Legislation – Data Protection Act 2018
Changes to legislation:
Data Protection Act 2018, Section 96 is up to date with all changes known to be in force on or before 29 October 2025. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
PART 4 Intelligence services processing
CHAPTER 3 Rights of the data subject
Rights
96 Right not to be subject to automated decision-making
(1) The controller may not take a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject.
(2) Subsection (1) does not prevent such a decision being made on that basis if—
    (a) the decision is required or authorised by law,
    (b) the data subject has given consent to the decision being made on that basis, or
    (c) the decision is a decision taken in the course of steps taken—
        (i) for the purpose of considering whether to enter into a contract with the data subject,
        (ii) with a view to entering into such a contract, or
        (iii) in the course of performing such a contract.
(3) For the purposes of this section, a decision that has legal effects as regards an individual is to be regarded as significantly affecting the individual.