- Latest available (Revised)
- Original (As adopted by EU)
Regulation (EU) 2016/679 of the European Parliament and of the CouncilShow full title
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)
You are here:
- Regulations originating from the EU
- 2016 No. 679
- Annexes only
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
More Resources
Revised version PDFs
- Revised 04/05/20160.59 MB
Legislation originating from the EU
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
This item of legislation originated from the EU
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Changes over time for: Regulation (EU) 2016/679 of the European Parliament and of the Council (Annexes only)
Changes to legislation:
Regulation (EU) 2016/679 of the European Parliament and of the Council is up to date with all changes known to be in force on or before 11 March 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Changes and effects yet to be applied to :
- Art. 12(4) words substituted by 2025 c. 18 Sch. 10 para. 2
- Art. 13(2)(d) words substituted by 2025 c. 18 Sch. 10 para. 3(3)
- Art. 13(2)(ca) inserted by 2025 c. 18 Sch. 10 para. 3(2)
- Art. 14(2)(e) words substituted by 2025 c. 18 Sch. 10 para. 4(3)
- Art. 14(2)(da) inserted by 2025 c. 18 Sch. 10 para. 4(2)
- Art. 15(1)(f) words substituted by 2025 c. 18 Sch. 10 para. 5(3)
- Art. 15(1)(ea) inserted by 2025 c. 18 Sch. 10 para. 5(2)
- Art. 17(1)(g)(4)(5) extended (S.N.I.) by 2025 c. 18 Sch. 11 para. 32
- Art. 17(1)(g) inserted by 2024 c. 21 s. 31(2)
- Art. 17(4)(5) inserted by 2024 c. 21 s. 31(3)
- Art. 47(2)(e) words substituted by 2025 c. 18 Sch. 10 para. 6
- Art. 57(1)(f) omitted by 2025 c. 18 s. 103(5)(a)
- Art. 57(2) omitted by 2025 c. 18 s. 103(5)(b)
- Art. 77 omitted by 2025 c. 18 s. 103(6)
- Art. 80(1) word omitted by 2025 c. 18 Sch. 10 para. 7(2)(b)
- Art. 80(1) words substituted by 2025 c. 18 Sch. 10 para. 7(2)(a)
- Art. 80(2) words substituted by 2025 c. 18 Sch. 10 para. 7(3)
Changes and effects yet to be applied to the whole legislation item and associated provisions
- Art. 13(2)(ca) inserted by 2025 c. 18 Sch. 10 para. 3(2)
- Art. 14(2)(da) inserted by 2025 c. 18 Sch. 10 para. 4(2)
- Art. 15(1)(ea) inserted by 2025 c. 18 Sch. 10 para. 5(2)
- Art. 17(1)(g)(4)(5) extended (S.N.I.) by 2025 c. 18 Sch. 11 para. 32
- Art. 17(1)(g) inserted by 2024 c. 21 s. 31(2)
- Art. 17(4)(5) inserted by 2024 c. 21 s. 31(3)
[F1ANNEX 1U.K.LAWFULNESS OF PROCESSING: RECOGNISED LEGITIMATE INTERESTS
Textual Amendments
F1Annex 1 inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 4; S.I. 2026/82, reg. 2(z6)
1U.K.Disclosure for purposes of processing described in Article 6(1)(e)
This condition is met where—
(a)the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and
(b)the request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3).
2U.K.National security, public security and defence
This condition is met where the processing is necessary—
(a)for the purposes of safeguarding national security,
(b)for the purposes of protecting public security, or
(c)for defence purposes.
3U.K.Emergencies
This condition is met where the processing is necessary for the purposes of responding to an emergency.
4U.K.
In paragraph 3, “emergency” has the same meaning as in Part 2 of the Civil Contingencies Act 2004.
5U.K.Crime
This condition is met where the processing is necessary for the purposes of—
(a)detecting, investigating or preventing crime, or
(b)apprehending or prosecuting offenders.
6U.K.Safeguarding vulnerable individuals
This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual.
7U.K.
In paragraph 6—
“safeguarding”, in relation to a vulnerable individual, means—
(a)protecting a vulnerable individual from neglect or physical, mental or emotional harm, or
(b)protecting the physical, mental or emotional well-being of a vulnerable individual;
“vulnerable individual” means an individual—
(a)aged under 18, or
(b)aged 18 or over and at risk.
8U.K.
For the purposes of paragraph 7—
(a)protection of an individual, or of the well-being of an individual, includes both protection relating to a particular individual and protection relating to a type of individual, and
(b)an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(i)has needs for care and support,
(ii)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(iii)as a result of those needs is unable to protect themselves against the neglect, harm or risk.]
[F2ANNEX 2U.K.PURPOSE LIMITATION: PROCESSING TO BE TREATED AS COMPATIBLE WITH ORIGINAL PURPOSE
Textual Amendments
F2Annex 2 inserted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 5; S.I. 2026/82, reg. 2(z7)
1U.K.Disclosure for purposes of processing described in Article 6(1)(e)
This condition is met where—
(a)the processing—
(i)is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and
(ii)is not carried out by a public authority in the performance of its tasks, and
(b)the request states that the other person needs the personal data for the purposes of carrying out processing that—
(i)is described in Article 6(1)(e),
(ii)has a legal basis that satisfies Article 6(3), and
(iii)is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
2U.K.Disclosure for the purposes of archiving in the public interest
This condition is met where—
(a)the processing—
(i)is necessary for the purposes of making a disclosure of personal data to another person (“R”) in response to a request from R, and
(ii)is carried out in accordance with Article 84B,
(b)the controller in relation to the processing collected the personal data based on Article 6(1)(a) (data subject’s consent),
(c)the request from R states that R intends to process the personal data only for the purposes of archiving in the public interest, and
(d)the controller reasonably believes that R will carry out that processing in accordance with generally recognised standards relevant to R’s archiving in the public interest.
3U.K.Public security
This condition is met where the processing is necessary for the purposes of protecting public security.
4U.K.Emergencies
This condition is met where the processing is necessary for the purposes of responding to an emergency.
5U.K.
In paragraph 4, “emergency” has the same meaning as in Part 2 of the Civil Contingencies Act 2004.
6U.K.Crime
This condition is met where the processing is necessary for the purposes of—
(a)detecting, investigating or preventing crime, or
(b)apprehending or prosecuting offenders.
7U.K.Protection of vital interests of data subjects and others
This condition is met where the processing is necessary for the purposes of protecting the vital interests of the data subject or another individual.
8U.K.Safeguarding vulnerable individuals
This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual.
9U.K.
In paragraph 8—
“safeguarding”, in relation to a vulnerable individual, means —
(a)protecting a vulnerable individual from neglect or physical, mental or emotional harm, or
(b)protecting the physical, mental or emotional well-being of a vulnerable individual;
“vulnerable individual” means an individual—
(a)aged under 18, or
(b)aged 18 or over and at risk.
10U.K.
For the purposes of paragraph 9—
(a)protection of an individual, or of the well-being of an individual, includes both protection relating to a particular individual and protection relating to a type of individual, and
(b)an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(i)has needs for care and support,
(ii)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(iii)as a result of those needs is unable to protect themselves against the neglect, harm or risk.
11U.K.Taxation
This condition is met where the processing is necessary for the purposes of the assessment or collection of a tax or duty or an imposition of a similar nature.
12U.K.Legal obligations
This condition is met where the processing is necessary for the purposes of complying with an obligation of the controller under an enactment, a rule of law or an order of a court or tribunal.]
Options/Help
Print Options
PrintThe Whole Regulation
PrintThe Annexes only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the EU Official Journal
- lists of changes made by and/or affecting this legislation item
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.