Legislation – Data Protection Act 2018

Changes to legislation:

Data Protection Act 2018, SCHEDULE 1 is up to date with all changes known to be in force on or before 05 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.

SCHEDULES

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

Section 10

PART 1 Conditions relating to employment, health and research etc

Employment, social security and social protection

1

(1)

This condition is met if—

(a)

the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b)

when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)

See also the additional safeguards in Part 4 of this Schedule.

(3)

In this paragraph—

“social security” includes any of the branches of social security listed in Article 3(1) of Regulation (EC) No. 883/2004 of the European Parliament and of the Council on the co-ordination of social security systems (as amended from time to time);

“social protection” includes an intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament and of the Council of 25 April 2007 on the European system of integrated social protection statistics (ESSPROS) as it had effect in EU law immediately before IP completion day.

Health or social care purposes

2

(1)

This condition is met if the processing is necessary for health or social care purposes.

(2)

In this paragraph “health or social care purposes” means the purposes of—

(a)

preventive or occupational medicine,

(b)

the assessment of the working capacity of an employee,

(c)

medical diagnosis,

(d)

the provision of health care or treatment,

(e)

the provision of social care, or

(f)

the management of health care systems or services or social care systems or services.

(3)

See also the conditions and safeguards in Article 9(3) of the UK GDPR (obligations of secrecy) and section 11(1).

Public health

3

This condition is met if the processing—

(a)

is necessary for reasons of public interest in the area of public health, and

(b)

is carried out—

(i)

by or under the responsibility of a health professional, or

(ii)

by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Research etc

4

This condition is met if the processing—

(a)

is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,

(b)

is carried out in accordance with Article 84B of the UK GDPR, and

(c)

is in the public interest.

PART 2 Substantial public interest conditions

Requirement for an appropriate policy document when relying on conditions in this Part

5

(1)

Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)

See also the additional safeguards in Part 4 of this Schedule.

Statutory etc and government purposes

6

(1)

This condition is met if the processing—

(a)

is necessary for a purpose listed in sub-paragraph (2), and

(b)

is necessary for reasons of substantial public interest.

(2)

Those purposes are—

(a)

the exercise of a function conferred on a person by an enactment or rule of law;

(b)

the exercise of a function of the Crown, a Minister of the Crown or a government department.

Administration of justice and parliamentary purposes

7

This condition is met if the processing is necessary—

(a)

for the administration of justice, or

(b)

for the exercise of a function of either House of Parliament.

Equality of opportunity or treatment

8

(1)

This condition is met if the processing—

(a)

is of a specified category of personal data, and

(b)

is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,

subject to the exceptions in sub-paragraphs (3) to (5).

(2)

In sub-paragraph (1), “specified” means specified in the following table—

Category of personal data

Groups of people (in relation to a category of personal data)

Personal data revealing racial or ethnic origin

People of different racial or ethnic origins

Personal data revealing religious or philosophical beliefs

People holding different religious or philosophical beliefs

Data concerning health

People with different states of physical or mental health

Personal data concerning an individual’s sexual orientation

People of different sexual orientation

(3)

Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.

(4)

Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(5)

Processing does not meet the condition in sub-paragraph (1) if—

(a)

an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b)

the notice gave the controller a reasonable period in which to stop processing such data, and

(c)

that period has ended.

Racial and ethnic diversity at senior levels of organisations

9

(1)

This condition is met if the processing—

(a)

is of personal data revealing racial or ethnic origin,

(b)

is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,

(c)

is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and

(d)

can reasonably be carried out without the consent of the data subject,

subject to the exception in sub-paragraph (3).

(2)

For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)

the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)

the controller is not aware of the data subject withholding consent.

(3)

Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(4)

For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—

(a)

holds a position listed in sub-paragraph (5), or

(b)

does not hold such a position but is a senior manager of the organisation.

(5)

Those positions are—

(a)

a director, secretary or other similar officer of a body corporate;

(b)

a member of a limited liability partnership;

(c)

a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.

(6)

In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—

(a)

the making of decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised, or

(b)

the actual managing or organising of the whole or a substantial part of those activities.

(7)

The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Preventing etc unlawful acts

10

(1)

This condition is met if the processing—

(a)

is necessary for the purposes of the prevention, investigation or detection of an unlawful act,

(b)

must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c)

is necessary for reasons of substantial public interest.

(2)

If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(3)

In this paragraph—

“act” includes a failure to act;

“competent authority” has the same meaning as in Part 3 of this Act (see section 30).

Protecting the public against dishonesty etc

11

(1)

This condition is met if the processing—

(a)

is necessary for the exercise of a protective function,

(b)

must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and

(c)

is necessary for reasons of substantial public interest.

(2)

In this paragraph, “protective function” means a function which is intended to protect members of the public against—

(a)

dishonesty, malpractice or other seriously improper conduct,

(b)

unfitness or incompetence,

(c)

mismanagement in the administration of a body or association, or

(d)

failures in services provided by a body or association.

Regulatory requirements relating to unlawful acts and dishonesty etc

12

(1)

This condition is met if—

(a)

the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—

(i)

committed an unlawful act, or

(ii)

been involved in dishonesty, malpractice or other seriously improper conduct,

(b)

in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and

(c)

the processing is necessary for reasons of substantial public interest.

(2)

In this paragraph—

“act” includes a failure to act;

“regulatory requirement” means—

(a)

a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or

(b)

a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.

Journalism etc in connection with unlawful acts and dishonesty etc

13

(1)

This condition is met if—

(a)

the processing consists of, or is carried out in preparation for, the disclosure of personal data for the special purposes,

(b)

it is carried out in connection with a matter described in sub-paragraph (2),

(c)

it is necessary for reasons of substantial public interest,

(d)

it is carried out with a view to the publication of the personal data by any person, and

(e)

the controller reasonably believes that publication of the personal data would be in the public interest.

(2)

The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—

(a)

the commission of an unlawful act by a person;

(b)

dishonesty, malpractice or other seriously improper conduct of a person;

(c)

unfitness or incompetence of a person;

(d)

mismanagement in the administration of a body or association;

(e)

a failure in services provided by a body or association.

(3)

The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(4)

In this paragraph—

“act” includes a failure to act;

“the special purposes” means—

(a)

the purposes of journalism;

(b)

academic purposes;

(c)

artistic purposes;

(d)

literary purposes.

Preventing fraud

14

(1)

This condition is met if the processing—

(a)

is necessary for the purposes of preventing fraud or a particular kind of fraud, and

(b)

consists of—

(i)

the disclosure of personal data by a person as a member of an anti-fraud organisation,

(ii)

the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation,

(iia)

the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii), or

(iii)

the processing of personal data disclosed as described in sub-paragraph (i) or (ii).

(2)

In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.

Suspicion of terrorist financing or money laundering

15

This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—

(a)

section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);

(b)

section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).

Support for individuals with a particular disability or medical condition

16

(1)

This condition is met if the processing—

(a)

is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,

(b)

is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),

(c)

is necessary for the purposes of—

(i)

raising awareness of the disability or medical condition, or

(ii)

providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,

(d)

can reasonably be carried out without the consent of the data subject, and

(e)

is necessary for reasons of substantial public interest.

(2)

The following types of personal data fall within this sub-paragraph—

(a)

personal data revealing racial or ethnic origin;

(b)

genetic data or biometric data;

(c)

data concerning health;

(d)

personal data concerning an individual’s sex life or sexual orientation.

(3)

An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—

(a)

has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or

(b)

is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.

(4)

For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)

the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)

the controller is not aware of the data subject withholding consent.

(5)

In this paragraph—

“carer” means an individual who provides or intends to provide care for another individual other than—

(a)

under or by virtue of a contract, or

(b)

as voluntary work;

“disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).

(6)

The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Counselling etc

17

(1)

This condition is met if the processing—

(a)

is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,

(b)

is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(c)

is necessary for reasons of substantial public interest.

(2)

The reasons mentioned in sub-paragraph (1)(b) are—

(a)

in the circumstances, consent to the processing cannot be given by the data subject;

(b)

in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)

the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).

Safeguarding of children and of individuals at risk

18

(1)

This condition is met if—

(a)

the processing is necessary for the purposes of—

(i)

protecting an individual from neglect or physical, mental or emotional harm, or

(ii)

protecting the physical, mental or emotional well-being of an individual,

(b)

the individual is—

(i)

aged under 18, or

(ii)

aged 18 or over and at risk,

(c)

the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)

the processing is necessary for reasons of substantial public interest.

(2)

The reasons mentioned in sub-paragraph (1)(c) are—

(a)

in the circumstances, consent to the processing cannot be given by the data subject;

(b)

in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)

the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)

For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a)

has needs for care and support,

(b)

is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c)

as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4)

In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Safeguarding of economic well-being of certain individuals

19

(1)

This condition is met if the processing—

(a)

is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,

(b)

is of data concerning health,

(c)

is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)

is necessary for reasons of substantial public interest.

(2)

The reasons mentioned in sub-paragraph (1)(c) are—

(a)

in the circumstances, consent to the processing cannot be given by the data subject;

(b)

in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)

the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)

In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.

Insurance

20

(1)

This condition is met if the processing—

(a)

is necessary for an insurance purpose,

(b)

is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and

(c)

is necessary for reasons of substantial public interest,

subject to sub-paragraphs (2) and (3).

(2)

Sub-paragraph (3) applies where—

(a)

the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and

(b)

the data subject does not have and is not expected to acquire—

(i)

rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or

(ii)

other rights or obligations in connection with such a contract.

(3)

Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.

(4)

For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—

(a)

the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)

the controller is not aware of the data subject withholding consent.

(5)

In this paragraph—

“insurance contract” means a contract of general insurance or long-term insurance;

“insurance purpose” means—

(a)

advising on, arranging, underwriting or administering an insurance contract,

(b)

administering a claim under an insurance contract, or

(c)

exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.

(6)

The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

(7)

Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.

Occupational pensions

21

(1)

This condition is met if the processing—

(a)

is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,

(b)

is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,

(c)

is not carried out for the purposes of measures or decisions with respect to the data subject, and

(d)

can reasonably be carried out without the consent of the data subject.

(2)

For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)

the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)

the controller is not aware of the data subject withholding consent.

(3)

In this paragraph—

“occupational pension scheme” has the meaning given in section 1 of the Pension Schemes Act 1993;

“member”, in relation to a scheme, includes an individual who is seeking to become a member of the scheme.

(4)

The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Political parties

22

(1)

This condition is met if the processing—

(a)

is of personal data revealing political opinions,

(b)

is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and

(c)

is necessary for the purposes of the person’s or organisation’s political activities,

subject to the exceptions in sub-paragraphs (2) and (3).

(2)

Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.

(3)

Processing does not meet the condition in sub-paragraph (1) if—

(a)

an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b)

the notice gave the controller a reasonable period in which to stop processing such data, and

(c)

that period has ended.

(4)

In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.

Elected representatives responding to requests

23

(1)

This condition is met if—

(a)

the processing is carried out—

(i)

by an elected representative or a person acting with the authority of such a representative,

(ii)

in connection with the discharge of the elected representative’s functions, and

(iii)

in response to a request by an individual that the elected representative take action on behalf of the individual, and

(b)

the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,

subject to sub-paragraph (2).

(2)

Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—

(a)

in the circumstances, consent to the processing cannot be given by the data subject;

(b)

in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)

obtaining the consent of the data subject would prejudice the action taken by the elected representative;

(d)

the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.

(3)

In this paragraph, “elected representative” means—

(a)

a member of the House of Commons;

(b)

a member of the National Assembly for Wales;

(c)

a member of the Scottish Parliament;

(d)

a member of the Northern Ireland Assembly;

(e)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(f)

an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—

(i)

in England, a county council, a district council, a London borough council or a parish council;

(ii)

in Wales, a county council, a county borough council or a community council;

(g)

an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;

(h)

a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;

(ha)

a mayor for the area of a combined county authority established under section 9(1) of the Levelling-up and Regeneration Act 2023;

(i)

the Mayor of London or an elected member of the London Assembly;

(j)

an elected member of—

(i)

the Common Council of the City of London, or

(ii)

the Council of the Isles of Scilly;

(k)

an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;

(l)

an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));

(m)

a police and crime commissioner.

(4)

For the purposes of sub-paragraph (3), a person who is—

(a)

a member of the House of Commons immediately before Parliament is dissolved,

(b)

a member of the National Assembly for Wales immediately before that Assembly is dissolved,

(c)

a member of the Scottish Parliament immediately before that Parliament is dissolved, or

(d)

a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,

is to be treated as if the person were such a member until the end of the period of 30 days beginning with the day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.

(5)

For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.

Disclosure to elected representatives

24

(1)

This condition is met if—

(a)

the processing consists of, or is carried out in preparation for, the disclosure of personal data—

(i)

to an elected representative or a person acting with the authority of such a representative, and

(ii)

in response to a communication to the controller from that representative or person which was made in response to a request from an individual,

(b)

the personal data is relevant to the subject matter of that communication, and

(c)

the disclosure is necessary for the purpose of responding to that communication,

subject to sub-paragraph (2).

(2)

Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—

(a)

in the circumstances, consent to the processing cannot be given by the data subject;

(b)

in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)

obtaining the consent of the data subject would prejudice the action taken by the elected representative;

(d)

the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.

(3)

In this paragraph, “elected representative” has the same meaning as in paragraph 23.

Informing elected representatives about prisoners

25

(1)

This condition is met if—

(a)

the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and

(b)

the member is under an obligation not to further disclose the personal data.

(2)

The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner’s release.

(3)

In this paragraph—

“prison” includes a young offender institution, a remand centre, a secure training centre or a secure college;

“prisoner” means a person detained in a prison.

Anti-doping in sport

27

(1)

This condition is met if the processing is necessary—

(a)

for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or

(b)

for the purposes of providing information about doping, or suspected doping, to such a body or association.

(2)

The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.

(3)

If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

Standards of behaviour in sport

28

(1)

This condition is met if the processing—

(a)

is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,

(b)

must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c)

is necessary for reasons of substantial public interest.

(2)

In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—

(a)

dishonesty, malpractice or other seriously improper conduct, or

(b)

failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.

PART 3
Additional conditions relating to criminal convictions etc

Protecting individual’s vital interests

30

This condition is met if—

(a)

the processing is necessary to protect the vital interests of an individual, and

(b)

the data subject is physically or legally incapable of giving consent.

Processing by not-for-profit bodies

31

This condition is met if the processing is carried out—

(a)

in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and

(b)

on condition that—

(i)

the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and

(ii)

the personal data is not disclosed outside that body without the consent of the data subjects.

Personal data in the public domain

32

This condition is met if the processing relates to personal data which is manifestly made public by the data subject.

Judicial acts

34

This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity.

Administration of accounts used in commission of indecency offences involving children

35

(1)

This condition is met if—

(a)

the processing is of personal data about a conviction or caution for an offence listed in sub-paragraph (2),

(b)

the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card, and

(c)

when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)

Those offences are an offence under—

(a)

section 1 of the Protection of Children Act 1978 (indecent photographs of children),

(b)

Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),

(c)

section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),

(d)

section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),

(e)

Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or

(f)

section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),

or incitement to commit an offence under any of those provisions.

(3)

See also the additional safeguards in Part 4 of this Schedule.

(4)

In this paragraph—

“caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;

“conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));

“payment card” includes a credit card, a charge card and a debit card.

Extension of conditions in Part 2 of this Schedule referring to substantial public interest

36

This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest.

Extension of insurance conditions

37

This condition is met if the processing—

(a)

would meet the condition in paragraph 20 in Part 2 of this Schedule (the “insurance condition”), or

(b)

would meet the condition in paragraph 36 by virtue of the insurance condition,

but for the requirement for the processing to be processing of a category of personal data specified in paragraph 20(1)(b).

PART 4
Appropriate policy document and additional safeguards

Application of this Part of this Schedule

38

This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.

Requirement to have an appropriate policy document in place

39

The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—

(a)

explains the controller’s procedures for securing compliance with the principles in Article 5 of the UK GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and

(b)

explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy document

40

(1)

Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—

(a)

retain the appropriate policy document,

(b)

review and (if appropriate) update it from time to time, and

(c)

make it available to the Commissioner, on request, without charge.

(2)

“Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—

(a)

begins when the controller starts to carry out processing of personal data in reliance on that condition, and

(b)

ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.

Additional safeguard: record of processing

41

A record maintained by the controller, or the controller’s representative, under Article 30 of the UK GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—

(a)

which condition is relied on,

(b)

how the processing satisfies Article 6 of the UK GDPR (lawfulness of processing), and

(c)

whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.