Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

Transfers of personal data to third countries etc

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers based on adequacy regulations: review etc

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, SCHEDULE 15 is up to date with all changes known to be in force on or before 03 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

SCHEDULES

SCHEDULE 15Powers of entry and inspection

Section 154

Issue of warrants in connection with non-compliance and offences

1

(1)

This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates’ Courts) is satisfied by information on oath supplied by the Commissioner that—

(a)

there are reasonable grounds for suspecting that—

(i)

a controller or processor has failed or is failing as described in section 149(2), or

(ii)

an offence under this Act has been or is being committed, and

(b)

there are reasonable grounds for suspecting that evidence of the failure or of the commission of the offence is to be found on premises specified in the information or is capable of being viewed using equipment on such premises.

(2)

The judge may grant a warrant to the Commissioner.

Issue of warrants in connection with assessment notices

2

(1)

This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates’ Courts) is satisfied by information on oath supplied by the Commissioner that a controller or processor has failed to comply with a requirement imposed by an assessment notice.

(2)

The judge may, for the purpose of enabling the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation, grant a warrant to the Commissioner in relation to premises that were specified in the assessment notice.

Restrictions on issuing warrants: processing for the special purposes

3

A judge must not issue a warrant under this Schedule in respect of personal data processed for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.

Restrictions on issuing warrants: procedural requirements

4

(1)

A judge must not issue a warrant under this Schedule unless satisfied that—

(a)

the conditions in sub-paragraphs (2) to (4) are met,

(b)

compliance with those conditions would defeat the object of entry to the premises in question, or

(c)

the Commissioner requires access to the premises in question urgently.

(2)

The first condition is that the Commissioner has given 7 days’ notice in writing to the occupier of the premises in question demanding access to the premises.

(3)

The second condition is that—

(a)

access to the premises was demanded at a reasonable hour and was unreasonably refused, or

(b)

entry to the premises was granted but the occupier unreasonably refused to comply with a request by the Commissioner or the Commissioner’s officers or staff to be allowed to do any of the things referred to in paragraph 5.

(4)

The third condition is that, since the refusal, the occupier of the premises—

(a)

has been notified by the Commissioner of the application for the warrant, and

(b)

has had an opportunity to be heard by the judge on the question of whether or not the warrant should be issued.

(5)

In determining whether the first condition is met, an assessment notice given to the occupier is to be disregarded.

Content of warrants

5

(1)

A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner’s officers or staff—

(a)

to enter the premises,

(b)

to search the premises, and

(c)

to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data.

(2)

A warrant issued under paragraph 1 must authorise the Commissioner or any of the Commissioner’s officers or staff—

(a)

to inspect and seize any documents or other material found on the premises which may be evidence of the failure or offence mentioned in that paragraph,

(b)

to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may be evidence of that failure or offence,

(c)

to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and

(d)

to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has failed or is failing as described in section 149(2).

(3)

A warrant issued under paragraph 2 must authorise the Commissioner or any of the Commissioner’s officers or staff—

(a)

to inspect and seize any documents or other material found on the premises which may enable the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation,

(b)

to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may enable the Commissioner to make such a determination,

(c)

to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and

(d)

to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has complied or is complying with the data protection legislation.

(4)

A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner’s officers or staff to do the things described in sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the day on which the warrant is issued.

(5)

For the purposes of this paragraph, a copy of information is in an “appropriate form” if —

(a)

it can be taken away, and

(b)

it is visible and legible or it can readily be made visible and legible.

Copies of warrants

6

A judge who issues a warrant under this Schedule must—

(a)

issue two copies of it, and

(b)

certify them clearly as copies.

Execution of warrants: reasonable force

7

A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary.

Execution of warrants: time when executed

8

A warrant issued under this Schedule may be executed only at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that exercising it at a reasonable hour would defeat the object of the warrant.

Execution of warrants: occupier of premises

9

(1)

If an occupier of the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, the person executing the warrant must—

(a)

show the occupier the warrant, and

(b)

give the occupier a copy of it.

(2)

Otherwise, a copy of the warrant must be left in a prominent place on the premises.

Execution of warrants: seizure of documents etc

10

(1)

This paragraph applies where a person executing a warrant under this Schedule seizes something.

(2)

The person must, on request—

(a)

give a receipt for it, and

(b)

give an occupier of the premises a copy of it.

(3)

Sub-paragraph (2)(b) does not apply if the person executing the warrant considers that providing a copy would result in undue delay.

(4)

Anything seized may be retained for so long as is necessary in all the circumstances.

Matters exempt from inspection and seizure: privileged communications

11

(1)

The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.

(2)

The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,

(b)

in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and

(c)

for the purposes of such proceedings.

(3)

Sub-paragraphs (1) and (2) do not prevent the exercise of powers conferred by a warrant issued under this Schedule in respect of—

(a)

anything in the possession of a person other than the professional legal adviser or the adviser’s client, or

(b)

anything held with the intention of furthering a criminal purpose.

(4)

The references to a communication in sub-paragraphs (1) and (2) include—

(a)

a copy or other record of the communication, and

(b)

anything enclosed with or referred to in the communication if made as described in sub-paragraph (1)(b) or in sub-paragraph (2)(b) and (c).

(5)

In sub-paragraphs (1) to (3), the references to the client of a professional legal adviser include a person acting on behalf of such a client.

Matters exempt from inspection and seizure: Parliamentary privilege

12

The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable where their exercise would involve an infringement of the privileges of either House of Parliament.

Partially exempt material

13

(1)

This paragraph applies if a person in occupation of premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure of any material under the warrant on the grounds that it consists partly of matters in respect of which those powers are not exercisable.

(2)

The person must, if the person executing the warrant so requests, provide that person with a copy of so much of the material as is not exempt from those powers.

Return of warrants

14

(1)

Where a warrant issued under this Schedule is executed—

(a)

it must be returned to the court from which it was issued after being executed, and

(b)

the person by whom it is executed must write on the warrant a statement of the powers that have been exercised under the warrant.

(2)

Where a warrant issued under this Schedule is not executed, it must be returned to the court from which it was issued within the time authorised for its execution.

Offences

15

(1)

It is an offence for a person—

(a)

intentionally to obstruct a person in the execution of a warrant issued under this Schedule, or

(b)

to fail without reasonable excuse to give a person executing such a warrant such assistance as the person may reasonably require for the execution of the warrant.

(2)

It is an offence for a person—

(a)

to make a statement in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) which the person knows to be false in a material respect, or

(b)

recklessly to make a statement in response to such a requirement which is false in a material respect.

Self-incrimination

16

(1)

An explanation given, or information provided, by a person in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) may only be used in evidence against that person—

(a)

on a prosecution for an offence under a provision listed in sub-paragraph (2), or

(b)

on a prosecution for any other offence where—

(i)

in giving evidence that person makes a statement inconsistent with that explanation or information, and

(ii)

evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person’s behalf.

(2)

Those provisions are—

(a)

paragraph 15,

(b)

section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(c)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or

(d)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

Vessels, vehicles etc

17

In this Schedule—

(a)

premises” includes a vehicle, vessel or other means of transport, and

(b)

references to the occupier of premises include the person in charge of a vehicle, vessel or other means of transport.

Scotland

18

In the application of this Schedule to Scotland—

(a)

references to a judge of the High Court have effect as if they were references to a judge of the Court of Session,

(b)

references to a circuit judge have effect as if they were references to the sheriff or the summary sheriff,

(c)

references to information on oath have effect as if they were references to evidence on oath, and

(d)

references to the court from which the warrant was issued have effect as if they were references to the sheriff clerk.

Northern Ireland

19

In the application of this Schedule to Northern Ireland—

(a)

references to a circuit judge have effect as if they were references to a county court judge, and

(b)

references to information on oath have effect as if they were references to a complaint on oath.