Regulation (EU) 2016/679 of the European Parliament and of the CouncilShow full title

CHAPTER IIU.K.Principles

Article 5U.K.Principles relating to processing of personal data

1.Personal data shall be:

(a)processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b)collected [F1(whether from the data subject or otherwise)] for specified, explicit and legitimate purposes and not further processed [F2by or on behalf of a controller] in a manner that is incompatible with [F3those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes] [F3the purposes for which the controller collected the data] (‘purpose limitation’);

(c)adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d)accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f)processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

[F43.For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.]

Article 6U.K.Lawfulness of processing

1.Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)processing is necessary for the performance of a task [F5of the controller] carried out in the public interest or [F6a task carried out] in the exercise of official authority vested in the controller;

[F7(ea)processing is necessary for the purposes of a recognised legitimate interest;]

(f)processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[F8Point (f)][F8Points (ea) and (f)] of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

F92.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3.The basis for the processing referred to in point (c) F10... of paragraph 1 shall be laid down by [F11domestic law].

[F12The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).]

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task [F13of the controller] carried out in the public interest or [F14a task carried out] in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. [F15The domestic law] [F16or relevant international law] shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4.Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on [F17domestic law] which constitutes a necessary and proportionate measure in a democratic society to safeguard [F18national security, defence or any of] the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a)any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b)the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)the possible consequences of the intended further processing for data subjects;

(e)the existence of appropriate safeguards, which may include encryption or pseudonymisation.

[F195.For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.

6.The Secretary of State may by regulations amend Annex 1 by—

(a)adding or varying provisions, or

(b)omitting provisions added by regulations made under this paragraph.

7.The Secretary of State may only make regulations under paragraph 6 where—

(a)the requirement in paragraph 8 is satisfied, and

(b)if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied.

8.The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things—

(a)the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and

(b)where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

9.The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

10.Regulations under paragraph 6 are subject to the affirmative resolution procedure.

11.For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—

(a)processing that is necessary for the purposes of direct marketing,

(b)intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and

(c)processing that is necessary for the purposes of ensuring the security of network and information systems.

12.In paragraph 11—

• “intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;

• “security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).]

Article 7U.K.Conditions for consent

1.Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3.The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8U.K.Conditions applicable to child's consent in relation to information society services

1.Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least [F2013 years old]. Where the child is below the age [F21of 13 years], such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

F22...

2.The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3.Paragraph 1 shall not affect the general contract law [F23as it operates in domestic law] such as the rules on the validity, formation or effect of a contract in relation to a child.

[F244.In paragraph 1, the reference to information society services does not include preventive or counselling services.]

[F25Article 8AU.K.Purpose limitation: further processing

1.This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.

2.In making the determination, a person must take into account, among other things—

(a)any link between the original purpose and the new purpose;

(b)the context in which the personal data was collected, including the relationship between the data subject and the controller;

(c)the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);

(d)the possible consequences of the intended processing for data subjects;

(e)the existence of appropriate safeguards (for example, encryption or pseudonymisation).

3.Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where—

(a)the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate,

(b)the processing is carried out in accordance with Article 84B—

(i)for the purposes of scientific research or historical research,

(ii)for the purposes of archiving in the public interest, or

(iii)for statistical purposes,

(c)the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so,

(d)the processing meets a condition in Annex 2, or

(e)the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law.

4.Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—

(a)it falls within paragraph 3(a) or (c), or

(b)it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent.

5.The Secretary of State may by regulations amend Annex 2 by—

(a)adding or varying provisions, or

(b)omitting provisions added by regulations made under this paragraph.

6.The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

7.Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.

8.Regulations under paragraph 5 are subject to the affirmative resolution procedure.]

Article 9U.K.Processing of special categories of personal data

1.Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.Paragraph 1 shall not apply if [F26the processing is based on Article 6(1) and] one of the following applies:

(a)the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where [F27domestic law provides] that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b)processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [F28domestic law] or a collective agreement pursuant [F29to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c)processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d)processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e)processing relates to personal data which are manifestly made public by the data subject;

(f)processing is necessary for the establishment, exercise or defence of legal claims or whenever courts [F30or tribunals] are acting in their judicial capacity;

(g)processing is necessary for reasons of substantial public interest, on the basis of [F31domestic law][F32, or relevant international law,] which shall be proportionate to the aim pursued F33... and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h)processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of [F34domestic law] or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i)processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of [F35domestic law] which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j)processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) [F36(as supplemented by section 19 of the 2018 Act)] based on [F37domestic law] which shall be proportionate to the aim pursued F38... and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.[F39Paragraph 1 is only disapplied by point (h) of paragraph 2 if the personal data is] processed by or under the responsibility of a professional subject to the obligation of professional secrecy under [F40domestic law] or rules established by national competent bodies or by another person also subject to an obligation of secrecy under [F40domestic law] or rules established by national competent bodies.

[F413A.In paragraph 3, ‘national competent bodies’ means competent bodies of the United Kingdom or a part of the United Kingdom.]

F424.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F435.In the 2018 Act—

[F44(za)section 9A makes provision about when the requirement in paragraph 2(g) of this Article for a basis in relevant international law is met;]

(a)section 10 makes provision about when the requirement in paragraph 2(b), (g), (h), (i) or (j) of this Article for authorisation by, or a basis in, domestic law is met;

(b)section 11(1) makes provision about when the processing of personal data is carried out in circumstances described in paragraph 3 of this Article.]

Article 10U.K.Processing of personal data relating to criminal convictions and offences

[F451.] Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by [F46domestic law] [F47, or relevant international law,] providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

[F482.In the 2018 Act—

[F49(za)section 9A makes provision about when the requirement in paragraph 1 of this Article for authorisation by relevant international law is met;]

(a)section 10 makes provision about when the requirement in paragraph 1 of this Article for authorisation by domestic law is met;

(b)section 11(2) makes provision about the meaning of “personal data relating to criminal convictions and offences or related security measures”.]

Article 11U.K.Processing which does not require identification

1.If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2.Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

[F50Article 11AU.K.Further provision about processing of special categories of personal data

1.The Secretary of State may by regulations—

(a)make provision so that an additional description of processing of personal data is subject to the prohibition in Article 9(1),

(b)make provision so that added processing is not subject to that prohibition,

(c)make provision so that an exception in Article 9(2) may or may not be relied on in connection with added processing, and

(d)make provision varying such an exception as it applies in connection with added processing.

2.In paragraph 1, “added processing” means a description of processing which is subject to the prohibition in Article 9(1) by virtue of provision made under paragraph 1(a).

3.Regulations made under this Article (in reliance on Article 91A(4)(b)) may amend section 5, 205 or 206 of the 2018 Act (interpretation).

4.Regulations under this Article are subject to the affirmative resolution procedure.]