.

F2 (4) Regulations under this section are subject to the affirmative resolution procedure.

Definitions

83 Meaning of “controller” and “processor”

(1) In this Part, “controller” means the intelligence service which, alone or jointly with others—

    (a) determines the purposes and means of the processing of personal data, or

    (b) is the controller by virtue of subsection (2).

(2) Where personal data is processed only—

    (a) for purposes for which it is required by an enactment to be processed, and

    (b) by means by which it is required by an enactment to be processed,

the intelligence service on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

(3) In this Part, “processor” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).

84 Other definitions

(1) This section defines other expressions used in this Part.

(2) “Consent”, in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data.

(3) “Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.

(4) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(5) “Recipient”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a person to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.

(6) “Restriction of processing” means the marking of stored personal data with the aim of limiting its processing for the future.

F3 (6A) “Sensitive processing” has the meaning given in section 86(7).

(7) Sections 3 and 205 include definitions of other expressions used in this Part.

CHAPTER 2 Principles

Overview

85 Overview

(1) This Chapter sets out the six data protection principles as follows—

    (a) section 86 sets out the first data protection principle (requirement that processing be lawful, fair and transparent);

    (b) section 87 sets out the second data protection principle (requirement that the purposes of processing be specified, explicit and legitimate);

    (c) section 88 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);

    (d) section 89 sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);

    (e) section 90 sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);

    (f) section 91 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).

(2) Each of sections 86, 87 and 91 makes provision to supplement the principle to which it relates.

The data protection principles

86 The first data protection principle

(1) The first data protection principle is that the processing of personal data must be—

    (a) lawful, and

    (b) fair and transparent.

(2) The processing of personal data is lawful only if and to the extent that—

    (a) at least one of the conditions in Schedule 9 is met, and

    (b) in the case of sensitive processing, at least one of the conditions in Schedule 10 is also met.

(3) The Secretary of State may by regulations amend Schedule 10—

    (a) by adding conditions;

    (b) by F4 varying or omitting conditions added by regulations under paragraph (a).

(4) Regulations under subsection (3) are subject to the affirmative resolution procedure.

(5) In determining whether the processing of personal data is fair and transparent, regard is to be had to the method by which it is obtained.

(6) For the purposes of subsection (5), data is to be treated as obtained fairly and transparently if it consists of information obtained from a person who—

    (a) is authorised by an enactment to supply it, or

    (b) is required to supply it by an enactment or by an international obligation of the United Kingdom.

(7) In this F5 Part, “sensitive processing” means—

    (a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

    (b) the processing of genetic data for the purpose of uniquely identifying an individual;

    (c) the processing of biometric data for the purpose of uniquely identifying an individual;

    (d) the processing of data concerning health;

    (e) the processing of data concerning an individual’s sex life or sexual orientation;

    (f) the processing of personal data as to—

        (i) the commission or alleged commission of an offence by an individual, or

        (ii) proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.

87 The second data protection principle

(1) The second data protection principle is that—

    (a) the purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and

    (b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.

(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).

(3) Personal data collected by a controller for one purpose may be processed for any other purpose of the controller that collected the data or any purpose of another controller provided that—

    (a) the controller is authorised by law to process the data for that purpose, and

    (b) the processing is necessary and proportionate to that other purpose.

(4) Processing of personal data is to be regarded as compatible with the purpose for which it is collected if the processing—

    (a) consists of—

        (i) processing for archiving purposes in the public interest,

        (ii) processing for the purposes of scientific or historical research, or

        (iii) processing for statistical purposes, and

    (b) is subject to appropriate safeguards for the rights and freedoms of the data subject.

88 The third data protection principle

The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

89 The fourth data protection principle

The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date.

90 The fifth data protection principle

The fifth data protection principle is that personal data must be kept for no longer than is necessary for the purpose for which it is processed.

91 The sixth data protection principle

(1) The sixth data protection principle is that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.

(2) The risks referred to in subsection (1) include (but are not limited to) accidental or unauthorised access to, or destruction, loss, use, modification or disclosure of, personal data.

F6 91A Further provision about sensitive processing

(1) The Secretary of State may by regulations—

    (a) make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,

    (b) make provision so that added processing is not sensitive processing for the purposes of this Part,

    (c) make provision so that a protected condition in Schedule 10 may or may not be relied on in connection with added processing, and

    (d) make provision varying such a condition as it relates to added processing.

(2) In subsection (1)—

    “added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);

    “protected condition in Schedule 10” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3).

(3) Regulations under this section may amend this Part and sections 205 and 206.

(4) Regulations under this section are subject to the affirmative resolution procedure.

CHAPTER 3 Rights of the data subject

Overview

92 Overview

(1) This Chapter sets out the rights of the data subject as follows—

    (a) section 93 deals with the information to be made available to the data subject;

    (b) sections 94 and 95 deal with the right of access by the data subject;

    (c) sections 96 and 97 deal with rights in relation to automated processing;

    (d) section 98 deals with the right to information about decision-making;

    (e) section 99 deals with the right to object to processing;

    (f) section 100 deals with rights to rectification and erasure of personal data.

(2) In this Chapter, “the controller”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.

Rights

93 Right to information

(1) The controller must give a data subject the following information—

    (a) the identity and the contact details of the controller;

    (b) the legal basis on which, and the purposes for which, the controller processes personal data;

    (c) the categories of personal data relating to the data subject that are being processed;

    (d) the recipients or the categories of recipients of the personal data (if applicable);

    (e) the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

    (f) how to exercise rights under this Chapter;

    (g) any other information needed to secure that the personal data is processed fairly and transparently.

(2) The controller may comply with subsection (1) by making information generally available, where the controller considers it appropriate to do so.

(3) The controller is not required under subsection (1) to give a data subject information that the data subject already has.

(4) Where personal data relating to a data subject is collected by or on behalf of the controller from a person other than the data subject, the requirement in subsection (1) has effect, in relation to the personal data so collected, with the following exceptions—

    (a) the requirement does not apply in relation to processing that is authorised by an enactment;

    (b) the requirement does not apply in relation to the data subject if giving the information to the data subject would be impossible or involve disproportionate effort.

94 Right of access

(1) An individual is entitled to obtain from a controller—

    (a) confirmation as to whether or not personal data concerning the individual is being processed, and

    (b) where that is the case—

        (i) communication, in intelligible form, of the personal data of which that individual is the data subject, and

        (ii) the information set out in subsection (2).

(2) That information is—

    (a) the purposes of and legal basis for the processing;

    (b) the categories of personal data concerned;

    (c) the recipients or categories of recipients to whom the personal data has been disclosed;

    (d) the period for which the personal data is to be preserved;

    (e) the existence of a data subject’s rights to rectification and erasure of personal data (see section 100);

    (f) the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

    (g) any information about the origin of the personal data concerned.

F7 (2A) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.

(3) A controller is not obliged to provide information under this section unless the controller has received such reasonable fee as the controller may require, subject to subsection (4).

(4) The Secretary of State may by regulations—

    (a) specify cases in which a controller may not charge a fee;

    (b) specify the maximum amount of a fee.

(5) Where a controller—

    (a) reasonably requires further information—

        (i) in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or

        (ii) to locate the information which that individual seeks, and

    (b) has informed that individual of that requirement,

the controller is not obliged to comply with the request unless the controller is supplied with that further information.

(6) Where a controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, the controller is not obliged to comply with the request unless—

    (a) the other individual has consented to the disclosure of the information to the individual making the request, or

    (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(7) In subsection (6), the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request.

(8) Subsection (6) is not to be construed as excusing a controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(9) In determining for the purposes of subsection (6)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard must be had, in particular, to—

    (a) any duty of confidentiality owed to the other individual,

    (b) any steps taken by the controller with a view to seeking the consent of the other individual,

    (c) whether the other individual is capable of giving consent, and

    (d) any express refusal of consent by the other individual.

(10) Subject to F8 subsections (3), (5) and (6), a controller must comply with a request under subsection (1)—

    (a) promptly, and

    (b) in any event before the end of the applicable time period.

(11) If a court is satisfied on the application of an individual who has made a request under subsection (1) that the controller in question has failed to comply with the request in contravention of this section, the court may order the controller to comply with the request.

(12) A court may make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.

(13) The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.

(14) In this section—

    “the applicable time period” means—

        (a) the period of 1 month, or

        (b) such longer period, not exceeding 3 months, as may be specified in regulations made by the Secretary of State,

    beginning with the relevant time;

    “the relevant time”, in relation to a request under subsection (1), means the latest of the following—

        (a) when the controller receives the request,

        (b) when the fee (if any) is paid, and

        (c) when the controller receives the information (if any) required under subsection (5) in connection with the request.

(15) Regulations under this section are subject to the negative resolution procedure.

95 Right of access: supplementary

(1) The controller must comply with the obligation imposed by section 94(1)(b)(i) by supplying the data subject with a copy of the information in writing unless—

    (a) the supply of such a copy is not possible or would involve disproportionate effort, or

    (b) the data subject agrees otherwise;

and where any of the information referred to in section 94(1)(b)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(2) Where a controller has previously complied with a request made under section 94 by an individual, the controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(3) In determining for the purposes of subsection (2) whether requests under section 94 are made at reasonable intervals, regard must be had to—

    (a) the nature of the data,

    (b) the purpose for which the data is processed, and

    (c) the frequency with which the data is altered.

(4) The information to be supplied pursuant to a request under section 94 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(5) For the purposes of section 94(6) to (8), an individual can be identified from information to be disclosed to a data subject by a controller if the individual can be identified from—

    (a) that information, or

    (b) that and any other information that the controller reasonably believes the data subject making the request is likely to possess or obtain.

96 Right not to be subject to automated decision-making

(1)

The controller may not take a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject.

(2)

Subsection (1) does not prevent such a decision being made on that basis if—

(a)

the decision is required or authorised by law,

(b)

the data subject has given consent to the decision being made on that basis, or

(c)

the decision is a decision taken in the course of steps taken—

(i)

for the purpose of considering whether to enter into a contract with the data subject,

(ii)

with a view to entering into such a contract, or

(iii)

in the course of performing such a contract.

(3)

For the purposes of this section, a decision that has legal effects as regards an individual is to be regarded as significantly affecting the individual.

97 Right to intervene in automated decision-making

(1)

This section applies where—

(a)

the controller takes a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject, and

(b)

the decision is required or authorised by law.

(2)

This section does not apply to such a decision if—

(a)

the data subject has given consent to the decision being made on that basis, or

(b)

the decision is a decision taken in the course of steps taken—

(i)

for the purpose of considering whether to enter into a contract with the data subject,

(ii)

with a view to entering into such a contract, or

(iii)

in the course of performing such a contract.

(3)

The controller must as soon as reasonably practicable notify the data subject that such a decision has been made.

(4)

The data subject may, before the end of the period of 1 month beginning with receipt of the notification, request the controller—

(a)

to reconsider the decision, or

(b)

to take a new decision that is not based solely on automated processing.

(5)

If a request is made to the controller under subsection (4), the controller must, before the end of the period of 1 month beginning with receipt of the request—

(a)

consider the request, including any information provided by the data subject that is relevant to it, and

(b)

by notice in writing inform the data subject of the outcome of that consideration.

(6)

For the purposes of this section, a decision that has legal effects as regards an individual is to be regarded as significantly affecting the individual.

98 Right to information about decision-making

(1)

Where—

(a)

the controller processes personal data relating to a data subject, and

(b)

results produced by the processing are applied to the data subject,

the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing.

(2)

Where the data subject makes a request under subsection (1), the controller must comply with the request without undue delay.

99 Right to object to processing

(1)

A data subject is entitled at any time, by notice given to the controller, to require the controller—

(a)

not to process personal data relating to the data subject, or

(b)

not to process such data for a specified purpose or in a specified manner,

on the ground that, for specified reasons relating to the situation of the data subject, the processing in question is an unwarranted interference with the interests or rights of the data subject.

(2)

Where the controller—

(a)

reasonably requires further information—

(i)

in order that the controller be satisfied as to the identity of the individual giving notice under subsection (1), or

(ii)

to locate the data to which the notice relates, and

(b)

has informed that individual of that requirement,

the controller is not obliged to comply with the notice unless the controller is supplied with that further information.

(3)

The controller must, before the end of 21 days beginning with the relevant time, give a notice to the data subject—

(a)

stating that the controller has complied or intends to comply with the notice under subsection (1), or

(b)

stating the controller’s reasons for not complying with the notice to any extent and the extent (if any) to which the controller has complied or intends to comply with the notice under subsection (1).

(4)

If the controller does not comply with a notice under subsection (1) to any extent, the data subject may apply to a court for an order that the controller take steps for complying with the notice.

(5)

If the court is satisfied that the controller should comply with the notice (or should comply to any extent), the court may order the controller to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(6)

A court may make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.

(7)

The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.

(8)

In this section, “the relevant time”, in relation to a notice under subsection (1), means—

(a)

when the controller receives the notice, or

(b)

if later, when the controller receives the information (if any) required under subsection (2) in connection with the notice.

100 Rights to rectification and erasure

(1)

If a court is satisfied on the application of a data subject that personal data relating to the data subject is inaccurate, the court may order the controller to rectify that data without undue delay.

(2)

If a court is satisfied on the application of a data subject that the processing of personal data relating to the data subject would infringe any of sections 86 to 91, the court may order the controller to erase that data without undue delay.

(3)

If personal data relating to the data subject must be maintained for the purposes of evidence, the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.

(4)

If—

(a)

the data subject contests the accuracy of personal data, and

(b)

the court is satisfied that the controller is not able to ascertain whether the data is accurate or not,

the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.

(5)

A court may make an order under this section in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for carrying out the rectification, erasure or restriction of processing that the court proposes to order.

(6)

The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.

CHAPTER 4 Controller and processor

Overview

101 Overview

This Chapter sets out—

(a)

the general obligations of controllers and processors (see sections 102 to 106);

(b)

specific obligations of controllers and processors with respect to security (see section 107);

(c)

specific obligations of controllers and processors with respect to personal data breaches (see section 108).

General obligations

102 General obligations of the controller

Each controller must implement appropriate measures—

(a)

to ensure, and

(b)

to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.

103 Data protection by design

(1)

Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.

(2)

A controller must implement appropriate technical and organisational measures which are designed to ensure that—

(a)

the data protection principles are implemented, and

(b)

risks to the rights and freedoms of data subjects are minimised.

104 Joint controllers

(1)

Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2)

Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3)

The arrangement must designate the controller which is to be the contact point for data subjects.

105 Processors

(1)

This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2)

The controller may use only a processor who undertakes—

(a)

to implement appropriate measures that are sufficient to secure that the processing complies with this Part;

(b)

to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.

(3)

If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

106 Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a)

on instructions from the controller, or

(b)

to comply with a legal obligation.

Obligations relating to security

107 Security of processing

(1)

Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.

(2)

In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—

(a)

prevent unauthorised processing or unauthorised interference with the systems used in connection with it,

(b)

ensure that it is possible to establish the precise details of any processing that takes place,

(c)

ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d)

ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

Obligations relating to personal data breaches

108 Communication of a personal data breach

(1)

If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.

(2)

Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(3)

Subject to subsection (4), the notification must include—

(a)

a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b)

the name and contact details of the contact point from whom more information can be obtained;

(c)

a description of the likely consequences of the personal data breach;

(d)

a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(4)

Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.

(5)

If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.

(6)

Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.

(7)

For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

(1)

A controller may not transfer personal data to—

(a)

a country or territory outside the United Kingdom, or

(b)

an international organisation,

unless the transfer falls within subsection (2).

(2)

A transfer of personal data falls within this subsection if the transfer is a necessary and proportionate measure carried out—

(a)

for the purposes of the controller’s statutory functions, or

(b)

for other purposes provided for, in relation to the controller, in section 2(2)(a) of the Security Service Act 1989 or section 2(2)(a) or 4(2)(a) of the Intelligence Services Act 1994.

CHAPTER 6 Exemptions

110 National security

(1)

A provision mentioned in subsection (2) does not apply to personal data to which this Part applies if exemption from the provision is required for the purpose of safeguarding national security.

(2)

The provisions are—

(a)

Chapter 2 of this Part (the data protection principles), except section 86(1)(a) and (2) and Schedules 9 and 10;

(b)

Chapter 3 of this Part (rights of data subjects);

(c)

in Chapter 4 of this Part, section 108 (communication of a personal data breach to the Commissioner);

(d)

in Part 5—

(i)

section 119 (inspection in accordance with international obligations);

(ii)

in Schedule 13 (other general functions of the Commissioner), paragraphs 1(a) and (g) and 2;

(e)

in Part 6—

(i)

sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);

(ii)

sections 170 to 173 (offences relating to personal data);

(iii)

sections 174 to 176 (provision relating to the special purposes).

111 National security: certificate

(1)

Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in section 110(2) is, or at any time was, required for the purpose of safeguarding national security in respect of any personal data is conclusive evidence of that fact.

(2)

A certificate under subsection (1)—

(a)

may identify the personal data to which it applies by means of a general description, and

(b)

may be expressed to have prospective effect.

(3)

Any person directly affected by the issuing of a certificate under subsection (1) may appeal to the Tribunal against the certificate.

(4)

If on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may—

(a)

allow the appeal, and

(b)

quash the certificate.

(5)

Where, in any proceedings under or by virtue of this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.

(6)

But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.

(7)

On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.

(8)

A document purporting to be a certificate under subsection (1) is to be—

(a)

received in evidence, and

(b)

deemed to be such a certificate unless the contrary is proved.

(9)

A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—

(a)

in any legal proceedings, evidence of that certificate, and

(b)

in any legal proceedings in Scotland, sufficient evidence of that certificate.

(10)

The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—

(a)

a Minister who is a member of the Cabinet, or

(b)

the Attorney General or the Advocate General for Scotland.

112 Other exemptions

Schedule 11 provides for further exemptions.

113 Power to make further exemptions

(1)

The Secretary of State may by regulations amend Schedule 11—

(a)

by adding exemptions from any provision of this Part;

(b)

by omitting exemptions added by regulations under paragraph (a).

(2)

Regulations under this section are subject to the affirmative resolution procedure.

Annotations:
Commencement Information

I34 S. 113 in force at Royal Assent for specified purposes, see s. 212(2)(f)

I35 S. 113 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(d)