This is the original version (as it was originally enacted).
(1)The 2018 Act is amended as follows.
(2)In section 53 (manifestly unfounded or excessive requests by the data subject under Part 3)—
(a)after subsection (4) insert—
“(4A)The Secretary of State may by regulations—
(a)require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and
(b)specify what the guidance must include.”,
(b)in subsection (5), for “subsection (4)” substitute “this section”, and
(c)after subsection (5) insert—
“(6)If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of—
(a)the reasons for not doing so, and
(b)the data subject’s right to lodge a complaint with the Commissioner.
(7)The controller must comply with subsection (6)—
(a)without undue delay, and
(b)in any event, before the end of the applicable time period (as to which see section 54).”
(3)In section 54(1) (meaning of “applicable time period”), for “and 48(2)(b)” substitute “, 48(2)(b) and 53(7)”.
(1)The UK GDPR is amended in accordance with subsections (2) and (3).
(2)In Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject)—
(a)in paragraph 3—
(i)for “within one month of receipt of the request” substitute “before the end of the applicable time period (see Article 12A)”, and
(ii)omit the second and third sentences,
(b)in paragraph 4, for “without delay and at the latest within one month of receipt of the request” substitute “without undue delay, and in any event before the end of the applicable time period (see Article 12A),”, and
(c)in paragraph 6—
(i)after “may” insert “—
(a)”, and
(ii)at the end insert “, and
(b)delay dealing with the request until the identity is confirmed.”
(3)After Article 12 insert—
1.In Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3.
2.“The relevant time” means the latest of the following—
(a)when the controller receives the request in question;
(b)when the controller receives the information (if any) requested in connection with a request under Article 12(6);
(c)when the fee (if any) charged in connection with the request under Article 12(5) is paid.
3.The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)the complexity of requests made by the data subject, or
(b)the number of such requests.
4.A notice under paragraph 3 must—
(a)be given before the end of the period of one month beginning with the relevant time, and
(b)state the reasons for the delay.
5.Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under Article 15 relates—
(a)the controller may ask the data subject to provide the further information, and
(b)the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
(i)the applicable time period, or
(ii)the period described in paragraph 4(a).
6.An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.”
(4)The 2018 Act is amended in accordance with subsections (5) to (7).
(5)In section 45(5) (right of access by the data subject), after “delay” insert “and in any event before the end of the applicable time period (as to which see section 54)”.
(6)In section 54 (meaning of “applicable time period” for responding to data subjects’ requests)—
(a)in subsection (1), after “45(3)(b)” insert “and (5)”,
(b)in subsection (2)—
(i)for “1 month, or such longer period as may be specified in regulations,” substitute “one month”, and
(ii)at the end insert “, subject to subsection (3A)”,
(c)after subsection (3) insert—
“(3A)The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)the complexity of requests made by the data subject, or
(b)the number of such requests.
(3B)A notice under subsection (3A) must—
(a)be given before the end of the period of one month beginning with the relevant time, and
(b)state the reasons for the delay.
(3C)Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates—
(a)the controller may ask the data subject to provide the further information, and
(b)the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
(i)the applicable time period, or
(ii)the period described in subsection (3B)(a).
(3D)An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.”, and
(d)omit subsections (4) to (6).
(7)In section 94 (right of access under Part 4)—
(a)in subsection (14), for the definition of “the applicable time period” substitute—
““the applicable time period” means the period of one month beginning with the relevant time, subject to subsection (14A);”, and
(b)after subsection (14) insert—
“(14A)The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)the complexity of requests made by the data subject, or
(b)the number of such requests.
(14B)A notice under subsection (14A) must—
(a)be given before the end of the period of one month beginning with the relevant time, and
(b)state the reasons for the delay.”
(1)In Article 13 of the UK GDPR (information to be provided where personal data is collected from the data subject)—
(a)in paragraph 4, for “shall not apply where and insofar as” substitute “do not apply to the extent that”, and
(b)at the end insert—
“5.Paragraph 3 does not apply to the extent that—
(a)the controller intends to further process the personal data—
(i)for (and only for) the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes, and
(ii)in accordance with Article 84B, and
(b)providing the information is impossible or would involve a disproportionate effort.
6.For the purposes of paragraph 5(b), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
7.A controller relying on paragraph 5 must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”
(2)In Article 14 of the UK GDPR (information to be provided where personal data is not obtained from the data subject)—
(a)in paragraph 5—
(i)for “shall not apply where and insofar as” substitute “do not apply to the extent that”,
(ii)omit point (b),
(iii)omit the “or” at the end of point (c),
(iv)in point (d), omit “where”, and
(v)after that point insert—
“(e)providing the information is impossible or would involve a disproportionate effort, or
(f)the obligation referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended.”, and
(b)at the end insert—
“6.For the purposes of paragraph 5(e), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
7.A controller relying on paragraph 5(e) or (f) must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”
(1)In Article 15 of the UK GDPR (right of access by the data subject)—
(a)after paragraph 1 insert—
“1A.Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.”, and
(b)in paragraph 3, after “processing” insert “to which the data subject is entitled under paragraph 1”.
(2)The 2018 Act is amended in accordance with subsections (3) and (4).
(3)In section 45 (law enforcement processing: right of access by the data subject), after subsection (2) insert—
“(2A)Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”
(4)In section 94 (intelligence services processing: right of access by the data subject), after subsection (2) insert—
“(2A)Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”
(5)The amendments made by this section are to be treated as having come into force on 1 January 2024.
(1)The 2018 Act is amended as follows.
(2)In section 43 (overview and scope of Chapter 3 of Part 3: rights of the data subject in connection with law enforcement processing)—
(a)in subsection (1)(a), for “section 44” substitute “sections 44 and 45A”, and
(b)in subsection (1)(b), for “section 45” substitute “sections 45 and 45A”.
(3)For the italic heading before section 44 substitute—
(4)In the heading of section 44, omit “Information:”.
(5)Omit the italic heading before section 45.
(6)After that section insert—
(1)Sections 44(2) and 45(1) do not require the controller to give the data subject—
(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or
(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
(2)A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—
(a)the decision to rely on the exemption,
(b)the reason for the decision,
(c)the data subject’s right to make a request to the Commissioner under section 51,
(d)the data subject’s right to lodge a complaint with the Commissioner under section 165, and
(e)the data subject’s right to apply to a court under section 167.
(3)Subsection (2)(a) and (b) do not apply to the extent that complying with them would—
(a)undermine a claim described in subsection (1)(a), or
(b)conflict with a duty described in subsection (1)(b).
(4)The controller must—
(a)record the reason for a decision to rely on the exemption in subsection (1), and
(b)if requested to do so by the Commissioner, make the record available to the Commissioner.
(5)The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).”
(7)In section 51 (exercise of rights through the Commissioner)—
(a)in subsection (1), after paragraph (b) (but before the “or” at the end of that paragraph) insert—
“(ba)relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege),”,
(b)in subsection (2), after paragraph (a) insert—
“(aa)where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;”,
(c)in subsection (4), after paragraph (a) insert—
“(aa)where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;”, and
(d)in subsection (6), after “(a)” insert “, (aa)”.