Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

Transfers of personal data to third countries etc

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers based on adequacy regulations: review etc

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, CHAPTER 3 is up to date with all changes known to be in force on or before 02 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

PART 3Law enforcement processing

CHAPTER 3Rights of the data subject

Overview and scope

43Overview and scope

(1)

This Chapter—

(a)

imposes general duties on the controller to make information available (see F1sections 44 and 45A);

(b)

confers a right of access by the data subject (see F2sections 45 and 45A);

(c)

confers rights on the data subject with respect to the rectification of personal data and the erasure of personal data or the restriction of its processing (see sections 46 to 48);

(d)

regulates automated decision-making (see sections 49 and 50);

(e)

makes supplementary provision (see sections 51 to 54).

(2)

This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.

(3)

But sections 44 to 48 do not apply in relation to the processing of relevant personal data in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty.

(4)

In subsection (3), “relevant personal data” means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority.

(5)

In this Chapter, “the controller”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.

F3Data subject’s rights to information

44F4… Controller’s general duties

(1)

The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)—

(a)

the identity and the contact details of the controller;

(b)

where applicable, the contact details of the data protection officer (see sections 69 to 71);

(c)

the purposes for which the controller processes personal data;

(d)

the existence of the rights of data subjects to request from the controller—

(i)

access to personal data (see section 45),

(ii)

rectification of personal data (see section 46), and

(iii)

erasure of personal data or the restriction of its processing (see section 47);

(e)

the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner.

(2)

The controller must also, in specific cases for the purpose of enabling the exercise of a data subject’s rights under this Part, give the data subject the following—

(a)

information about the legal basis for the processing;

(b)

information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;

(c)

where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations);

(d)

such further information as is necessary to enable the exercise of the data subject’s rights under this Part.

(3)

An example of where further information may be necessary as mentioned in subsection (2)(d) is where the personal data being processed was collected without the knowledge of the data subject.

(4)

The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (2) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a)

avoid obstructing an official or legal inquiry, investigation or procedure;

(b)

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

protect public security;

F5(d)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e)

protect the rights and freedoms of others.

(5)

Where the provision of information to a data subject under subsection (2) is restricted F6under subsection (4), wholly or partly, the controller must inform the data subject in writing without undue delay—

(a)

that the provision of information has been restricted,

(b)

of the reasons for the restriction,

(c)

of the data subject’s right to make a request to the Commissioner under section 51,

(d)

of the data subject’s right to lodge a complaint with the Commissioner, and

(e)

of the data subject’s right to apply to a court under section 167.

(6)

Subsection (5)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.

(7)

The controller must—

(a)

record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (2) F7in reliance on subsection (4), and

(b)

if requested to do so by the Commissioner, make the record available to the Commissioner.

F8

45Right of access by the data subject

(1)

A data subject is entitled to obtain from the controller—

(a)

confirmation as to whether or not personal data concerning him or her is being processed, and

(b)

where that is the case, access to the personal data and the information set out in subsection (2).

(2)

That information is—

(a)

the purposes of and legal basis for the processing;

(b)

the categories of personal data concerned;

(c)

the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);

(d)

the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;

(e)

the existence of the data subject’s rights to request from the controller—

(i)

rectification of personal data (see section 46), and

(ii)

erasure of personal data or the restriction of its processing (see section 47);

(f)

the existence of the data subject’s right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

(g)

communication of the personal data undergoing processing and of any available information as to its origin.

F9(2A)

Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.

(3)

Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must be provided in writing —

(a)

without undue delay, and

(b)

in any event, before the end of the applicable time period (as to which see section 54).

(4)

The controller may restrict, wholly or partly, the rights conferred by subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a)

avoid obstructing an official or legal inquiry, investigation or procedure;

(b)

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

protect public security;

F10(d)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e)

protect the rights and freedoms of others.

(5)

Where the rights of a data subject under subsection (1) are restricted F11under subsection (4), wholly or partly, the controller must inform the data subject in writing without undue delay—

(a)

that the rights of the data subject have been restricted,

(b)

of the reasons for the restriction,

(c)

of the data subject’s right to make a request to the Commissioner under section 51,

(d)

of the data subject’s right to lodge a complaint with the Commissioner, and

(e)

of the data subject’s right to apply to a court under section 167.

(6)

Subsection (5)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.

(7)

The controller must—

(a)

record the reasons for a decision to restrict (whether wholly or partly) the rights of a data subject under subsection (1) F12in reliance on subsection (4), and

(b)

if requested to do so by the Commissioner, make the record available to the Commissioner.

(1)

Sections 44(2) and 45(1) do not require the controller to give the data subject—

(a)

information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or

(b)

information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

(2)

A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—

(a)

the decision to rely on the exemption,

(b)

the reason for the decision,

(c)

the data subject’s right to make a request to the Commissioner under section 51,

(d)

the data subject’s right to lodge a complaint with the Commissioner under section 165, and

(e)

the data subject’s right to apply to a court under section 167.

(3)

Subsection (2)(a) and (b) do not apply to the extent that complying with them would—

(a)

undermine a claim described in subsection (1)(a), or

(b)

conflict with a duty described in subsection (1)(b).

(4)

The controller must—

(a)

record the reason for a decision to rely on the exemption in subsection (1), and

(b)

if requested to do so by the Commissioner, make the record available to the Commissioner.

(5)

The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).

Data subject’s rights to rectification or erasure etc

46Right to rectification

(1)

The controller must, if so requested by a data subject, rectify without undue delay inaccurate personal data relating to the data subject.

(2)

Where personal data is inaccurate because it is incomplete, the controller must, if so requested by a data subject, complete it.

(3)

The duty under subsection (2) may, in appropriate cases, be fulfilled by the provision of a supplementary statement.

(4)

Where the controller would be required to rectify personal data under this section but the personal data must be maintained for the purposes of evidence, the controller must (instead of rectifying the personal data) restrict its processing.

47Right to erasure or restriction of processing

(1)

The controller must erase personal data without undue delay where—

(a)

the processing of the personal data would infringe section 35, 36(1) to (3), 37, 38(1), 39(1), 40, 41 or 42, or

(b)

the controller has a legal obligation to erase the data.

(2)

Where the controller would be required to erase personal data under subsection (1) but the personal data must be maintained for the purposes of evidence, the controller must (instead of erasing the personal data) restrict its processing.

(3)

Where a data subject contests the accuracy of personal data (whether in making a request under this section or section 46 or in any other way), but it is not possible to ascertain whether it is accurate or not, the controller must restrict its processing.

(4)

A data subject may request the controller to erase personal data or to restrict its processing (but the duties of the controller under this section apply whether or not such a request is made).

48Rights under section 46 or 47: supplementary

(1)

Where a data subject requests the rectification or erasure of personal data or the restriction of its processing, the controller must inform the data subject in writing—

(a)

whether the request has been granted, and

(b)

if it has been refused—

(i)

of the reasons for the refusal,

(ii)

of the data subject’s right to make a request to the Commissioner under section 51,

(iii)

of the data subject’s right to lodge a complaint with the Commissioner, and

(iv)

of the data subject’s right to apply to a court under section 167.

(2)

The controller must comply with the duty under subsection (1)—

(a)

without undue delay, and

(b)

in any event, before the end of the applicable time period (see section 54).

(3)

The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1)(b)(i) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a)

avoid obstructing an official or legal inquiry, investigation or procedure;

(b)

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

protect public security;

F14(d)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e)

protect the rights and freedoms of others.

(4)

Where the rights of a data subject under subsection F15(1)(b)(i) are restricted F16under subsection (3), wholly or partly, the controller must inform the data subject in writing without undue delay—

(a)

that the rights of the data subject have been restricted,

(b)

of the reasons for the restriction,

(c)

of the data subject’s right to lodge a complaint with the Commissioner, and

(d)

of the data subject’s right to apply to a court under section 167.

(5)

Subsection (4)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.

(6)

The controller must—

(a)

record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (1)(b)(i) F17in reliance on subsection (3), and

(b)

if requested to do so by the Commissioner, make the record available to the Commissioner.

(7)

Where the controller rectifies personal data, it must notify the competent authority (if any) from which the inaccurate personal data originated.

F18(8)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(9)

Where the controller rectifies, erases or restricts the processing of personal data which has been disclosed by the controller—

(a)

the controller must notify the recipients, and

(b)

the recipients must similarly rectify, erase or restrict the processing of the personal data (so far as they retain responsibility for it).

(10)

Where processing is restricted in accordance with section 47(3), the controller must inform the data subject before lifting the restriction.

Automated individual decision-making

F1949Right not to be subject to automated decision-making

(1)

A controller may not take a significant decision based solely on automated processing unless that decision is required or authorised by law.

(2)

A decision is a “significant decision” for the purpose of this section if, in relation to a data subject, it—

(a)

produces an adverse legal effect concerning the data subject, or

(b)

significantly affects the data subject.

F1950Automated decision-making authorised by law: safeguards

(1)

A decision is a “qualifying significant decision” for the purposes of this section if—

(a)

it is a significant decision in relation to a data subject, and

(b)

it is required or authorised by law.

(2)

Where a controller takes a qualifying significant decision in relation to a data subject based solely on automated processing—

(a)

the controller must, as soon as reasonably practicable, notify the data subject in writing that a decision has been taken based solely on automated processing, and

(b)

the data subject may, before the end of the period of 1 month beginning with receipt of the notification, request the controller to—

(i)

reconsider the decision, or

(ii)

take a new decision that is not based solely on automated processing.

(3)

If a request is made to a controller under subsection (2), the controller must, before the end of the period of 1 month beginning with receipt of the request—

(a)

consider the request, including any information provided by the data subject that is relevant to it,

(b)

comply with the request, and

(c)

by notice in writing inform the data subject of—

(i)

the steps taken to comply with the request, and

(ii)

the outcome of complying with the request.

(4)

The Secretary of State may by regulations make such further provision as the Secretary of State considers appropriate to provide suitable measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing.

(5)

Regulations under subsection (4)—

(a)

may amend this section, and

(b)

are subject to the affirmative resolution procedure.

(6)

In this section “significant decision” has the meaning given by section 49(2).

Annotations:
Commencement Information

I8S. 50 in force at Royal Assent for specified purposes, see s. 212(2)(f)

I9S. 50 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(c)

F1950AAutomated processing and significant decisions

(1)

For the purposes of sections 50B and 50C—

(a)

a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and

(b)

a decision is a significant decision, in relation to a data subject, if—

(i)

it produces an adverse legal effect for the data subject, or

(ii)

it has a similarly significant adverse effect for the data subject.

(2)

When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

50BRestrictions on automated decision-making based on sensitive processing

(1)

A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.

(2)

The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.

(3)

The second condition is that the decision is required or authorised by law.

50CSafeguards for automated decision-making

(1)

Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is—

(a)

based entirely or partly on personal data, and

(b)

based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).

(2)

The safeguards must consist of or include measures which—

(a)

provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject;

(b)

enable the data subject to make representations about such decisions;

(c)

enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;

(d)

enable the data subject to contest such decisions.

(3)

Subsections (1) and (2) do not apply in relation to a significant decision if—

(a)

exemption from those provisions is required for a reason listed in subsection (4),

(b)

the controller reconsiders the decision as soon as reasonably practicable, and

(c)

there is meaningful human involvement in the reconsideration of the decision.

(4)

Those reasons are—

(a)

to avoid obstructing an official or legal inquiry, investigation or procedure;

(b)

to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

to protect public security;

(d)

to safeguard national security;

(e)

to protect the rights and freedoms of others.

(5)

When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.

50DFurther provision about automated decision-making

(1)

The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.

(2)

The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.

(3)

Regulations under subsection (1) or (2) may amend section 50A.

(4)

The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—

(a)

provision requiring the safeguards to include measures in addition to those described in section 50C(2),

(b)

provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and

(c)

provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2).

(5)

Regulations under this section are subject to the affirmative resolution procedure.

Supplementary

51Exercise of rights through the Commissioner

(1)

This section applies where a controller—

(a)

restricts under section 44(4) the information provided to the data subject under section 44(2) (duty of the controller to give the data subject additional information),

(b)

restricts under section 45(4) the data subject’s rights under section 45(1) (right of access),

F20(ba)

relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege), or

(c)

refuses a request by the data subject for rectification under section 46 or for erasure or restriction of processing under section 47.

(2)

The data subject may—

(a)

where subsection (1)(a) or (b) applies, request the Commissioner to check that the restriction imposed by the controller was lawful;

F21(aa)

where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;

(b)

where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject’s request was lawful.

(3)

The Commissioner must take such steps as appear to the Commissioner to be appropriate to respond to a request under subsection (2) (which may include the exercise of any of the powers conferred by sections 142 and 146).

(4)

After taking those steps, the Commissioner must inform the data subject—

(a)

where subsection (1)(a) or (b) applies, whether the Commissioner is satisfied that the restriction imposed by the controller was lawful;

F22(aa)

where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;

(b)

where subsection (1)(c) applies, whether the Commissioner is satisfied that the controller’s refusal of the data subject’s request was lawful.

(5)

The Commissioner must also inform the data subject of the data subject’s right to apply to a court under section 167.

(6)

Where the Commissioner is not satisfied as mentioned in subsection (4)(a) F23, (aa) or (b), the Commissioner may also inform the data subject of any further steps that the Commissioner is considering taking under Part 6 .

52Form of provision of information etc

(1)

The controller must take reasonable steps to ensure that any information that is required by this Chapter to be provided to the data subject is provided in a concise, intelligible and easily accessible form, using clear and plain language.

(2)

Subject to subsection (3), the information may be provided in any form, including electronic form.

(3)

Where information is provided in response to a request by the data subject under section 45, 46, 47 or 50, the controller must provide the information in the same form as the request where it is practicable to do so.

(4)

Where the controller has reasonable doubts about the identity of an individual making a request under section 45, 46 or 47, the controller may—

(a)

request the provision of additional information to enable the controller to confirm the identity, and

(b)

delay dealing with the request until the identity is confirmed.

(5)

Subject to section 53, any information that is required by this Chapter to be provided to the data subject must be provided free of charge.

(6)

The controller must facilitate the exercise of the rights of the data subject under sections 45 to 50.

53Manifestly unfounded or excessive requests by the data subject

(1)

Where a request from a data subject under section 45, 46, 47 or 50 is manifestly unfounded or excessive, the controller may—

(a)

charge a reasonable fee for dealing with the request, or

(b)

refuse to act on the request.

(2)

An example of a request that may be excessive is one that merely repeats the substance of previous requests.

(3)

In any proceedings where there is an issue as to whether a request under section 45, 46, 47 or 50 is manifestly unfounded or excessive, it is for the controller to show that it is.

(4)

The Secretary of State may by regulations specify limits on the fees that a controller may charge in accordance with subsection (1)(a).

F24(4A)

The Secretary of State may by regulations—

(a)

require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and

(b)

specify what the guidance must include.

(5)

Regulations under subsection (4) are subject to the negative resolution procedure.

54Meaning of “applicable time period”

(1)

This section defines “the applicable time period” for the purposes of sections 45(3)(b) and 48(2)(b).

(2)

The applicable time period” means the period of 1 month, or such longer period as may be specified in regulations, beginning with the relevant time.

(3)

The relevant time” means the latest of the following—

(a)

when the controller receives the request in question;

(b)

when the controller receives the information (if any) requested in connection with a request under section 52(4);

(c)

when the fee (if any) charged in connection with the request under section 53 is paid.

(4)

The power to make regulations under subsection (2) is exercisable by the Secretary of State.

(5)

Regulations under subsection (2) may not specify a period which is longer than 3 months.

(6)

Regulations under subsection (2) are subject to the negative resolution procedure.

Annotations:
Commencement Information

I14S. 54 in force at Royal Assent for specified purposes, see s. 212(2)(f)

I15S. 54 in force at 25.5.2018 in so far as not already in force by S.I. 2018/625, reg. 2(1)(c)