- Latest available (Revised)
- Original (As adopted by EU)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation)(Text with EEA relevance)
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Regulation (EU) 2016/679 of the European Parliament and of the Council, CHAPTER VIII is up to date with all changes known to be in force on or before 07 December 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
1.Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with [F2the Commissioner] if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2.[F3The Commissioner] shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Textual Amendments
F1Words in Art. 77 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 56(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in Art. 77(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 56(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in Art. 77(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 56(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
1.Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of [F5the Commissioner] concerning them.
2.Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where [F6the Commissioner] does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
F73.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F74.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F4Words in Art. 78 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 57(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in Art. 78(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 57(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in Art. 78(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 57(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7Art. 78(3)(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 57(5) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
1.Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with [F8the Commissioner] pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
F92.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F8Words in Art. 79(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 58(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Art. 79(2) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 58(3) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
1.The data subject shall have the right to mandate [F10a body or other organisation which meets the conditions in section 187(3) and (4) of the 2018 Act] to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf F11... .
2.[F12The Secretary of State] may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge F13... a complaint with [F14the Commissioner] and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.
[F153.The Secretary of State may exercise the power under paragraph 2 of this Article only by making regulations under section 190 of the 2018 Act.]
Textual Amendments
F10Words in Art. 80(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 59(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in Art. 80(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 59(2)(b) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F12Words in Art. 80(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 59(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13Words in Art. 80(2) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 59(3)(b) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F14Words in Art. 80(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 59(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15Art. 80(3) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 59(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F16Art. 81 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 60 (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
1.Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2.Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3.A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4.Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5.Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
F176.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F17Art. 82(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 61 (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
1.[F18The Commissioner] shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2.Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a)the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b)the intentional or negligent character of the infringement;
(c)any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d)the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e)any relevant previous infringements by the controller or processor;
(f)the degree of cooperation with [F19the Commissioner], in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g)the categories of personal data affected by the infringement;
(h)the manner in which the infringement became known to [F20the Commissioner], in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i)where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j)adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k)any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3.If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4.Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [F21£8,700,000], or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a)the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b)the obligations of the certification body pursuant to Articles 42 and 43;
(c)the obligations of the monitoring body pursuant to Article 41(4).
5.Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [F22£17,500,000], or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a)the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b)the data subjects' rights pursuant to Articles 12 to 22;
(c)the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
[F23(d)any obligations under Part 5 or 6 of Schedule 2 to the 2018 Act or regulations made under section 16(1)(c) of the 2018 Act;]
(e)non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by [F24the Commissioner] pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6.Non-compliance with an order by [F25the Commissioner] as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to [F26£17,500,000], or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
F277.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F278.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F279.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
[F2810.In the 2018 Act, section 115(9) makes provision about the exercise of the Commissioner's functions under this Article.]
Textual Amendments
F18Words in Art. 83(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F19Words in Art. 83(2)(f) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F20Words in Art. 83(2)(h) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F21Sum in Art. 83(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F22Sum in Art. 83(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F23Art. 83(5)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F24Words in Art. 83(5)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(5)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F25Words in Art. 83(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F26Sum in Art. 83(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F27Art. 83(7)(8)(9) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(7) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F28Art. 83(10) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 62(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
[F29Part 6 of the 2018 Act makes further provision about penalties applicable to infringements of this Regulation.]
Textual Amendments
F29Words in Art. 84 substituted for Art. 84(1)(2) (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 63 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: