Legislation – Data Protection Act 2018

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Article 57(3) of the UK GDPR (performance of Commissioner’s tasks…

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

13A Meaning of “relevant offence” for purpose of right to erasure

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers approved by regulations: monitoring

75 Transfers subject to appropriate safeguards

76 Transfers based on special circumstances

Additional conditions

77 Additional conditions for transfers in reliance on section 73(4)(b)

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

146A Assessment notices: approval of person to prepare report etc

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

148A Interview notices

148B Interview notices: restrictions

148C False statements made in response to interview notices

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, PART 5 is up to date with all changes known to be in force on or before 13 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.

PART 5 The Information Commissioner

The Commissioner

114 The Information Commissioner

(1)

There is to continue to be an Information Commissioner.

(2)

Schedule 12 makes provision about the Commissioner.

F1 The Information Commission

114A The Information Commission

(1)

A body corporate called the Information Commission is established.

(2)

Schedule 12A makes further provision about the Commission.

General functions

115 General functions under the F2UK GDPR and safeguards

F3(1)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(2)

General functions are conferred on the Commissioner by—

(a)

Article 57 of the F4UK GDPR (tasks), and

(b)

Article 58 of the F5UK GDPR (powers),

(and see also the Commissioner’s duty under section 2 F6and section 28(5)).

(3)

The Commissioner’s functions in relation to the processing of personal data to which the F7UK GDPR applies include—

(a)

a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data, and

(b)

a power to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.

(4)

The Commissioner’s functions under Article 58 of the F8UK GDPR are subject to the safeguards in subsections (5) to (9).

(5)

The Commissioner’s power under Article 58(1)(a) of the F9UK GDPR (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner’s tasks under the F9UK GDPR) is exercisable only by giving an information notice under section 142.

(6)

The Commissioner’s power under Article 58(1)(b) of the F10UK GDPR (power to carry out data protection audits) is exercisable only in accordance with section 146.

(7)

The Commissioner’s powers under Article 58(1)(e) and (f) of the F11UK GDPR (power to obtain information from controllers and processors and access to their premises) are exercisable only—

(a)

in accordance with Schedule 15 (see section 154), or

(b)

to the extent that they are exercised in conjunction with the power under Article 58(1)(b) of the F11UK GDPR, in accordance with section 146.

(8)

The following powers are exercisable only by giving an enforcement notice under section 149—

(a)

the Commissioner’s powers under Article 58(2)(c) to (g) and (j) of the F12UK GDPR (certain corrective powers);

(b)

the Commissioner’s powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the F13UK GDPR.

(9)

The Commissioner’s powers under Articles 58(2)(i) and 83 of the F14UK GDPR (administrative fines) are exercisable only by giving a penalty notice under section 155.

(10)

This section is without prejudice to other functions conferred on the Commissioner, whether by the F15UK GDPR, this Act or otherwise.

116 Other general functions

F16(A1)

The Commissioner is responsible for monitoring the application of Part 3 of this Act, in order to protect the fundamental rights and freedoms of individuals in relation to processing by a competent authority for any of the law enforcement purposes (as defined in Part 3) and to facilitate the free flow of personal data.

(1)

The Commissioner—

F17(a)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b)

is to continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Data Protection Convention.

(2)

Schedule 13 confers general functions on the Commissioner in connection with processing to which the F18UK GDPR does not apply (and see also the Commissioner’s duty under section 2).

(3)

This section and Schedule 13 are without prejudice to other functions conferred on the Commissioner, whether by this Act or otherwise.

117 Competence in relation to courts etc

Nothing in this Act F19or the UK GDPR permits or requires the Commissioner to exercise functions in relation to the processing of personal data by—

(a)

an individual acting in a judicial capacity, or

(b)

a court or tribunal acting in its judicial capacity F20….

International role

118 F21Co-operation between parties to the Data Protection Convention

F22(1)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F22(2)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F22(3)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F22(4)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5)

Part 2 of Schedule 14 makes provision as to the functions to be carried out by the Commissioner for the purposes of Article 13 of the Data Protection Convention (co-operation between parties).

119 Inspection of personal data in accordance with international obligations

(1)

The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2).

(2)

The power under subsection (1) is exercisable only if the personal data—

(a)

is processed wholly or partly by automated means, or

(b)

is processed otherwise than by automated means and forms part of a filing system or is intended to form part of a filing system.

(3)

The power under subsection (1) includes power to inspect, operate and test equipment which is used for the processing of personal data.

(4)

Before exercising the power under subsection (1), the Commissioner must by written notice inform the controller and any processor that the Commissioner intends to do so.

(5)

Subsection (4) does not apply if the Commissioner considers that the case is urgent.

(6)

It is an offence—

(a)

intentionally to obstruct a person exercising the power under subsection (1), or

(b)

to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.

(7)

Paragraphs (c) and (d) of section 3(14) do not apply to references in this section to personal data, the processing of personal data, a controller or a processor.

F23 119A Standard clauses for transfers to third countries etc

(1)

The Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers F24are capable of securing that the data protection test set out in Article 46 of the UK GDPR or section 75 of this Act (or both) is met in relation to transfers of personal data.

(2)

The Commissioner may issue a document that amends or withdraws a document issued under subsection (1).

(3)

A document issued under this section—

(a)

must specify when it comes into force,

F25(aa)

may make provision generally or in relation to types of transfer described in the document,

(b)

may make different provision for different purposes, and

(c)

may include transitional provision or savings.

(4)

Before issuing a document under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)

trade associations;

(b)

data subjects;

(c)

persons who appear to the Commissioner to represent the interests of data subjects.

(5)

After a document is issued under this section—

(a)

the Commissioner must send a copy to the Secretary of State, and

(b)

the Secretary of State must lay it before Parliament.

(6)

If, within the 40-day period, either House of Parliament resolves not to approve the document then, with effect from the end of the day on which the resolution is passed, the document is to be treated as not having been issued under this section (so that the document, and any amendment or withdrawal made by the document, is to be disregarded for the purposes of Article 46(2)(d) of the UK GDPR).

(7)

Nothing in subsection (6)—

(a)

affects any transfer of personal data previously made in reliance on the document, or

(b)

prevents a further document being laid before Parliament.

(8)

The Commissioner must publish—

(a)

a document issued under this section, and

(b)

a notice identifying any document which, under subsection (6), is treated as not having been issued under this section.

(9)

The Commissioner must keep under review the clauses specified in a document issued under this section for the time being in force.

(10)

In this section, “the 40-day period” means—

(a)

if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or

(b)

if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.

(11)

In calculating the 40-day period, no account is to be taken of any F26whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.

(12)

In this section, “trade association” includes a body representing controllers or processors.

120 Further international role

(1)

The Commissioner must, in relation to third countries and international organisations, take appropriate steps to—

(a)

develop international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b)

provide international mutual assistance in the enforcement of legislation for the protection of personal data, subject to appropriate safeguards for the protection of personal data and F27… fundamental rights and freedoms;

(c)

engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

(d)

promote the exchange and documentation of legislation and practice for the protection of personal data, including legislation and practice relating to jurisdictional conflicts with third countries.

(2)

Subsection (1) applies only in connection with the processing of personal data to which the F28UK GDPR does not apply; for the equivalent duty in connection with the processing of personal data to which the F28UK GDPR applies, see Article 50 of the F28UK GDPR (international co-operation for the protection of personal data).

F29(2A)

The Commissioner may contribute to the activities of international organisations with data protection functions.

(3)

The Commissioner must carry out data protection functions which the Secretary of State directs the Commissioner to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to an international obligation of the United Kingdom.

(4)

The Commissioner may provide an authority carrying out data protection functions under the law of a British overseas territory with assistance in carrying out those functions.

(5)

The Secretary of State may direct that assistance under subsection (4) is to be provided on terms, including terms as to payment, specified or approved by the Secretary of State.

(6)

In this section—

“data protection functions” means functions relating to the protection of individuals with respect to the processing of personal data;

“mutual assistance in the enforcement of legislation for the protection of personal data” includes assistance in the form of notification, complaint referral, investigative assistance and information exchange;

“third country” means a country or territory F30outside the United Kingdom.

(7)

Section 3(14)(c) does not apply to references to personal data and the processing of personal data in this section.

F31 Duties in carrying out functions

120A Principal objective

It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—

(a)

to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and

(b)

to promote public trust and confidence in the processing of personal data.

120B Duties in relation to functions under the data protection legislation

In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—

(a)

the desirability of promoting innovation;

(b)

the desirability of promoting competition;

(c)

the importance of the prevention, investigation, detection and prosecution of criminal offences;

(d)

the need to safeguard public security and national security;

(e)

the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

120C Strategy

(1)

The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—

(a)

sections 120A and 120B,

(b)

section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and

(c)

section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).

(2)

The Commissioner must—

(a)

review the strategy from time to time, and

(b)

revise the strategy as appropriate.

(3)

The Commissioner must publish the strategy and any revised strategy.

120D Duty to consult other regulators

(1)

The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.

(2)

The persons are—

(a)

such persons exercising regulatory functions as the Commissioner considers appropriate;

(b)

such other persons as the Commissioner considers appropriate.

(3)

In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.

Codes of practice

121 Data-sharing code

(1)

The Commissioner must prepare a code of practice which contains—

(a)

practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation, and

(b)

such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.

(2)

Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(3)

Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)

trade associations;

(b)

data subjects;

(c)

persons who appear to the Commissioner to represent the interests of data subjects.

(4)

A code under this section may include transitional provision or savings.

(5)

In this section—

“good practice in the sharing of personal data” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;

“the sharing of personal data” means the disclosure of personal data by transmission, dissemination or otherwise making it available;

“trade association” includes a body representing controllers or processors.

122 Direct marketing code

(1)

The Commissioner must prepare a code of practice which contains—

(a)

practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), and

(b)

such other guidance as the Commissioner considers appropriate to promote good practice in direct marketing.

(2)

Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(3)

Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)

trade associations;

(b)

data subjects;

(c)

persons who appear to the Commissioner to represent the interests of data subjects.

(4)

A code under this section may include transitional provision or savings.

(5)

In this section—

“direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;

“good practice in direct marketing” means such practice in direct marketing as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements mentioned in subsection (1)(a);

“trade association” includes a body representing controllers or processors.

123 Age-appropriate design code

(1)

The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.

(2)

Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(3)

Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such other persons as the Commissioner considers appropriate, including—

(a)

children,

(b)

parents,

(c)

persons who appear to the Commissioner to represent the interests of children,

(d)

child development experts, and

(e)

trade associations.

(4)

In preparing a code or amendments under this section, the Commissioner must have regard—

(a)

to the fact that children have different needs at different ages, and

(b)

to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.

(5)

A code under this section may include transitional provision or savings.

(6)

Any transitional provision included in the first code under this section must cease to have effect before the end of the period of 12 months beginning when the code comes into force.

(7)

In this section—

“age-appropriate design” means the design of services so that they are appropriate for use by, and meet the development needs of, children;

“information society services” has the same meaning as in the UK GDPR, but does not include preventive or counselling services;

“relevant information society services” means information society services which involve the processing of personal data to which the UK GDPR applies;

“standards of age-appropriate design of relevant information society services” means such standards of age-appropriate design of such services as appear to the Commissioner to be desirable having regard to the best interests of children;

“trade association” includes a body representing controllers or processors;

“the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.

124 Data protection and journalism code

(1)

The Commissioner must prepare a code of practice which contains—

(a)

practical guidance in relation to the processing of personal data for the purposes of journalism in accordance with the requirements of the data protection legislation, and

(b)

such other guidance as the Commissioner considers appropriate to promote good practice in the processing of personal data for the purposes of journalism.

(2)

Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(3)

Before preparing a code or amendments under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—

(a)

trade associations;

(b)

data subjects;

(c)

persons who appear to the Commissioner to represent the interests of data subjects.

(4)

A code under this section may include transitional provision or savings.

(5)

In this section—

“good practice in the processing of personal data for the purposes of journalism” means such practice in the processing of personal data for those purposes as appears to the Commissioner to be desirable having regard to—

(a)

the interests of data subjects and others …, and

(b)

the special importance of the public interest in the freedom of expression and information;

and includes compliance with the requirements of the data protection legislation;

“trade association” includes a body representing controllers or processors.

124A Other codes of practice

(1)

The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.

(2)

Regulations under this section—

(a)

must describe the personal data or processing to which the code of practice is to relate, and

(b)

may describe the persons or classes of person to whom it is to relate.

(3)

Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(4)

Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)

trade associations;

(b)

data subjects;

(c)

persons who appear to the Commissioner to represent the interests of data subjects.

(5)

A code under this section may include transitional provision or savings.

(6)

Regulations under this section are subject to the negative resolution procedure.

(7)

In this section—

“good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;

“trade association” includes a body representing controllers or processors.

124B Panels to consider codes of practice

(1)

This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11).

(2)

The Commissioner must establish a panel of individuals to consider the code.

(3)

The panel must consist of—

(a)

individuals the Commissioner considers have expertise in the subject matter of the code, and

(b)

individuals the Commissioner considers—

(i)

are likely to be affected by the code, or

(ii)

represent persons likely to be affected by the code.

(4)

Before the panel begins to consider the code, the Commissioner must—

(a)

publish the code in draft, and

(b)

publish a statement that—

(i)

states that a panel has been established to consider the code,

(ii)

identifies the members of the panel,

(iii)

explains the process by which they were selected, and

(iv)

explains the reasons for their selection.

(5)

Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.

(6)

Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that—

(a)

identifies the member of the panel,

(b)

explains the process by which the member was selected, and

(c)

explains the reasons for the member’s selection.

(7)

The Commissioner must make arrangements—

(a)

for the members of the panel to consider the code with one another (whether in person or otherwise), and

(b)

for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner.

(8)

If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—

(a)

make any alterations to the code that the Commissioner considers appropriate in the light of the report, and

(b)

publish—

(i)

the code in draft,

(ii)

the report or a summary of it, and

(iii)

in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.

(9)

The Commissioner may pay remuneration and expenses to the members of the panel.

(10)

This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11).

(11)

The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of—

(a)

a code prepared under section 124A, or

(b)

an amendment of such a code,

that is specified or described in the regulations.

(12)

Regulations under this section are subject to the negative resolution procedure.

124C Impact assessments for codes of practice

(1)

Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of—

(a)

who would be likely to be affected by the code, and

(b)

the effect the code would be likely to have on them.

(2)

This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.

125 Approval of codes prepared under sections 121 to 124A

(1)

When a code is prepared under section 121, 122, 123, 124 or 124A—

(a)

the Commissioner must submit the final version to the Secretary of State, and

(b)

the Secretary of State must lay the code before Parliament.

(2)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3)

If, within the 40-day period, either House of Parliament resolves not to approve a code prepared under section 121, 122, 123, 124 or 124A, the Commissioner must not issue the code.

(4)

If no such resolution is made within that period—

(a)

the Commissioner must issue the code, and

(b)

the code comes into force at the end of the period of 21 days beginning with the day on which it is issued.

(5)

If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.

(6)

Nothing in subsection (3) prevents another version of the code being laid before Parliament.

(7)

In this section, “the 40-day period” means—

(a)

if the code is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or

(b)

if the code is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.

(8)

In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.

(9)

This section, other than subsection (5), applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.

126 Publication and review of codes issued under section 125(4)

(1)

The Commissioner must publish a code issued under section 125(4).

(2)

Where an amendment of a code is issued under section 125(4), the Commissioner must publish—

(a)

the amendment, or

(b)

the code as amended by it.

(3)

The Commissioner must keep under review each code issued under section 125(4) for the time being in force.

(4)

Where the Commissioner becomes aware that the terms of such a code could result in a breach of an international obligation of the United Kingdom, the Commissioner must exercise the power under section 121(2), 122(2), 123(2), 124(2) or 124A(3) with a view to remedying the situation.

127 Effect of codes issued under section 125(4)

(1)

A failure by a person to act in accordance with a provision of a code issued under section 125(4) does not of itself make that person liable to legal proceedings in a court or tribunal.

(2)

A code issued under section 125(4), including an amendment or replacement code, is admissible in evidence in legal proceedings.

(3)

In any proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code issued under section 125(4) in determining a question arising in the proceedings if—

(a)

the question relates to a time when the provision was in force, and

(b)

the provision appears to the court or tribunal to be relevant to the question.

(4)

Where the Commissioner is carrying out a function described in subsection (5), the Commissioner must take into account a provision of a code issued under section 125(4) in determining a question arising in connection with the carrying out of the function if—

(a)

the question relates to a time when the provision was in force, and

(b)

the provision appears to the Commissioner to be relevant to the question.

(5)

Those functions are functions under—

(a)

the data protection legislation, or

(b)

the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).

Annotations:
Commencement Information

I16 S. 127 not in force at Royal Assent; s. 127 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)

I17 S. 127 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(d)

128 Other codes of practice

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Consensual audits

129 Consensual audits

(1)

The Commissioner’s functions under Article 58(1) of the UK GDPR and paragraph 1 of Schedule 13 include power, with the consent of a controller or processor, to carry out an assessment of whether the controller or processor is complying with good practice in the processing of personal data.

(2)

The Commissioner must inform the controller or processor of the results of such an assessment.

(3)

In this section, “good practice in the processing of personal data” has the same meaning as in section 124A.

Records of national security certificates

130 Records of national security certificates

(1)

A Minister of the Crown who issues a certificate under section 27, 79 or 111 must send a copy of the certificate to the Commissioner.

(2)

If the Commissioner receives a copy of a certificate under subsection (1), the Commissioner must publish a record of the certificate.

(3)

The record must contain—

(a)

the name of the Minister who issued the certificate,

(b)

the date on which the certificate was issued, and

(c)

subject to subsection (4), the text of the certificate.

(4)

The Commissioner must not publish the text, or a part of the text, of the certificate if—

(a)

the Minister determines that publishing the text or that part of the text—

(i)

would be against the interests of national security,

(ii)

would be contrary to the public interest, or

(iii)

might jeopardise the safety of any person, and

(b)

the Minister has notified the Commissioner of that determination.

(5)

The Commissioner must keep the record of the certificate available to the public while the certificate is in force.

(6)

If a Minister of the Crown revokes a certificate issued under section 27, 79 or 111, the Minister must notify the Commissioner.

Information provided to the Commissioner

131 Disclosure of information to the Commissioner

(1)

No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner with information necessary for the discharge of the Commissioner’s functions.

(2)

But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(3)

Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.

132 Confidentiality of information

(1)

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—

(a)

has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b)

relates to an identified or identifiable individual or business, and

(c)

is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

unless the disclosure is made with lawful authority.

(2)

For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—

(a)

the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b)

the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c)

the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e)

the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f)

having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

(3)

It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).

133 Guidance about privileged communications

(1)

The Commissioner must produce and publish guidance about—

(a)

how the Commissioner proposes to secure that privileged communications which the Commissioner obtains or has access to in the course of carrying out the Commissioner’s functions are used or disclosed only so far as necessary for carrying out those functions, and

(b)

how the Commissioner proposes to comply with restrictions and prohibitions on obtaining or having access to privileged communications which are imposed by an enactment.

(2)

The Commissioner—

(a)

may alter or replace the guidance, and

(b)

must publish any altered or replacement guidance.

(3)

The Commissioner must consult the Secretary of State before publishing guidance under this section (including altered or replacement guidance).

(4)

The Commissioner must arrange for guidance under this section (including altered or replacement guidance) to be laid before Parliament.

(5)

In this section, “privileged communications” means—

(a)

communications made—

(i)

between a professional legal adviser and the adviser’s client, and

(ii)

in connection with the giving of legal advice to the client with respect to legal obligations, liabilities or rights, and

(b)

communications made—

(i)

between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,

(ii)

in connection with or in contemplation of legal proceedings, and

(iii)

for the purposes of such proceedings.

(6)

In subsection (5)—

(a)

references to the client of a professional legal adviser include references to a person acting on behalf of the client, and

(b)

references to a communication include—

(i)

a copy or other record of the communication, and

(ii)

anything enclosed with or referred to in the communication if made as described in subsection (5)(a)(ii) or in subsection (5)(b)(ii) and (iii).

Fees

134 Fees for services

The Commissioner may require a person other than a data subject or a data protection officer to pay a reasonable fee for a service provided to the person, or at the person’s request, which the Commissioner is required or authorised to provide under the data protection legislation.

135 Manifestly unfounded or excessive requests by data subjects etc

(A1)

This section makes provision about cases in which a request made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is manifestly unfounded or excessive.

(1)

… The Commissioner may—

(a)

charge a reasonable fee for dealing with the request, or

(b)

refuse to act on the request.

(1A)

In subsection (1)—

(a)

the reference in paragraph (a) to charging a reasonable fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and

(b)

paragraph (b) is not to be read as implying anything about whether the Commissioner may refuse to act on requests that are neither manifestly unfounded nor excessive.

(2)

An example of a request that may be excessive is one that merely repeats the substance of previous requests.

(3)

In any proceedings where there is an issue as to whether a request described in subsection (A1) is manifestly unfounded or excessive, it is for the Commissioner to show that it is.

(4)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5)

Article 57(3) of the UK GDPR (performance of Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.

136 Guidance about fees

(1)

The Commissioner must produce and publish guidance about the fees the Commissioner proposes to charge in accordance with—

(a)

section 134 or 135, …

(b)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(2)

Before publishing the guidance, the Commissioner must consult the Secretary of State.

Charges

137 Charges payable to the Commissioner by controllers

(1)

The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner.

(2)

Regulations under subsection (1) may require a controller to pay a charge regardless of whether the Commissioner has provided, or proposes to provide, a service to the controller.

(3)

Regulations under subsection (1) may—

(a)

make provision about the time or times at which, or period or periods within which, a charge must be paid;

(b)

make provision for cases in which a discounted charge is payable;

(c)

make provision for cases in which no charge is payable;

(d)

make provision for cases in which a charge which has been paid is to be refunded.

(4)

In making regulations under subsection (1), the Secretary of State must have regard to the desirability of securing that the charges payable to the Commissioner under such regulations are sufficient to offset—

(a)

expenses incurred by the Commissioner in discharging the Commissioner’s functions—

(i)

under the data protection legislation,

(ii)

under the Data Protection Act 1998,

(iii)

under or by virtue of sections 108 and 109 of the Digital Economy Act 2017, and

(iv)

under or by virtue of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426),

(b)

any expenses of the Secretary of State in respect of the Commissioner so far as attributable to those functions,

(c)

to the extent that the Secretary of State considers appropriate, any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and

(d)

to the extent that the Secretary of State considers appropriate, expenses incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the Superannuation Act 1972 or section 1 of the Public Service Pensions Act 2013.

(5)

The Secretary of State may from time to time require the Commissioner to provide information about the expenses referred to in subsection (4)(a).

(6)

The Secretary of State may by regulations make provision—

(a)

requiring a controller to provide information to the Commissioner, or

(b)

enabling the Commissioner to require a controller to provide information to the Commissioner,

for either or both of the purposes mentioned in subsection (7).

(7)

Those purposes are—

(a)

determining whether a charge is payable by the controller under regulations under subsection (1);

(b)

determining the amount of a charge payable by the controller.

(8)

The provision that may be made under subsection (6)(a) includes provision requiring a controller to notify the Commissioner of a change in the controller’s circumstances of a kind specified in the regulations.

Annotations:
Commencement Information

I26 S. 137 in force at Royal Assent for specified purposes, see s. 212(2)(f)

I27 S. 137 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(e)

138 Regulations under section 137: supplementary

(1)

Before making regulations under section 137(1) or (6), the Secretary of State must consult such representatives of persons likely to be affected by the regulations as the Secretary of State thinks appropriate (and see also section 182).

(2)

The Commissioner—

(a)

must keep under review the working of regulations under section 137(1) or (6), and

(b)

may from time to time submit proposals to the Secretary of State for amendments to be made to the regulations.

(3)

The Secretary of State must review the working of regulations under section 137(1) or (6)—

(a)

at the end of the period of 5 years beginning with the making of the first set of regulations under section 108 of the Digital Economy Act 2017, and

(b)

at the end of each subsequent 5 year period.

(4)

Regulations under section 137(1) are subject to the negative resolution procedure if—

(a)

they only make provision increasing a charge for which provision is made by previous regulations under section 137(1) or section 108(1) of the Digital Economy Act 2017, and

(b)

they do so to take account of an increase in the retail prices index since the previous regulations were made.

(5)

Subject to subsection (4), regulations under section 137(1) or (6) are subject to the affirmative resolution procedure.

(6)

In subsection (4), “the retail prices index” means—

(a)

the general index of retail prices (for all items) published by the Statistics Board, or

(b)

where that index is not published for a month, any substitute index or figures published by the Board.

(7)

Regulations under section 137(1) or (6) may not apply to—

(a)

Her Majesty in her private capacity,

(b)

Her Majesty in right of the Duchy of Lancaster, or

(c)

the Duke of Cornwall.

Annotations:
Commencement Information

I28 S. 138 in force at Royal Assent for specified purposes, see s. 212(2)(f)

I29 S. 138 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(e)

Reports etc

139 Reporting to Parliament

(1)

The Commissioner must—

(a)

produce a general report on the carrying out of the Commissioner’s functions annually,

(b)

arrange for it to be laid before Parliament, and

(c)

publish it.

(1A)

In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)—

(a)

a review of what the Commissioner has done during the reporting period to comply with the duties under—

(i)

sections 120A and 120B,

(ii)

section 108 of the Deregulation Act 2015, and

(iii)

section 21 of the Legislative and Regulatory Reform Act 2006,

including a review of the operation of the strategy prepared and published under section 120C;

(b)

a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D.

(1B)

In subsection (1A), “the reporting period” means the period to which the report relates.

(2)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(2A)

The report under this section may include the annual report under section 161A.

(3)

The Commissioner may produce other reports relating to the carrying out of the Commissioner’s functions and arrange for them to be laid before Parliament.

139A Analysis of performance

(1)

The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators.

(2)

The analysis must be prepared and published at least annually.

(3)

In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.

Documents and notices

140 Publication by the Commissioner

A duty under this Act for the Commissioner to publish a document is a duty for the Commissioner to publish it, or to arrange for it to be published, in such form and manner as the Commissioner considers appropriate.

141 Notices from the Commissioner

(1)

This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.

(2)

The notice may be given to an individual—

(a)

by delivering it to the individual,

(b)

by sending it to the individual by post addressed to the individual at his or her usual or last-known place of residence or business, or

(c)

by leaving it for the individual at that place.

(3)

The notice may be given to a body corporate or unincorporate—

(a)

by sending it by post to the proper officer of the body at its principal office, or

(b)

by addressing it to the proper officer of the body and leaving it at that office.

(4)

The notice may be given to a partnership in Scotland—

(a)

by sending it by post to the principal office of the partnership, or

(b)

by addressing it to that partnership and leaving it at that office.

(5)

The notice may be given to the person by other means, including by electronic means, with the person’s consent.

(6)

In this section—

“principal office”, in relation to a registered company, means its registered office;

“proper officer”, in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs;

“registered company” means a company registered under the enactments relating to companies for the time being in force in the United Kingdom.

(7)

This section is without prejudice to any other lawful method of giving a notice.