Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Schedule 7. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Schedules

Schedule 7Transfers of personal data to third countries etc: general processing

Section 85

Introduction

1

Chapter 5 of the UK GDPR (transfers of personal data to third countries or international organisations) is amended as follows.

Annotations:
Commencement Information

I1Sch. 7 para. 1 not in force at Royal Assent, see s. 142(1)

General principles for transfers

2

(1)

Omit Article 44 (transfers of personal data to third countries etc: general principle for transfers).

(2)

After that Article insert—

“Article 44AGeneral principles for transfers

1.

A controller or processor may transfer personal data to a third country or an international organisation only if—

(a)

the condition in paragraph 2 is met, and

(b)

the transfer is carried out in compliance with the other provisions of this Regulation.

2.

The condition is met if the transfer—

(a)

is approved by regulations under Article 45A that are in force at the time of the transfer,

(b)

is made subject to appropriate safeguards (see Article 46), or

(c)

is made in reliance on a derogation for specific situations (see Article 49).

3.

A transfer may not be made in reliance on paragraph 2(b) or (c) if, or to the extent that, it would breach a restriction in regulations under Article 49A.”

Annotations:
Commencement Information

I2Sch. 7 para. 2 not in force at Royal Assent, see s. 142(1)

Transfers approved by regulations

3

Omit Article 45 (transfers on the basis of an adequacy decision).

Annotations:
Commencement Information

I3Sch. 7 para. 3 not in force at Royal Assent, see s. 142(1)

4

After that Article insert—

“Article 45ATransfers approved by regulations

1.

For the purposes of Article 44A, the Secretary of State may by regulations approve transfers of personal data to—

(a)

a third country, or

(b)

an international organisation.

2.

The Secretary of State may only make regulations under this Article approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see Article 45B).

3.

In making regulations under this Article, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.

4.

Regulations under this Article may, among other things—

(a)

make provision in relation to a third country or international organisation specified in the regulations or a description of country or organisation;

(b)

approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;

(c)

identify a transfer of personal data by any means, including by reference to—

(i)

a sector or geographic area within a third country,

(ii)

the controller or processor,

(iii)

the recipient of the personal data,

(iv)

the personal data transferred,

(v)

the means by which the transfer is made, or

(vi)

relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;

(d)

confer a discretion on a person.

5.

Regulations under this Article are subject to the negative resolution procedure.

Article 45BThe data protection test

1.

For the purposes of Article 45A, the data protection test is met in relation to transfers of personal data to a third country or international organisation if the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—

(a)

this Regulation,

(b)

Part 2 of the 2018 Act, and

(c)

Parts 5 to 7 of that Act, so far as relevant to general processing.

2.

In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—

(a)

respect for the rule of law and for human rights in the country or by the organisation,

(b)

the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,

(c)

arrangements for judicial or non-judicial redress for data subjects in connection with such processing,

(d)

rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,

(e)

relevant international obligations of the country or organisation, and

(f)

the constitution, traditions and culture of the country or organisation.

3.

In paragraphs 1 and 2—

(a)

the references to the protection provided for data subjects are to that protection taken as a whole,

(b)

the references to general processing are to processing to which this Regulation applies or equivalent types of processing in the third country or by the international organisation (as appropriate), and

(c)

the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Regulation applies as described in Article 3.

4.

When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with Article 45A(4)(b))—

(a)

the references in paragraphs 1 to 3 to personal data are to be read as references only to personal data likely to be the subject of such transfers, and

(b)

the reference in paragraph 2(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.”

Annotations:
Commencement Information

I4Sch. 7 para. 4 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

Transfers approved by regulations: monitoring

5

After Article 45B (inserted by paragraph 4) insert—

“Article 45CTransfers approved by regulations: monitoring

1.

The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under Article 45A or to amend or revoke such regulations.

2.

Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

3.

Where regulations under Article 45A are amended or revoked in accordance with paragraph 2, the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation.

4.

The Secretary of State must publish—

(a)

a list of the third countries and international organisations, and the descriptions of such countries and organisations, which are for the time being approved by regulations under Article 45A as places or persons to which personal data may be transferred, and

(b)

a list of the third countries and international organisations, and the descriptions of such countries and organisations, which have been but are no longer approved by such regulations.

5.

In the case of regulations under Article 45A which approve only certain transfers to a third country or international organisation specified or described in the regulations (in accordance with Article 45A(4)(b)), the lists published under paragraph 4 must specify or describe the relevant transfers.”

Annotations:
Commencement Information

I5Sch. 7 para. 5 not in force at Royal Assent, see s. 142(1)

Transfers subject to appropriate safeguards

6

(1)

Article 46 (transfers subject to appropriate safeguards) is amended as follows.

(2)

Omit paragraph 1.

(3)

After that paragraph insert—

“1A.

A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only—

(a)

in a case in which—

(i)

safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and

(ii)

the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or

(b)

in a case in which—

(i)

safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and

(ii)

each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).”

(4)

In paragraph 2—

(a)

in the words before point (a)—

(i)

omit “appropriate”, and

(ii)

for “paragraph 1” substitute “paragraph 1A(a)”,

(b)

in point (a), for “public authorities or bodies” substitute “a public body and another relevant person or persons”,

(c)

in point (b), after “rules” insert “approved”,

(d)

in point (c), for “section 17C of the 2018 Act” substitute “Article 47A(1)”,

(e)

in point (e), for “appropriate safeguards” substitute “safeguards provided by the code”, and

(f)

in point (f), for “appropriate safeguards” substitute “safeguards provided by the mechanism”.

(5)

In paragraph 3, in the words before point (a)—

(a)

omit “appropriate”,

(b)

for “paragraph 1” substitute “paragraph 1A(a)”,

(c)

omit “, in particular,”, and

(d)

in point (b), for “public authorities or bodies” substitute “a public body and another relevant person or persons”.

(6)

At the end insert—

“6.

For the purposes of this Article, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—

(a)

this Regulation,

(b)

Part 2 of the 2018 Act, and

(c)

Parts 5 to 7 of that Act, so far as relevant to processing to which this Regulation applies.

7.

For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.

8.

In this Article—

(a)

references to the protection provided for the data subject are to that protection taken as a whole;

(b)

relevant person” means a public body or another person exercising functions of a public nature.”

Annotations:
Commencement Information

I6Sch. 7 para. 6 not in force at Royal Assent, see s. 142(1)

7

In the heading of Article 47 (binding corporate rules) at the beginning insert “Transfers subject to appropriate safeguards:”.

Annotations:
Commencement Information

I7Sch. 7 para. 7 not in force at Royal Assent, see s. 142(1)

8

After Article 47 insert—

“Article 47ATransfers subject to appropriate safeguards: further provision

1.

The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

2.

The Secretary of State must keep under review the standard data protection clauses specified in regulations under paragraph 1 that are for the time being in force.

3.

Regulations under paragraph 1 are subject to the negative resolution procedure.

4.

The Secretary of State may by regulations make provision about further safeguards that may be relied on for the purposes of Article 46(1A)(a).

5.

The Secretary of State may only make regulations under paragraph 4 if the Secretary of State considers that the further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

6.

Regulations under paragraph 4 may, among other things—

(a)

make provision by adopting safeguards prepared or published by another person;

(b)

make provision about ways of providing safeguards which require authorisation from the Commissioner.

7.

Regulations under paragraph 4 which amend Article 46 may do so only in the following ways—

(a)

by adding ways of providing safeguards, or

(b)

by varying or omitting ways of providing safeguards which were added by regulations under this Article.

8.

Regulations under paragraph 4 are subject to the affirmative resolution procedure.”

Annotations:
Commencement Information

I8Sch. 7 para. 8 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

Derogations for specific situations

9

(1)

Article 49 (derogations for specific situations) is amended as follows.

(2)

In paragraph 1, in the first subparagraph—

(a)

for “adequacy regulations under section 17A of the 2018 Act, or of appropriate safeguards pursuant to Article 46, including binding corporate rules” substitute “approval by regulations under Article 45A and of compliance with Article 46 (appropriate safeguards)”, and

(b)

in point (a), for “an adequacy decision” substitute “approval by regulations under Article 45A”.

(3)

In paragraph 1, in the second subparagraph, for “a provision in Article 45” substitute “Article 45A”.

(4)

In paragraph 4, for “section 18(1) of the 2018 Act” substitute “paragraph 4A”.

(5)

After paragraph 4 insert—

“4A.

The Secretary of State may by regulations specify for the purposes of point (d) of paragraph 1—

(a)

circumstances in which a transfer of personal data to a third country or international organisation is to be taken to be necessary for important reasons of public interest, and

(b)

circumstances in which a transfer of personal data to a third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.”

(6)

Omit paragraph 5A.

(7)

After paragraph 6 insert—

“7.

Regulations under this Article—

(a)

are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b)

otherwise, are subject to the affirmative resolution procedure.

8.

For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”

Annotations:
Commencement Information

I9Sch. 7 para. 9 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

Public interest restrictions

10

After Article 49 insert—

“Article 49ARestriction in the public interest

1.

The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where—

(a)

the transfer is not approved by regulations under Article 45A for the time being in force, and

(b)

the Secretary of State considers the restriction to be necessary for important reasons of public interest.

2.

Regulations under this Article—

(a)

are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b)

otherwise, are subject to the affirmative resolution procedure.

3.

For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”

Annotations:
Commencement Information

I10Sch. 7 para. 10 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)