Data (Use and Access) Act 2025

Chapter 1U.K.Data protection

Terms used in this ChapterU.K.

66The 2018 Act and the UK GDPRU.K.

In this Chapter—

• “the 2018 Act” means the Data Protection Act 2018;

• “the UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Definitions in the UK GDPR and the 2018 ActU.K.

69Consent to law enforcement processingU.K.

(1)The 2018 Act is amended as follows.

(2)In section 33 (definitions), after subsection (1) insert—

“(1A)“Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).”

(3)In section 34(2) (overview of Chapter 2 of Part 3), after paragraph (a) (but before the “and” at the end of that paragraph) insert—

“(aa)section 40A makes provision about processing carried out in reliance on the consent of the data subject,”.

(4)After section 40 insert—

“40AConditions for consent

(1)This section is about processing of personal data that is carried out in reliance on the consent of the data subject.

(2)The controller must be able to demonstrate that the data subject consented to the processing.

(3)If the data subject’s consent is given in writing as part of a document which also concerns other matters, the request for consent must be made—

(a)in a manner which clearly distinguishes the request from the other matters,

(b)in an intelligible and easily accessible form, and

(c)in clear and plain language.

(4)Any part of a document described in subsection (3) which constitutes an infringement of this Part is not binding.

(5)The data subject may withdraw the consent at any time (but the withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal).

(6)Processing may only be carried out in reliance on consent if—

(a)before the consent is given, the controller or processor informs the data subject of the right to withdraw it, and

(b)it is as easy for the data subject to withdraw the consent as to give it.

(7)When assessing whether consent is freely given, account must be taken of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.”

(5)In section 206 (index of defined expressions), in the Table, in the entry for “consent”—

(a)after “consent” insert “(to processing of personal data)”,

(b)for “Part” substitute “Parts 3 and”, and

(c)for “section” substitute “sections 33, 40A and”.

Data protection principlesU.K.

70Lawfulness of processingU.K.

(1)The UK GDPR is amended in accordance with subsections (2) to (5).

(2)In Article 6(1) (lawful processing)—

(a)in point (e)—

(i)after “task” insert “of the controller”, and

(ii)after “or” insert “a task carried out”,

(b)after that point insert—

“(ea)processing is necessary for the purposes of a recognised legitimate interest;”, and

(c)in the words after point (f), for “Point (f)” substitute “Points (ea) and (f)”.

(3)In Article 6(3) (basis for processing etc), in the last subparagraph, in the first sentence—

(a)after “task” insert “of the controller”, and

(b)after “interest or” insert “a task carried out”.

(4)In Article 6, at the end insert—

“5.For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.

6.The Secretary of State may by regulations amend Annex 1 by—

(a)adding or varying provisions, or

(b)omitting provisions added by regulations made under this paragraph.

7.The Secretary of State may only make regulations under paragraph 6 where—

(a)the requirement in paragraph 8 is satisfied, and

(b)if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied.

8.The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things—

(a)the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and

(b)where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

9.The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

10.Regulations under paragraph 6 are subject to the affirmative resolution procedure.

11.For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—

(a)processing that is necessary for the purposes of direct marketing,

(b)intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and

(c)processing that is necessary for the purposes of ensuring the security of network and information systems.

12.In paragraph 11—

• “intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;

• “security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).”

(5)In Article 21(1) (right to object), after “point (e)” insert “, (ea)”.

(6)Schedule 4 to this Act inserts Annex 1 to the UK GDPR.

(7)In section 8 of the 2018 Act (lawfulness of processing: public interest etc), omit “the controller’s”.

(8)In the provisions listed in subsection (9)—

(a)for “gateway” substitute “gateways”, and

(b)for “were omitted” substitute “disapplied only the gateway in point (ea) (recognised legitimate interests)”.

(9)The provisions are—

(a)section 40(8) of the Freedom of Information Act 2000 (personal data which is exempt information);

(b)section 38(5A) of the Freedom of Information (Scotland) Act 2002 (asp 13) (personal data which is exempt information);

(c)regulation 13(6) of the Environmental Information Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);

(d)regulation 11(7) of the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);

(e)regulation 45(1E) of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);

(f)regulation 39(1E) of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information);

(g)regulation 9(9) of the INSPIRE Regulations 2009 (S.I. 2009/3157) (limitation of public access to personal data included in a spatial data set);

(h)regulation 10(8) of the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440) (limitation of public access to personal data included in a spatial data set).

71The purpose limitationU.K.

(1)The UK GDPR is amended in accordance with subsections (2) to (5).

(2)In Article 5(1)(b) (purpose limitation)—

(a)after “collected” insert “(whether from the data subject or otherwise)”,

(b)after “further processed” insert “by or on behalf of a controller”, and

(c)for the words from “those purposes;” to “initial purposes” substitute “the purposes for which the controller collected the data”.

(3)In Article 5, at the end insert—

“3.For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.”

(4)In Article 6 (lawfulness of processing), omit paragraph 4.

(5)After Article 8 insert—

“Article 8APurpose limitation: further processing

1.This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.

2.In making the determination, a person must take into account, among other things—

(a)any link between the original purpose and the new purpose;

(b)the context in which the personal data was collected, including the relationship between the data subject and the controller;

(c)the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);

(d)the possible consequences of the intended processing for data subjects;

(e)the existence of appropriate safeguards (for example, encryption or pseudonymisation).

3.Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where—

(a)the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate,

(b)the processing is carried out in accordance with Article 84B—

(i)for the purposes of scientific research or historical research,

(ii)for the purposes of archiving in the public interest, or

(iii)for statistical purposes,

(c)the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so,

(d)the processing meets a condition in Annex 2, or

(e)the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law.

4.Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—

(a)it falls within paragraph 3(a) or (c), or

(b)it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent.

5.The Secretary of State may by regulations amend Annex 2 by—

(a)adding or varying provisions, or

(b)omitting provisions added by regulations made under this paragraph.

6.The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

7.Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.

8.Regulations under paragraph 5 are subject to the affirmative resolution procedure.”

(6)Schedule 5 to this Act inserts Annex 2 to the UK GDPR.

(7)The 2018 Act is amended in accordance with subsections (8) to (10).

(8)In section 36(1) (the second data protection principle)—

(a)in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and

(b)in paragraph (b)—

(i)after “processed” insert “by or on behalf of a controller”, and

(ii)for “it was collected” substitute “the controller collected it”.

(9)In section 87(1) (the second data protection principle)—

(a)in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and

(b)in paragraph (b)—

(i)after “processed” insert “by or on behalf of a controller”, and

(ii)for “it was collected” substitute “the controller collected it”.

(10)In paragraph 1 of Schedule 2 (exemptions etc from the UK GDPR: provisions to be adapted or restricted), omit sub-paragraph (b)(ii).

72Processing in reliance on relevant international lawU.K.

(1)The UK GDPR is amended in accordance with subsections (2) to (5).

(2)In Article 6(3) (lawfulness of processing: basis in domestic law)—

(a)in the first subparagraph, omit “and (e)”,

(b)after that subparagraph insert—

“The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).”, and

(c)in the last subparagraph, in the last sentence, after “domestic law” insert “or relevant international law”.

(3)In Article 8A(3)(e) (purpose limitation: further processing necessary to safeguard an objective listed in Article 23(1)) (inserted by section 71 of this Act), at the end insert “or by relevant international law (see section 9A of the 2018 Act)”.

(4)In Article 9 (processing of special categories of personal data)—

(a)in paragraph 2(g) (substantial public interest), after “domestic law” insert “, or relevant international law,”, and

(b)in paragraph 5, before point (a) insert—

“(za)section 9A makes provision about when the requirement in paragraph 2(g) of this Article for a basis in relevant international law is met;”.

(5)In Article 10 (processing of personal data relating to criminal convictions and offences)—

(a)in paragraph 1, after “domestic law” insert “, or relevant international law,”, and

(b)in paragraph 2, before point (a) insert—

“(za)section 9A makes provision about when the requirement in paragraph 1 of this Article for authorisation by relevant international law is met;”.

(6)The 2018 Act is amended in accordance with subsections (7) and (8).

(7)Before section 10 (and the italic heading before that section) insert—

“Relevant international lawU.K.

9AProcessing in reliance on relevant international law

(1)Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.

(2)A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.

(3)The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—

(a)conditions,

(b)provision about the purposes for which a condition may be relied on, and

(c)safeguards in connection with processing carried out in reliance on a condition in the Schedule.

(4)Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.

(5)Regulations under this section are subject to the affirmative resolution procedure.

(6)In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).”

(8)Before Schedule 1 insert—

Section 9A

“Schedule A1U.K.Processing in reliance on relevant international law

This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.”

Processing of special categories of personal dataU.K.

74Processing of special categories of personal dataU.K.

(1)In Chapter 2 of the UK GDPR, after Article 11 insert—

“Article 11AFurther provision about processing of special categories of personal data

1.The Secretary of State may by regulations—

(a)make provision so that an additional description of processing of personal data is subject to the prohibition in Article 9(1),

(b)make provision so that added processing is not subject to that prohibition,

(c)make provision so that an exception in Article 9(2) may or may not be relied on in connection with added processing, and

(d)make provision varying such an exception as it applies in connection with added processing.

2.In paragraph 1, “added processing” means a description of processing which is subject to the prohibition in Article 9(1) by virtue of provision made under paragraph 1(a).

3.Regulations made under this Article (in reliance on Article 91A(4)(b)) may amend section 5, 205 or 206 of the 2018 Act (interpretation).

4.Regulations under this Article are subject to the affirmative resolution procedure.”

(2)The 2018 Act is amended in accordance with subsections (3) to (9).

(3)In section 33 (definitions of expressions used in Part 3), after subsection (6) insert—

“(6A)“Sensitive processing” has the meaning given in section 35(8).”

(4)In section 35 (the first data protection principle)—

(a)in subsection (6)(b) (power to omit conditions added to Schedule 8 by regulations), after “by”, in the first place it occurs, insert “varying or”, and

(b)in subsection (8) (definition of “sensitive processing”), for “section” substitute “Part”.

(5)After section 42 insert—

“42AFurther provision about sensitive processing

(1)The Secretary of State may by regulations—

(a)make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,

(b)make provision so that added processing is not sensitive processing for the purposes of this Part,

(c)make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and

(d)make provision varying such a condition as it relates to added processing.

(2)In subsection (1)—

• “added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);

• “protected condition in Schedule 8” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).

(3)Regulations under this section may amend this Part and sections 205 and 206.

(4)Regulations under this section are subject to the affirmative resolution procedure.”

(6)In section 84 (definitions of expressions used in Part 4), after subsection (6) insert—

“(6A)“Sensitive processing” has the meaning given in section 86(7).”

(7)In section 86 (the first data protection principle)—

(a)in subsection (3)(b) (power to omit conditions added to Schedule 10 by regulations), after “by”, in the first place it occurs, insert “varying or”, and

(b)in subsection (7) (definition of “sensitive processing”), for “section” substitute “Part”.

(8)After section 91 insert—

“91AFurther provision about sensitive processing

(1)The Secretary of State may by regulations—

(a)make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,

(b)make provision so that added processing is not sensitive processing for the purposes of this Part,

(c)make provision so that a protected condition in Schedule 10 may or may not be relied on in connection with added processing, and

(d)make provision varying such a condition as it relates to added processing.

(2)In subsection (1)—

• “added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);

• “protected condition in Schedule 10” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3).

(3)Regulations under this section may amend this Part and sections 205 and 206.

(4)Regulations under this section are subject to the affirmative resolution procedure.”

(9)In section 206 (index of defined expressions), in the Table, at the appropriate place insert—

(10)The Investigatory Powers Act 2016 is amended in accordance with subsections (11) to (13).

(11)In section 202(4) (restrictions on use of class BPD warrants: definitions), omit the definition of “sensitive personal data” and insert—

• ““sensitive personal data” means personal data whose retention, or (as appropriate) retention and examination, would be sensitive processing;

• “sensitive processing” means—

  (a)

  processing of personal data relating to a living individual that is processing of a kind described in section 86(7)(a) to (e) of the Data Protection Act 2018, or

  (b)

  processing of personal data relating to a deceased individual that would be that kind of processing if the personal data related to a living individual.”

(12)After that section insert—

“202AFurther provision about sensitive processing

(1)The Secretary of State may by regulations—

(a)make provision so that a description of Part 4 sensitive processing, or of processing that would be such processing if the information processed related to a living individual, is sensitive processing for the purposes of section 202, and

(b)make provision so that added processing is not sensitive processing for the purposes of that section.

(2)In this section—

• “added processing” means a description of processing that is sensitive processing for the purposes of section 202 by virtue of provision made under subsection (1)(a);

• “Part 4 sensitive processing” means processing of personal data that, at the time the regulations are made, is sensitive processing for the purposes of Part 4 of the Data Protection Act 2018 by virtue of regulations made under section 91A of that Act.

(3)Regulations under this section may amend section 202.”

(13)In section 267(3) (regulations subject to the affirmative procedure), after paragraph (e) insert—

“(ea)section 202A,”.

Data subject’s rightsU.K.

75Fees and reasons for responses to data subjects’ requests about law enforcement processingU.K.

(1)The 2018 Act is amended as follows.

(2)In section 53 (manifestly unfounded or excessive requests by the data subject under Part 3)—

(a)after subsection (4) insert—

“(4A)The Secretary of State may by regulations—

(a)require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and

(b)specify what the guidance must include.”,

(b)in subsection (5), for “subsection (4)” substitute “this section”, and

(c)after subsection (5) insert—

“(6)If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of—

(a)the reasons for not doing so, and

(b)the data subject’s right to lodge a complaint with the Commissioner.

(7)The controller must comply with subsection (6)—

(a)without undue delay, and

(b)in any event, before the end of the applicable time period (as to which see section 54).”

(3)In section 54(1) (meaning of “applicable time period”), for “and 48(2)(b)” substitute “, 48(2)(b) and 53(7)”.

78Searches in response to data subjects’ requestsU.K.

(1)In Article 15 of the UK GDPR (right of access by the data subject)—

(a)after paragraph 1 insert—

“1A.Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.”, and

(b)in paragraph 3, after “processing” insert “to which the data subject is entitled under paragraph 1”.

(2)The 2018 Act is amended in accordance with subsections (3) and (4).

(3)In section 45 (law enforcement processing: right of access by the data subject), after subsection (2) insert—

“(2A)Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”

(4)In section 94 (intelligence services processing: right of access by the data subject), after subsection (2) insert—

“(2A)Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”

(5)The amendments made by this section are to be treated as having come into force on 1 January 2024.

79Data subjects’ rights to information: legal professional privilege exemptionU.K.

(1)The 2018 Act is amended as follows.

(2)In section 43 (overview and scope of Chapter 3 of Part 3: rights of the data subject in connection with law enforcement processing)—

(a)in subsection (1)(a), for “section 44” substitute “sections 44 and 45A”, and

(b)in subsection (1)(b), for “section 45” substitute “sections 45 and 45A”.

(3)For the italic heading before section 44 substitute—

“Data subject’s rights to information”.

(4)In the heading of section 44, omit “Information:”.

(5)Omit the italic heading before section 45.

(6)After that section insert—

“45AExemption from sections 44 and 45: legal professional privilege

(1)Sections 44(2) and 45(1) do not require the controller to give the data subject—

(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or

(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

(2)A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—

(a)the decision to rely on the exemption,

(b)the reason for the decision,

(c)the data subject’s right to make a request to the Commissioner under section 51,

(d)the data subject’s right to lodge a complaint with the Commissioner under section 165, and

(e)the data subject’s right to apply to a court under section 167.

(3)Subsection (2)(a) and (b) do not apply to the extent that complying with them would—

(a)undermine a claim described in subsection (1)(a), or

(b)conflict with a duty described in subsection (1)(b).

(4)The controller must—

(a)record the reason for a decision to rely on the exemption in subsection (1), and

(b)if requested to do so by the Commissioner, make the record available to the Commissioner.

(5)The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).”

(7)In section 51 (exercise of rights through the Commissioner)—

(a)in subsection (1), after paragraph (b) (but before the “or” at the end of that paragraph) insert—

“(ba)relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege),”,

(b)in subsection (2), after paragraph (a) insert—

“(aa)where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;”,

(c)in subsection (4), after paragraph (a) insert—

“(aa)where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;”, and

(d)in subsection (6), after “(a)” insert “, (aa)”.

Automated decision-makingU.K.

80Automated decision-makingU.K.

(1)For Article 22 of the UK GDPR (automated individual decision-making, including profiling) substitute—

“Section 4AU.K.Automated individual decision-making

Article 22AAutomated processing and significant decisions

1.For the purposes of Articles 22B and 22C—

(a)a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and

(b)a decision is a significant decision, in relation to a data subject, if—

(i)it produces a legal effect for the data subject, or

(ii)it has a similarly significant effect for the data subject.

2.When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

Article 22BRestrictions on automated decision-making

1.A significant decision based entirely or partly on processing described in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met.

2.The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.

3.The second condition is that—

(a)the decision is—

(i)necessary for entering into, or performing, a contract between the data subject and a controller, or

(ii)required or authorised by law, and

(b)point (g) of Article 9(2) applies.

4.A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea).

Article 22CSafeguards for automated decision-making

1.Where a significant decision taken by or on behalf of a controller in relation to a data subject is—

(a)based entirely or partly on personal data, and

(b)based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(3).

2.The safeguards must consist of or include measures which—

(a)provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject;

(b)enable the data subject to make representations about such decisions;

(c)enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;

(d)enable the data subject to contest such decisions.

Article 22DFurther provision about automated decision-making

1.The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations.

2.The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject.

3.The Secretary of State may by regulations make the following types of provision about the safeguards required under Article 22C(1)—

(a)provision requiring the safeguards to include measures in addition to those described in Article 22C(2),

(b)provision imposing requirements which supplement what Article 22C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in Article 22C(2) must be done or be capable of being done), and

(c)provision about measures which are not to be taken to satisfy one or more of points (a) to (d) of Article 22C(2).

4.Regulations under paragraph 3 may not amend Article 22C.

5.Regulations under this Article are subject to the affirmative resolution procedure.”

(2)The 2018 Act is amended in accordance with subsections (3) to (5).

(3)For sections 49 and 50 (law enforcement processing: automated individual decision-making) substitute—

“50AAutomated processing and significant decisions

(1)For the purposes of sections 50B and 50C—

(a)a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and

(b)a decision is a significant decision, in relation to a data subject, if—

(i)it produces an adverse legal effect for the data subject, or

(ii)it has a similarly significant adverse effect for the data subject.

(2)When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

50BRestrictions on automated decision-making based on sensitive processing

(1)A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.

(2)The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.

(3)The second condition is that the decision is required or authorised by law.

50CSafeguards for automated decision-making

(1)Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is—

(a)based entirely or partly on personal data, and

(b)based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).

(2)The safeguards must consist of or include measures which—

(a)provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject;

(b)enable the data subject to make representations about such decisions;

(c)enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;

(d)enable the data subject to contest such decisions.

(3)Subsections (1) and (2) do not apply in relation to a significant decision if—

(a)exemption from those provisions is required for a reason listed in subsection (4),

(b)the controller reconsiders the decision as soon as reasonably practicable, and

(c)there is meaningful human involvement in the reconsideration of the decision.

(4)Those reasons are—

(a)to avoid obstructing an official or legal inquiry, investigation or procedure;

(b)to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)to protect public security;

(d)to safeguard national security;

(e)to protect the rights and freedoms of others.

(5)When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.

50DFurther provision about automated decision-making

(1)The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.

(2)The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.

(3)Regulations under subsection (1) or (2) may amend section 50A.

(4)The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—

(a)provision requiring the safeguards to include measures in addition to those described in section 50C(2),

(b)provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and

(c)provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2).

(5)Regulations under this section are subject to the affirmative resolution procedure.”

(4)In section 96 (intelligence services processing: right not to be subject to automated decision-making)—

(a)in subsection (1), for “solely on” substitute “on entirely”,

(b)in subsection (3), after “section” insert “and section 97”, and

(c)at the end insert—

“(4)For the purposes of this section and section 97, a decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.”

(5)In section 97 (intelligence services processing: right to intervene in automated decision-making)—

(a)in subsection (1)(a), for “solely on” substitute “on entirely”,

(b)in subsection (4)(b), for “solely on” substitute “on entirely”, and

(c)omit subsection (6).

(6)Schedule 6 to this Act contains minor and consequential amendments.

Logging of law enforcement processingU.K.

82Logging of law enforcement processingU.K.

In section 62 of the 2018 Act (logging of law enforcement processing)—

(a)in subsection (2)(a), omit “justification for, and”, and

(b)in subsection (3)(a), omit “justification for, and”.

Codes of conductU.K.

84Law enforcement processing and codes of conductU.K.

(1)The 2018 Act is amended as follows.

(2)In section 55(1) (overview and scope of provisions about controllers and processors), at the end insert—

“(e)makes provision about codes of conduct (see section 71A).”

(3)In section 56 (general obligations of the controller), at the end insert—

“(4)Adherence to a code of conduct approved under section 71A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.”

(4)In section 59 (processors), after subsection (7) insert—

“(7A)Adherence to a code of conduct approved under section 71A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).”

(5)In section 66 (security of processing), at the end insert—

“(3)Adherence to a code of conduct approved under section 71A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).”

(6)After section 71 insert—

“Codes of conductU.K.

71ACodes of conduct

(1)The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part.

(2)Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.

(3)For the purposes of this section—

(a)“public body” means a body or other person whose functions are, or include, functions of a public nature, and

(b)a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).

(4)A code of conduct described in subsection (1) may, for example, make provision with regard to—

(a)lawful and fair processing;

(b)the collection of personal data;

(c)the information provided to the public and to data subjects;

(d)the exercise of the rights of data subjects;

(e)the measures and procedures referred to in sections 56, 57 and 62;

(f)the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects;

(g)the transfer of personal data to third countries or international organisations;

(h)out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing.

(5)The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.

(6)Where an expert public body does so, the Commissioner must—

(a)provide the body with an opinion on whether the code correctly reflects the requirements of this Part,

(b)decide whether to approve the code, and

(c)if the code is approved, register and publish the code.

(7)Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.”

Safeguards for processing for research etc purposesU.K.

86Safeguards for processing for research etc purposesU.K.

(1)The UK GDPR is amended in accordance with subsections (2) to (4).

(2)After Chapter 8 insert—

“CHAPTER 8AU.K.Safeguards for processing for research, archiving or statistical purposes

Article 84AResearch, archives and statistics

1.This Chapter makes provision about the processing of personal data—

(a)for the purposes of scientific research or historical research,

(b)for the purposes of archiving in the public interest, or

(c)for statistical purposes.

2.Those purposes are referred to in this Chapter as “RAS purposes”.

Article 84BAdditional requirements when processing for RAS purposes

1.Personal data may only be processed for RAS purposes if—

(a)the processing consists of the collection of the personal data (whether from the data subject or otherwise),

(b)the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a data subject, or

(c)without the processing, the RAS purposes cannot be fulfilled.

2.Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject.

Article 84CAppropriate safeguards

1.This Article makes provision about when the requirement under Article 84B(2) for processing of personal data to be carried out subject to appropriate safeguards is satisfied.

2.The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates.

3.The requirement is not satisfied if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research.

4.The requirement is only satisfied if the safeguards include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see Article 5(1)(c)), such as, for example, pseudonymisation.

5.In this Article—

• “approved medical research” means medical research carried out by a person who has approval to carry out that research from—

  (a)

  a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or

  (b)

  a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—

  (i)

  the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland department;

  (ii)

  a relevant NHS body;

  (iii)

  United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;

  (iv)

  an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);

• “relevant NHS body” means—

  (a)

  an NHS trust or NHS foundation trust in England,

  (b)

  an NHS trust or Local Health Board in Wales,

  (c)

  a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,

  (d)

  the Common Services Agency for the Scottish Health Service, or

  (e)

  any of the health and social care bodies in Northern Ireland falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).

Article 84DAppropriate safeguards: further provision

1.The Secretary of State may by regulations make further provision about when the requirement for appropriate safeguards under Article 84B(2) is, or is not, satisfied.

2.Regulations under this Article may not amend or revoke Article 84C(2), (3) or (4) (but may change the meaning of “approved medical research” for the purposes of Article 84C).

3.Regulations under this Article are subject to the affirmative resolution procedure.”

(3)In the heading of Chapter 9, after “relating to” insert “other”.

(4)Omit Article 89 (safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

(5)The 2018 Act is amended in accordance with subsections (6) and (7).

(6)Omit section 19 (processing for archiving, research and statistical purposes: safeguards) and the italic heading before it.

(7)In section 41(1) (safeguards: archiving), for “necessary” substitute “carried out”.

National securityU.K.

88National security exemptionU.K.

(1)The 2018 Act is amended in accordance with subsections (2) to (10).

(2)In section 26(2)(f) (national security and defence exemption), before sub-paragraph (i) insert—

“(ai)Article 77 (right to lodge a complaint with the Commissioner);”.

(3)In section 44 (controller’s general duties to provide information to data subject)—

(a)in subsection (4), omit paragraph (d) (grounds for restricting information provided: national security),

(b)in subsection (5), after “restricted” insert “under subsection (4)”, and

(c)in subsection (7)(a), after “subsection (2)” insert “in reliance on subsection (4)”.

(4)In section 45 (right of access by the data subject)—

(a)in subsection (4), omit paragraph (d) (grounds for restricting information provided: national security),

(b)in subsection (5), after “restricted” insert “under subsection (4)”, and

(c)in subsection (7)(a), after “subsection (1)” insert “in reliance on subsection (4)”.

(5)In section 48 (requests by data subject for rectification or erasure of personal data)—

(a)in subsection (3), omit paragraph (d) (grounds for restricting information provided: national security),

(b)in subsection (4)—

(i)for “(1)” substitute “(1)(b)(i)”, and

(ii)after “restricted” insert “under subsection (3)”, and

(c)in subsection (6)(a), after “subsection (1)(b)(i)” insert “in reliance on subsection (3)”.

(6)In section 68(7) (communication of a personal data breach to the data subject: grounds for restricting information provided), omit paragraph (d) (national security).

(7)In Chapter 6 of Part 3 (law enforcement processing: supplementary), before section 79 insert—

“78ANational security exemption

(1)A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.

(2)The provisions are—

(a)Chapter 2 of this Part (principles), except for the provisions listed in subsection (3);

(b)Chapter 3 of this Part (rights of the data subject);

(c)in Chapter 4 of this Part—

(i)section 67 (notification of personal data breach to the Commissioner);

(ii)section 68 (communication of personal data breach to the data subject);

(d)Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4);

(e)in Part 5—

(i)section 119 (inspection in accordance with international obligations);

(ii)in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2;

(f)in Part 6—

(i)sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);

(ii)sections 170 to 173 (offences relating to personal data);

(g)in Part 7, section 187 (representation of data subjects).

(3)The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are—

(a)section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful;

(b)section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing);

(c)section 42 (safeguards: sensitive processing);

(d)Schedule 8 (conditions for sensitive processing).

(4)The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are—

(a)the following provisions of section 73—

(i)subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);

(ii)subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State);

(b)section 78 (subsequent transfers).”

(8)In section 79 (national security: certificate)—

(a)omit subsections (1) to (3),

(b)after subsection (3) insert—

“(3A)Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.”,

(c)in subsection (4), for “subsection (1)” substitute “subsection (3A)—

“(a)may identify the personal data to which it applies by means of a general description, and

(b)”,

(d)in subsection (5), for “subsection (1)” substitute “subsection (3A)”,

(e)in subsection (7)—

(i)for “a restriction falls within a general description in a certificate issued under subsection (1)” substitute “a certificate under subsection (3A) which identifies the personal data to which it applies by means of a general description applies to any personal data”, and

(ii)for “the restriction does not fall within that description” substitute “the certificate does not apply to the personal data in question”,

(f)in subsection (8)—

(i)for “the restriction” substitute “the certificate”, and

(ii)for “to fall within the general description” substitute “so to apply”,

(g)in subsection (10), for “subsection (1)” substitute “subsection (3A)”,

(h)in subsection (11), for “subsection (1)” substitute “subsection (3A)”,

(i)in subsection (12), for “subsection (1)” substitute “subsection (3A)”, and

(j)omit subsection (13).

(9)In section 110(2) (intelligence services processing: national security)—

(a)in paragraph (a), after “Chapter 2” insert “of this Part”,

(b)in paragraph (b), after “Chapter 3” insert “of this Part”, and

(c)in paragraph (c), after “Chapter 4” insert “of this Part”.

(10)In section 186(3) (data subject’s rights etc: exceptions), after paragraph (c) insert—

“(ca)in Part 3 of this Act, section 78A, and”.

(11)In the provisions listed in subsection (12), for “subsection (4) of that section” substitute “section 45(4) or 78A of that Act”.

(12)The provisions are—

(a)section 40(4A)(b) and (5B)(d) of the Freedom of Information Act 2000 (personal data which is exempt information);

(b)section 38(3A)(b) of the Freedom of Information (Scotland) Act 2002 (asp 13) (personal data which is exempt information);

(c)regulation 13(3A)(b) and (5B)(d) of the Environmental Information Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);

(d)regulation 11(4A)(b) of the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);

(e)regulation 45(1C)(b) of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);

(f)regulation 39(1C)(b) of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information).

Intelligence servicesU.K.

89Joint processing by intelligence services and competent authoritiesU.K.

(1)Part 4 of the 2018 Act (intelligence services processing) is amended as follows.

(2)In section 82 (processing to which Part 4 applies)—

(a)before subsection (1) insert—

“(A1)This Part—

(a)applies to processing of personal data by an intelligence service, and

(b)applies to processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).”,

(b)in subsection (1)—

(i)after “applies” insert “only”,

(ii)in paragraph (a), for “the processing by an intelligence service” substitute “processing”, and

(iii)in paragraph (b), for “the processing by an intelligence service” substitute “processing”,

(c)after subsection (2) insert—

“(2A)In this Part—

• “competent authority” has the same meaning as in Part 3;

• “qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.”, and

(d)after subsection (3) insert—

“(4)Regulations under this section are subject to the affirmative resolution procedure.”

(3)After section 82 insert—

“82ADesignation of processing by a qualifying competent authority

(1)For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where—

(a)an application for designation of the processing is made in accordance with this section, and

(b)the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security.

(2)The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service.

(3)The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to—

(a)a country or territory outside the United Kingdom, or

(b)an international organisation.

(4)A designation notice must—

(a)specify or describe the processing and qualifying competent authority that are designated, and

(b)be given to the applicants for the designation (and see also section 82D).

(5)An application for designation of processing of personal data by a qualifying competent authority must be made jointly by—

(a)the qualifying competent authority, and

(b)the intelligence service with which the processing is to be carried out.

(6)An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service.

(7)The application must—

(a)describe the processing, including the intended purposes and means of processing, and

(b)explain why the applicants consider that designation is required for the purposes of safeguarding national security.

(8)Before giving a designation notice, the Secretary of State must consult the Commissioner.

(9)In this section, “joint controller”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104.

82BDuration of designation notice

(1)A designation notice must state when it comes into force.

(2)A designation notice ceases to be in force at the earliest of the following times—

(a)at the end of the period of 5 years beginning when the notice comes into force;

(b)(if relevant) at the end of a shorter period specified in the notice;

(c)when the notice is withdrawn under section 82C.

(3)The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice.

82CReview and withdrawal of designation notice

(1)Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force.

(2)A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security.

(3)A person who applied for the designation of the processing must, on a request from the Secretary of State, provide—

(a)a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and

(b)an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security.

(4)The Secretary of State must at least annually—

(a)review each designation notice that is for the time being in force, and

(b)consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security.

(5)The Secretary of State—

(a)may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and

(b)must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise).

(6)A withdrawal notice must—

(a)withdraw the designation notice completely, and

(b)state when it comes into force.

(7)In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider—

(a)the desirability of the processing ceasing to be designated as soon as possible, and

(b)where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data.

82DRecords of designation notices

(1)Where the Secretary of State gives a designation notice—

(a)the Secretary of State must send a copy of the notice to the Commissioner, and

(b)the Commissioner must publish a record of the notice.

(2)The record must contain—

(a)the Secretary of State’s name,

(b)the date on which the notice was given,

(c)the date on which the notice ceases to have effect (if not previously withdrawn), and

(d)subject to subsection (3), the rest of the text of the notice.

(3)The Commissioner must not publish the text, or a part of the text, of the notice if—

(a)the Secretary of State has determined that publishing the text or that part of the text—

(i)would be against the interests of national security,

(ii)would be contrary to the public interest, or

(iii)might jeopardise the safety of any person, and

(b)the Secretary of State has notified the Commissioner of that determination.

(4)The Commissioner must keep the record of the notice available to the public while the notice is in force.

(5)Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner.

82EAppeal against designation notice

(1)A person directly affected by a designation notice may appeal to the Tribunal against the notice.

(2)If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may—

(a)allow the appeal, and

(b)quash the notice.”

90Joint processing: consequential amendmentsU.K.

(1)The 2018 Act is amended in accordance with subsections (2) to (9).

(2)In section 1(5) (overview: Part 4), at the end insert “(and certain processing carried out by competent authorities jointly with the intelligence services)”.

(3)In section 29 (processing to which Part 3 applies), after subsection (1) insert—

“(1A)This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).”

(4)In section 83 (meaning of “controller” and “processor” in Part 4)—

(a)before subsection (1) insert—

“(A1)For the purposes of this Part—

(a)an intelligence service is the “controller” in relation to the processing of personal data if it satisfies subsection (1) alone or jointly with others, and

(b)a qualifying competent authority is the “controller” in relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.”,

(b)in subsection (1), for the words before paragraph (a) substitute “This subsection is satisfied by a person who—”, and

(c)in subsection (2), for “intelligence service on which” substitute “person on whom”.

(5)In section 84 (other definitions)—

(a)after subsection (2) insert—

“(2A)“Designation notice” has the meaning given in section 82A.”, and

(b)before subsection (7) insert—

“(6B)“Withdrawal notice” has the meaning given in section 82C.”

(6)In section 104(1) (joint controllers), for “intelligence services” substitute “controllers”.

(7)In section 202(1)(a)(i) (proceedings in the First-tier Tribunal: contempt) after “79,” insert “82E,”.

(8)In section 203(1) (Tribunal Procedure Rules), after “79,” insert “82E,”.

(9)In section 206 (index of defined expressions), in the Table—

(a)in the entry for “competent authority”—

(i)for “Part 3” substitute “Parts 3 and 4”, and

(ii)for “section 30” substitute “sections 30 and 82”, and

(b)at the appropriate places insert—

(10)In section 199(2)(a) of the Investigatory Powers Act 2016 (bulk personal datasets: meaning of “personal data”), after “section 82(1) of that Act” insert “by an intelligence service”.

Information Commissioner’s roleU.K.

91Duties of the Commissioner in carrying out functionsU.K.

(1)The 2018 Act is amended in accordance with subsections (2) to (4).

(2)Omit section 2(2) (duty of Commissioner when carrying out functions).

(3)After section 120 insert—

“Duties in carrying out functionsU.K.

120APrincipal objective

It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—

(a)to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and

(b)to promote public trust and confidence in the processing of personal data.

120BDuties in relation to functions under the data protection legislation

In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—

(a)the desirability of promoting innovation;

(b)the desirability of promoting competition;

(c)the importance of the prevention, investigation, detection and prosecution of criminal offences;

(d)the need to safeguard public security and national security;

(e)the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

120CStrategy

(1)The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—

(a)sections 120A and 120B,

(b)section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and

(c)section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).

(2)The Commissioner must—

(a)review the strategy from time to time, and

(b)revise the strategy as appropriate.

(3)The Commissioner must publish the strategy and any revised strategy.

120DDuty to consult other regulators

(1)The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.

(2)The persons are—

(a)such persons exercising regulatory functions as the Commissioner considers appropriate;

(b)such other persons as the Commissioner considers appropriate.

(3)In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.”

(4)In section 139 (reporting to Parliament), after subsection (1) insert—

“(1A)In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)—

(a)a review of what the Commissioner has done during the reporting period to comply with the duties under—

(i)sections 120A and 120B,

(ii)section 108 of the Deregulation Act 2015, and

(iii)section 21 of the Legislative and Regulatory Reform Act 2006,

including a review of the operation of the strategy prepared and published under section 120C;

(b)a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D.

(1B)In subsection (1A), “the reporting period” means the period to which the report relates.”

(5)The Information Commissioner must prepare and publish a strategy in accordance with section 120C of the 2018 Act before the end of the period of 18 months beginning with the day on which this section comes into force.

92Codes of practice for the processing of personal dataU.K.

(1)The 2018 Act is amended in accordance with subsections (2) to (6).

(2)After section 124 insert—

“124AOther codes of practice

(1)The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.

(2)Regulations under this section—

(a)must describe the personal data or processing to which the code of practice is to relate, and

(b)may describe the persons or classes of person to whom it is to relate.

(3)Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(4)Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)trade associations;

(b)data subjects;

(c)persons who appear to the Commissioner to represent the interests of data subjects.

(5)A code under this section may include transitional provision or savings.

(6)Regulations under this section are subject to the negative resolution procedure.

(7)In this section—

• “good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;

• “trade association” includes a body representing controllers or processors.”

(3)In section 125 (approval of codes prepared under sections 121 to 124)—

(a)in the heading, for “124” substitute “124A”,

(b)in subsection (1), for “or 124” substitute “, 124 or 124A”,

(c)in subsection (3), for “or 124” substitute “, 124 or 124A”,

(d)for subsection (5) substitute—

“(5)If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.”, and

(e)in subsection (9), for “or 124” substitute “, 124 or 124A”.

(4)In section 126 (publication and review of codes issued under section 125(4)), in subsection (4), for “or 124(2)” substitute “, 124(2) or 124A(3)”.

(5)Omit section 128 (other codes of practice).

(6)In section 129 (consensual audits), in subsection (3), for “128” substitute “124A”.

(7)In section 19AC of the Registration Service Act 1953 (code of practice), in subsection (11), for “128” substitute “124A”.

(8)In the Statistics and Registration Service Act 2007—

(a)in section 45 (information held by HMRC), in subsection (4A), for “128” substitute “124A”,

(b)in section 45A (information held by other public authorities), in subsection (8), for “128” substitute “124A”,

(c)in section 45E (further provisions about powers in sections 45B, 45C and 45D), in subsection (16), for “128” substitute “124A”, and

(d)in section 53A (disclosure by the Board to devolved administrations), in subsection (9), for “128” substitute “124A”.

(9)In the Digital Economy Act 2017—

(a)in section 43 (code of practice), in subsection (13), for “128” substitute “124A”,

(b)in section 52 (code of practice), in subsection (13), for “128” substitute “124A”,

(c)in section 60 (code of practice), in subsection (13), for “128” substitute “124A”, and

(d)in section 70 (code of practice), in subsection (15), for “128” substitute “124A”.

93Codes of practice: panels and impact assessmentsU.K.

In the 2018 Act, after section 124A (inserted by section 92 of this Act) insert—

“124BPanels to consider codes of practice

(1)This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11).

(2)The Commissioner must establish a panel of individuals to consider the code.

(3)The panel must consist of—

(a)individuals the Commissioner considers have expertise in the subject matter of the code, and

(b)individuals the Commissioner considers—

(i)are likely to be affected by the code, or

(ii)represent persons likely to be affected by the code.

(4)Before the panel begins to consider the code, the Commissioner must—

(a)publish the code in draft, and

(b)publish a statement that—

(i)states that a panel has been established to consider the code,

(ii)identifies the members of the panel,

(iii)explains the process by which they were selected, and

(iv)explains the reasons for their selection.

(5)Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.

(6)Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that—

(a)identifies the member of the panel,

(b)explains the process by which the member was selected, and

(c)explains the reasons for the member’s selection.

(7)The Commissioner must make arrangements—

(a)for the members of the panel to consider the code with one another (whether in person or otherwise), and

(b)for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner.

(8)If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—

(a)make any alterations to the code that the Commissioner considers appropriate in the light of the report, and

(b)publish—

(i)the code in draft,

(ii)the report or a summary of it, and

(iii)in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.

(9)The Commissioner may pay remuneration and expenses to the members of the panel.

(10)This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11).

(11)The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of—

(a)a code prepared under section 124A, or

(b)an amendment of such a code,

that is specified or described in the regulations.

(12)Regulations under this section are subject to the negative resolution procedure.

124CImpact assessments for codes of practice

(1)Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of—

(a)who would be likely to be affected by the code, and

(b)the effect the code would be likely to have on them.

(2)This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.”

95Analysis of performanceU.K.

In the 2018 Act, after section 139 insert—

“139AAnalysis of performance

(1)The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators.

(2)The analysis must be prepared and published at least annually.

(3)In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.

Documents and notices”.

96Notices from the CommissionerU.K.

(1)The 2018 Act is amended in accordance with subsections (2) and (3).

(2)Omit section 141 (notices from the Commissioner).

(3)After that section insert—

“141ANotices from the Commissioner

(1)This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.

(2)The notice may be given to the person by—

(a)delivering it by hand to a relevant individual,

(b)leaving it at the person’s proper address,

(c)sending it by post to the person at that address, or

(d)sending it by email to the person’s email address.

(3)A “relevant individual” means—

(a)in the case of a notice to an individual, that individual;

(b)in the case of a notice to a body corporate (other than a partnership), an officer of that body;

(c)in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business;

(d)in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body.

(4)For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—

(a)in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;

(b)in any other case, the address determined in accordance with subsection (5).

(5)The address is—

(a)in a case where the person is a body corporate with a registered office in the United Kingdom, that office;

(b)in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;

(c)in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.

(6)A person’s email address is—

(a)an email address published for the time being by that person as an address for contacting that person, or

(b)if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.

(7)A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.

(8)In this section, “officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body.

(9)This section does not limit other lawful means of giving a notice.”

(4)In Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers), in paragraph 1(b), for “141” substitute “141A”.

EnforcementU.K.

97Power of the Commissioner to require documentsU.K.

(1)The 2018 Act is amended as follows.

(2)In section 142 (information notices)—

(a)in subsection (1)—

(i)in paragraph (a), after “information” insert “or documents”, and

(ii)in paragraph (b), after “information” insert “or documents”,

(b)in subsection (2)(b), after “information” insert “or documents”,

(c)in subsection (3)—

(i)in paragraph (a), after “information”, in both places it occurs, insert “or documents”,

(ii)in paragraph (b), after “information” insert “or documents”,

(iii)in paragraph (c), after “information” insert “or documents”, and

(iv)in paragraph (d), after “information” insert “or documents”,

(d)in subsection (5), after “information”, in the second place it occurs, insert “or documents”,

(e)in subsection (6), after “information”, in the second place it occurs, insert “or documents”, and

(f)in subsection (7)—

(i)in paragraph (a), for “is” substitute “or documents are”, and

(ii)in the words after paragraph (b), after “information” insert “or documents”.

(3)In section 143 (information notices: restrictions)—

(a)in subsection (1)(b)(ii), for “is” substitute “or documents are”,

(b)in subsection (2), after “information”, in the second place it occurs, insert “or documents”,

(c)in subsection (3), for “in respect” substitute “or documents to the extent that requiring the person to do so would result in the disclosure”,

(d)in subsection (4), for “in respect” substitute “or documents to the extent that requiring the person to do so would result in the disclosure”, and

(e)in subsection (6), after “information”, in the second place it occurs, insert “or documents”.

(4)In section 145 (information orders)—

(a)in subsection (2)—

(i)in paragraph (a), after “information”, in the first place it occurs, insert “or documents”, and

(ii)in paragraph (b), after “information” insert “or documents”, and

(b)in subsection (3)—

(i)in paragraph (a), after “information” insert “or documents”,

(ii)in paragraph (b), after “information” insert “or documents”, and

(iii)in paragraph (c), after “information” insert “or documents”.

(5)In section 148(1) (destroying or falsifying information and documents etc), in paragraph (a), after “information”, in the second place it occurs, insert “or a document”.

(6)In section 160 (guidance about regulatory action), in subsection (3)(a), for “is” substitute “or documents are”.

(7)In Schedule 17 (review of processing of personal data for the purposes of journalism), in paragraph 2(2) (information notices)—

(a)in paragraph (a), for “is” substitute “or documents are”, and

(b)in the words after paragraph (b), after “information” insert “or documents”.

102Annual report on regulatory actionU.K.

(1)The 2018 Act is amended as follows.

(2)In section 139 (reporting to Parliament), before subsection (3) insert—

“(2A)The report under this section may include the annual report under section 161A.”

(3)In the italic heading before section 160, at the end insert “and report”.

(4)After section 161 insert—

“161AAnnual report on regulatory action

(1)The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).

(2)The report must include the following information about UK GDPR investigations—

(a)the number of investigations begun, continued or completed by the Commissioner during the reporting period,

(b)the different types of act and omission that were the subject matter of the investigations,

(c)the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations,

(d)the duration of investigations that ended in the reporting period, and

(e)the different types of outcome in investigations that ended in that period.

(3)The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with—

(a)processing of personal data by a competent authority for any of the law enforcement purposes, and

(b)processing of personal data to which Part 4 applies.

(4)The information included in the report in accordance with subsections (2) and (3) must include information about—

(a)the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and

(b)the reasons why that happened.

(5)The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).

(6)In this section—

• “enforcement powers” means the powers under—

  (a)

  Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,

  (b)

  sections 142 to 159 of this Act,

  (c)

  paragraph 2(a), (b) and (c) of Schedule 13 to this Act, and

  (d)

  Schedules 15 and 16 to this Act;

• “the law enforcement purposes” has the meaning given in section 31 of this Act;

• “the reporting period” means the period to which the report relates;

• “UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).”

103Complaints by data subjectsU.K.

(1)The 2018 Act is amended in accordance with subsections (2) and (3).

(2)Before section 165 (but after the italic heading before it) insert—

“164AComplaints by data subjects to controllers

(1)A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.

(2)A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means.

(3)If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.

(4)If a controller receives a complaint under this section, the controller must without undue delay—

(a)take appropriate steps to respond to the complaint, and

(b)inform the complainant of the outcome of the complaint.

(5)The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes—

(a)making enquiries into the subject matter of the complaint, to the extent appropriate, and

(b)informing the complainant about progress on the complaint.

164BControllers to notify the Commissioner of the number of complaints

(1)The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations.

(2)Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.

(3)Regulations under this section may include—

(a)provision about a matter listed in subsection (4), or

(b)provision conferring power on the Commissioner to determine those matters.

(4)The matters are—

(a)the form and manner in which a notification must be made,

(b)the time at which, or period within which, a notification must be made, and

(c)how the number of complaints made to a controller during a period is to be calculated.

(5)Regulations under this section are subject to the negative resolution procedure.”

(3)In section 165 (complaints by data subjects to the Commissioner)—

(a)omit subsection (1), and

(b)in subsection (2), after “infringement of” insert “the UK GDPR or”.

(4)The UK GDPR is amended in accordance with subsections (5) and (6).

(5)In Article 57 (Commissioner’s tasks)—

(a)in paragraph 1, omit point (f), and

(b)omit paragraph 2.

(6)Omit Article 77 (right to lodge a complaint with the Commissioner).

(7)Schedule 10 to this Act contains minor and consequential amendments.

104Court procedure in connection with subject access requestsU.K.

(1)The 2018 Act is amended as follows.

(2)For the italic heading before section 180 substitute—

“Jurisdiction and court procedure”.

(3)After section 180 insert—

“180AProcedure in connection with subject access requests

(1)This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—

(a)Article 15 of the UK GDPR (right of access by the data subject);

(b)Article 20 of the UK GDPR (right to data portability);

(c)section 45 of this Act (law enforcement processing: right of access by the data subject);

(d)section 94 of this Act (intelligence services processing: right of access by the data subject).

(2)The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.

(3)But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.

(4)Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.”

Protection of prohibitions, restrictions and data subject’s rightsU.K.

106Protection of prohibitions, restrictions and data subject’s rightsU.K.

(1)The 2018 Act is amended in accordance with subsections (2) to (5).

(2)After section 183 insert—

“Prohibitions and restrictions etc on processingU.K.

183AProtection of prohibitions and restrictions etc on processing: relevant enactments

(1)A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data.

(2)Subsection (1) does not apply—

(a)to a relevant enactment forming part of the main data protection legislation, or

(b)to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation).

(3)Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power.

(4)In this section—

• “the main data protection legislation” means the data protection legislation other than provision of or made under—

  (a)

  Chapter 6 or 8 of the UK GDPR, or

  (b)

  Parts 5 to 7 of this Act;

• “relevant enactment” means an enactment so far as passed or made on or after the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force;

• “requirement” includes a prohibition or restriction.

(5)The reference in subsection (1) to an enactment or rule of law which imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)—

(a)by authorising one person to require another person to process personal data, or

(b)by removing restrictions on processing personal data,

and the references in subsection (3) to a duty or power are to be read accordingly.”

(3)Before section 184 (and the italic heading before it) insert—

“183BProtection of prohibitions and restrictions etc on processing: other enactments

(1)This section is about the relationship between—

(a)a pre-commencement enactment which imposes a duty, or confers a power, to process personal data, and

(b)a provision of the main data protection legislation containing a requirement relating to the processing of personal data.

(2)The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).

(3)Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship.

(4)Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another.

(5)In this section—

(a)“the main data protection legislation” and “requirement” have the same meaning as in section 183A, and

(b)“pre-commencement enactment” means an enactment so far as passed or made before the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force.

(6)Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).”

(4)In section 186 (data subject’s rights and other prohibitions and restrictions)—

(a)for the heading substitute “Protection of data subject’s rights”,

(b)in subsection (1) omit “, except as provided by or under the provisions listed in subsection (3)”,

(c)after subsection (2) insert—

“(2A)Subsection (1) does not apply—

(a)to an enactment contained in, or made under, a provision listed in subsection (2),

(b)to an enactment contained in, or made under, a provision listed in subsection (3),

(c)to the extent that an enactment makes express provision to the contrary referring to this section or to a provision listed in subsection (2), or

(d)to the extent that subsection (1) is disapplied by section 186A(3).”, and

(d)in subsection (3)—

(i)for “provisions providing exceptions” substitute “provisions referred to in subsection (2A)(b)”, and

(ii)omit paragraph (c) (and the “and” after it).

(5)After section 186 insert—

“186AProtection of data subject’s rights: further provision

(1)This section is about the relationship between—

(a)a pre-commencement enactment which prohibits or restricts the disclosure of information or authorises the withholding of information, and

(b)a provision of the UK GDPR or this Act listed in section 186(2).

(2)The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).

(3)Subsection (1) of section 186 does not apply to the relationship so far as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section).

(4)Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another.

(5)In this section, “pre-commencement enactment” means an enactment so far as passed or made before the day on which section 106(4) of the Data (Use and Access) Act 2025 comes into force, other than an enactment contained in, or made under, a provision listed in section 186(2) or (3).”

(6)In section 5 of the European Union (Withdrawal) Act 2018 (exceptions to savings and incorporation), in subsection (A3)(a)—

(a)for “section” substitute “sections 183A and”,

(b)for “(data subject’s rights and other prohibitions and restrictions)” substitute “(protection of prohibitions, restrictions and data subject’s rights)”, and

(c)at the end insert “(and see also section 183B(3) of that Act)”.

(7)Subsections (3), (5) and (6)(c) are to be treated as having come into force on 1 January 2024.

MiscellaneousU.K.

107Regulations under the UK GDPRU.K.

(1)In the UK GDPR, after Chapter 9 insert—

“CHAPTER 9AU.K.Regulations