Legislation – Data Protection Act 2018
PART 1
Preliminary
3 Terms relating to the processing of personal data
PART 2
General processing
CHAPTER 1 Scope and definitions
4 Processing to which this Part applies
Meaning of certain terms used in the GDPR
7 Meaning of “public authority” and “public body”
8 Lawfulness of processing: public interest etc
9 Child’s consent in relation to information society services
Special categories of personal data
10 Special categories of personal data and criminal convictions etc data
11 Special categories of personal data etc: supplementary
12 Limits on fees that may be charged by controllers
13 Obligations of credit reference agencies
14 Automated decision-making authorised by law: safeguards
Restrictions on data subject’s rights
16 Power to make further exemptions etc by regulations
Accreditation of certification providers
17 Accreditation of certification providers
Transfers of personal data to third countries etc
18 Transfers of personal data to third countries etc
Specific processing situations
19 Processing for archiving, research and statistical purposes: safeguards
CHAPTER 3 Other general processing
21 Processing to which this Chapter applies
22 Application of the GDPR to processing to which this Chapter applies
23 Power to make provision in consequence of regulations related to the GDPR
24 Manual unstructured data held by FOI public authorities
25 Manual unstructured data used in longstanding historical research
26 National security and defence exemption
27 National security: certificate
28 National security and defence: modifications to Articles 9 and 32 of the applied GDPR
PART 3
Law enforcement processing
CHAPTER 1 Scope and definitions
29 Processing to which this Part applies
30 Meaning of “competent authority”
31 “The law enforcement purposes”
32 Meaning of “controller” and “processor”
34 Overview and general duty of controller
35 The first data protection principle
36 The second data protection principle
37 The third data protection principle
38 The fourth data protection principle
39 The fifth data protection principle
40 The sixth data protection principle
42 Safeguards: sensitive processing
CHAPTER 3 Rights of the data subject
Information: controller’s general duties
44 Information: controller’s general duties
Data subject’s right of access
45 Right of access by the data subject
Data subject’s rights to rectification or erasure etc
47 Right to erasure or restriction of processing
48 Rights under section 46 or 47: supplementary
Automated individual decision-making
49 Right not to be subject to automated decision-making
50 Automated decision-making authorised by law: safeguards
51 Exercise of rights through the Commissioner
52 Form of provision of information etc
53 Manifestly unfounded or excessive requests by the data subject
54 Meaning of “applicable time period”
CHAPTER 4 Controller and processor
56 General obligations of the controller
57 Data protection by design and default
60 Processing under the authority of the controller or processor
61 Records of processing activities
63 Co-operation with the Commissioner
64 Data protection impact assessment
65 Prior consultation with the Commissioner
Obligations relating to security
Obligations relating to personal data breaches
67 Notification of a personal data breach to the Commissioner
68 Communication of a personal data breach to the data subject
69 Designation of a data protection officer
70 Position of data protection officer
71 Tasks of data protection officer
CHAPTER 5 Transfers of personal data to third countries etc
72 Overview and interpretation
General principles for transfers
73 General principles for transfers of personal data
74 Transfers on the basis of an adequacy decision
75 Transfers on the basis of appropriate safeguards
76 Transfers on the basis of special circumstances
Transfers to particular recipients
77 Transfers of personal data to persons other than relevant authorities
79 National security: certificate
80 Special processing restrictions
PART 4
Intelligence services processing
CHAPTER 1 Scope and definitions
82 Processing to which this Part applies
83 Meaning of “controller” and “processor”
The data protection principles
86 The first data protection principle
87 The second data protection principle
88 The third data protection principle
89 The fourth data protection principle
90 The fifth data protection principle
91 The sixth data protection principle
CHAPTER 3 Rights of the data subject
95 Right of access: supplementary
96 Right not to be subject to automated decision-making
97 Right to intervene in automated decision-making
98 Right to information about decision-making
99 Right to object to processing
100 Rights to rectification and erasure
CHAPTER 4 Controller and processor
102 General obligations of the controller
106 Processing under the authority of the controller or processor
Obligations relating to security
Obligations relating to personal data breaches
108 Communication of a personal data breach
CHAPTER 5 Transfers of personal data outside the United Kingdom
109 Transfers of personal data outside the United Kingdom
111 National security: certificate
113 Power to make further exemptions
PART 5
The Information Commissioner
114 The Information Commissioner
115 General functions under the GDPR and safeguards
117 Competence in relation to courts etc
118 Co-operation and mutual assistance
119 Inspection of personal data in accordance with international obligations
120 Further international role
123 Age-appropriate design code
124 Data protection and journalism code
125 Approval of codes prepared under sections 121 to 124
126 Publication and review of codes issued under section 125(4)
127 Effect of codes issued under section 125(4)
130 Records of national security certificates
131 Disclosure of information to the Commissioner
132 Confidentiality of information
133 Guidance about privileged communications
135 Manifestly unfounded or excessive requests by data subjects etc
137 Charges payable to the Commissioner by controllers
138 Regulations under section 137: supplementary
140 Publication by the Commissioner
141 Notices from the Commissioner
PART 6
Enforcement
143 Information notices: restrictions
144 False statements made in response to information notices
147 Assessment notices: restrictions
148 Destroying or falsifying information and documents etc
150 Enforcement notices: supplementary
151 Enforcement notices: rectification and erasure of personal data etc
152 Enforcement notices: restrictions
153 Enforcement notices: cancellation and variation
154 Powers of entry and inspection
156 Penalty notices: restrictions
158 Fixed penalties for non-compliance with charges regulations
159 Amount of penalties: supplementary
160 Guidance about regulatory action
161 Approval of first guidance about regulatory action
164 Applications in respect of urgent notices
165 Complaints by data subjects
166 Orders to progress complaints
168 Compensation for contravention of the GDPR
169 Compensation for contravention of other data protection legislation
170 Unlawful obtaining etc of personal data
171 Re-identification of de-identified personal data
172 Re-identification: effectiveness testing conditions
173 Alteration etc of personal data to prevent disclosure to data subject
175 Provision of assistance in special purposes proceedings
176 Staying special purposes proceedings
177 Guidance about how to seek redress against media organisations
178 Review of processing of personal data for the purposes of journalism
179 Effectiveness of the media’s dispute resolution procedures
PART 7
Supplementary and final provision
182 Regulations and consultation
183 Power to reflect changes to the Data Protection Convention
184 Prohibition of requirement to produce relevant records
185 Avoidance of certain contractual terms relating to health records
186 Data subject’s rights and other prohibitions and restrictions
187 Representation of data subjects with their authority
188 Representation of data subjects with their authority: collective proceedings
189 Duty to review provision for representation of data subjects
190 Post-review powers to make provision about representation of data subjects
191 Framework for Data Processing by Government
193 Publication and review of the Framework
195 Reserve forces: data-sharing by HMRC
198 Liability of directors etc
200 Guidance about PACE codes of practice
201 Disclosure of information to the Tribunal
202 Proceedings in the First-tier Tribunal: contempt
204 Meaning of “health professional” and “social work professional”
206 Index of defined expressions
207 Territorial application of this Act
211 Minor and consequential provision
SCHEDULES
SCHEDULE 1 Special categories of personal data and criminal convictions etc data
SCHEDULE 2 Exemptions etc from the GDPR
SCHEDULE 3 Exemptions etc from the GDPR: health, social work, education and child abuse data
SCHEDULE 4 Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment
SCHEDULE 5 Accreditation of certification providers: reviews and appeals
SCHEDULE 6 The applied GDPR and the applied Chapter 2
SCHEDULE 7 Competent authorities
SCHEDULE 8 Conditions for sensitive processing under Part 3
SCHEDULE 9 Conditions for processing under Part 4
SCHEDULE 10 Conditions for sensitive processing under Part 4
SCHEDULE 11 Other exemptions under Part 4
SCHEDULE 12 The Information Commissioner
SCHEDULE 13 Other general functions of the Commissioner
SCHEDULE 14 Co-operation and mutual assistance
SCHEDULE 15 Powers of entry and inspection
SCHEDULE 17 Review of processing of personal data for the purposes of journalism
PART 3Law enforcement processing
CHAPTER 3Rights of the data subject
Supplementary
53Manifestly unfounded or excessive requests by the data subject
(1)
Where a request from a data subject under section 45, 46, 47 or 50 is manifestly unfounded or excessive, the controller may—
(a)
charge a reasonable fee for dealing with the request, or
(b)
refuse to act on the request.
(2)
An example of a request that may be excessive is one that merely repeats the substance of previous requests.
(3)
In any proceedings where there is an issue as to whether a request under section 45, 46, 47 or 50 is manifestly unfounded or excessive, it is for the controller to show that it is.
(4)
The Secretary of State may by regulations specify limits on the fees that a controller may charge in accordance with subsection (1)(a).
(5)
Regulations under subsection (4) are subject to the negative resolution procedure.