In this Chapter—
“the 2018 Act” means the Data Protection Act 2018;
“the UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Commencement Information
I1S. 66 in force at Royal Assent, see s. 142(2)(a)
(1)In Article 4 of the UK GDPR (definitions)—
(a)the existing text becomes paragraph 1, and
(b)after that paragraph insert—
“2.References in this Regulation to the processing of personal data for the purposes of scientific research (including references to processing for “scientific research purposes”) are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.
3.Such references—
(a)include processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific, but
(b)only include processing for the purposes of a study in the area of public health that can reasonably be described as scientific where the study is conducted in the public interest.
4.References in this Regulation to the processing of personal data for the purposes of historical research (including references to processing for “historical research purposes”) include processing for the purposes of genealogical research.
5.References in this Regulation to the processing of personal data for statistical purposes are references to processing for statistical surveys or for the production of statistical results where—
(a)the information that results from the processing is aggregate data that is not personal data, and
(b)the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.”
(2)In consequence of the amendment made by subsection (1)(a), in section 6 of the 2018 Act (meaning of “controller”), for “4(7)” substitute “4(1)(7)”.
Commencement Information
I2S. 67 not in force at Royal Assent, see s. 142(1)
I3S. 67 in force at 5.2.2026 by S.I. 2026/82, reg. 2(a)
(1)Article 4 of the UK GDPR (definitions) is amended as follows.
(2)In point (11) of paragraph 1 (definition of “consent”), at the end insert “(and see paragraphs 6 and 7 of this Article)”.
(3)After paragraph 5 (inserted by section 67 of this Act) insert—
“6.A data subject’s consent is to be treated as falling within the definition of “consent” in point (11) of paragraph 1 if—
(a)it does not fall within that definition because (and only because) the consent is given to the processing of personal data for the purposes of an area of scientific research,
(b)at the time the consent is sought, it is not possible to identify fully the purposes for which personal data is to be processed,
(c)seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research, and
(d)so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research.
7.References in this Regulation to consent given for a specific purpose (however expressed) include consent described in paragraph 6.”
Commencement Information
I4S. 68 not in force at Royal Assent, see s. 142(1)
I5S. 68 in force at 5.2.2026 by S.I. 2026/82, reg. 2(b)
(1)The 2018 Act is amended as follows.
(2)In section 33 (definitions), after subsection (1) insert—
“(1A)“Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).”
(3)In section 34(2) (overview of Chapter 2 of Part 3), after paragraph (a) (but before the “and” at the end of that paragraph) insert—
“(aa)section 40A makes provision about processing carried out in reliance on the consent of the data subject,”.
(4)After section 40 insert—
(1)This section is about processing of personal data that is carried out in reliance on the consent of the data subject.
(2)The controller must be able to demonstrate that the data subject consented to the processing.
(3)If the data subject’s consent is given in writing as part of a document which also concerns other matters, the request for consent must be made—
(a)in a manner which clearly distinguishes the request from the other matters,
(b)in an intelligible and easily accessible form, and
(c)in clear and plain language.
(4)Any part of a document described in subsection (3) which constitutes an infringement of this Part is not binding.
(5)The data subject may withdraw the consent at any time (but the withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal).
(6)Processing may only be carried out in reliance on consent if—
(a)before the consent is given, the controller or processor informs the data subject of the right to withdraw it, and
(b)it is as easy for the data subject to withdraw the consent as to give it.
(7)When assessing whether consent is freely given, account must be taken of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.”
(5)In section 206 (index of defined expressions), in the Table, in the entry for “consent”—
(a)after “consent” insert “(to processing of personal data)”,
(b)for “Part” substitute “Parts 3 and”, and
(c)for “section” substitute “sections 33, 40A and”.
Commencement Information
I6S. 69 in force at 19.8.2025, see s. 142(3)(a)
(1)The UK GDPR is amended in accordance with subsections (2) to (5).
(2)In Article 6(1) (lawful processing)—
(a)in point (e)—
(i)after “task” insert “of the controller”, and
(ii)after “or” insert “a task carried out”,
(b)after that point insert—
“(ea)processing is necessary for the purposes of a recognised legitimate interest;”, and
(c)in the words after point (f), for “Point (f)” substitute “Points (ea) and (f)”.
(3)In Article 6(3) (basis for processing etc), in the last subparagraph, in the first sentence—
(a)after “task” insert “of the controller”, and
(b)after “interest or” insert “a task carried out”.
(4)In Article 6, at the end insert—
“5.For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.
6.The Secretary of State may by regulations amend Annex 1 by—
(a)adding or varying provisions, or
(b)omitting provisions added by regulations made under this paragraph.
7.The Secretary of State may only make regulations under paragraph 6 where—
(a)the requirement in paragraph 8 is satisfied, and
(b)if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied.
8.The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things—
(a)the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and
(b)where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
9.The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
10.Regulations under paragraph 6 are subject to the affirmative resolution procedure.
11.For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—
(a)processing that is necessary for the purposes of direct marketing,
(b)intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and
(c)processing that is necessary for the purposes of ensuring the security of network and information systems.
12.In paragraph 11—
“intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;
“security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).”
(5)In Article 21(1) (right to object), after “point (e)” insert “, (ea)”.
(6)Schedule 4 to this Act inserts Annex 1 to the UK GDPR.
(7)In section 8 of the 2018 Act (lawfulness of processing: public interest etc), omit “the controller’s”.
(8)In the provisions listed in subsection (9)—
(a)for “gateway” substitute “gateways”, and
(b)for “were omitted” substitute “disapplied only the gateway in point (ea) (recognised legitimate interests)”.
(9)The provisions are—
(a)section 40(8) of the Freedom of Information Act 2000 (personal data which is exempt information);
(b)section 38(5A) of the Freedom of Information (Scotland) Act 2002 (asp 13) (personal data which is exempt information);
(c)regulation 13(6) of the Environmental Information Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);
(d)regulation 11(7) of the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);
(e)regulation 45(1E) of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);
(f)regulation 39(1E) of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information);
(g)regulation 9(9) of the INSPIRE Regulations 2009 (S.I. 2009/3157) (limitation of public access to personal data included in a spatial data set);
(h)regulation 10(8) of the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440) (limitation of public access to personal data included in a spatial data set).
Commencement Information
I7S. 70 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I8S. 70 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(c)
(1)The UK GDPR is amended in accordance with subsections (2) to (5).
(2)In Article 5(1)(b) (purpose limitation)—
(a)after “collected” insert “(whether from the data subject or otherwise)”,
(b)after “further processed” insert “by or on behalf of a controller”, and
(c)for the words from “those purposes;” to “initial purposes” substitute “the purposes for which the controller collected the data”.
(3)In Article 5, at the end insert—
“3.For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.”
(4)In Article 6 (lawfulness of processing), omit paragraph 4.
(5)After Article 8 insert—
1.This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.
2.In making the determination, a person must take into account, among other things—
(a)any link between the original purpose and the new purpose;
(b)the context in which the personal data was collected, including the relationship between the data subject and the controller;
(c)the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);
(d)the possible consequences of the intended processing for data subjects;
(e)the existence of appropriate safeguards (for example, encryption or pseudonymisation).
3.Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where—
(a)the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate,
(b)the processing is carried out in accordance with Article 84B—
(i)for the purposes of scientific research or historical research,
(ii)for the purposes of archiving in the public interest, or
(iii)for statistical purposes,
(c)the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so,
(d)the processing meets a condition in Annex 2, or
(e)the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law.
4.Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—
(a)it falls within paragraph 3(a) or (c), or
(b)it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent.
5.The Secretary of State may by regulations amend Annex 2 by—
(a)adding or varying provisions, or
(b)omitting provisions added by regulations made under this paragraph.
6.The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
7.Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.
8.Regulations under paragraph 5 are subject to the affirmative resolution procedure.”
(6)Schedule 5 to this Act inserts Annex 2 to the UK GDPR.
(7)The 2018 Act is amended in accordance with subsections (8) to (10).
(8)In section 36(1) (the second data protection principle)—
(a)in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and
(b)in paragraph (b)—
(i)after “processed” insert “by or on behalf of a controller”, and
(ii)for “it was collected” substitute “the controller collected it”.
(9)In section 87(1) (the second data protection principle)—
(a)in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and
(b)in paragraph (b)—
(i)after “processed” insert “by or on behalf of a controller”, and
(ii)for “it was collected” substitute “the controller collected it”.
(10)In paragraph 1 of Schedule 2 (exemptions etc from the UK GDPR: provisions to be adapted or restricted), omit sub-paragraph (b)(ii).
Commencement Information
I9S. 71 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I10S. 71 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(d)
(1)The UK GDPR is amended in accordance with subsections (2) to (5).
(2)In Article 6(3) (lawfulness of processing: basis in domestic law)—
(a)in the first subparagraph, omit “and (e)”,
(b)after that subparagraph insert—
“The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).”, and
(c)in the last subparagraph, in the last sentence, after “domestic law” insert “or relevant international law”.
(3)In Article 8A(3)(e) (purpose limitation: further processing necessary to safeguard an objective listed in Article 23(1)) (inserted by section 71 of this Act), at the end insert “or by relevant international law (see section 9A of the 2018 Act)”.
(4)In Article 9 (processing of special categories of personal data)—
(a)in paragraph 2(g) (substantial public interest), after “domestic law” insert “, or relevant international law,”, and
(b)in paragraph 5, before point (a) insert—
“(za)section 9A makes provision about when the requirement in paragraph 2(g) of this Article for a basis in relevant international law is met;”.
(5)In Article 10 (processing of personal data relating to criminal convictions and offences)—
(a)in paragraph 1, after “domestic law” insert “, or relevant international law,”, and
(b)in paragraph 2, before point (a) insert—
“(za)section 9A makes provision about when the requirement in paragraph 1 of this Article for authorisation by relevant international law is met;”.
(6)The 2018 Act is amended in accordance with subsections (7) and (8).
(7)Before section 10 (and the italic heading before that section) insert—
(1)Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.
(2)A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.
(3)The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—
(a)conditions,
(b)provision about the purposes for which a condition may be relied on, and
(c)safeguards in connection with processing carried out in reliance on a condition in the Schedule.
(4)Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.
(5)Regulations under this section are subject to the affirmative resolution procedure.
(6)In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).”
(8)Before Schedule 1 insert—
Section 9A
This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.”
Commencement Information
I11S. 72 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I12S. 72(1)(2)(4)-(6)(8) in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(b)
I13S. 72(3)(7) in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(e)
I14S. 72(7) in force at 20.8.2025 for specified purposes by S.I. 2025/904, reg. 2(b)
In paragraph 23 of Schedule 1 to the 2018 Act (processing of special categories of personal data: elected representatives responding to requests), in sub-paragraph (4), for “fourth day after” substitute “period of 30 days beginning with the day after”.
Commencement Information
I15S. 73 not in force at Royal Assent, see s. 142(1)
I16S. 73 in force at 5.2.2026 by S.I. 2026/82, reg. 2(f)
(1)In Chapter 2 of the UK GDPR, after Article 11 insert—
1.The Secretary of State may by regulations—
(a)make provision so that an additional description of processing of personal data is subject to the prohibition in Article 9(1),
(b)make provision so that added processing is not subject to that prohibition,
(c)make provision so that an exception in Article 9(2) may or may not be relied on in connection with added processing, and
(d)make provision varying such an exception as it applies in connection with added processing.
2.In paragraph 1, “added processing” means a description of processing which is subject to the prohibition in Article 9(1) by virtue of provision made under paragraph 1(a).
3.Regulations made under this Article (in reliance on Article 91A(4)(b)) may amend section 5, 205 or 206 of the 2018 Act (interpretation).
4.Regulations under this Article are subject to the affirmative resolution procedure.”
(2)The 2018 Act is amended in accordance with subsections (3) to (9).
(3)In section 33 (definitions of expressions used in Part 3), after subsection (6) insert—
“(6A)“Sensitive processing” has the meaning given in section 35(8).”
(4)In section 35 (the first data protection principle)—
(a)in subsection (6)(b) (power to omit conditions added to Schedule 8 by regulations), after “by”, in the first place it occurs, insert “varying or”, and
(b)in subsection (8) (definition of “sensitive processing”), for “section” substitute “Part”.
(5)After section 42 insert—
(1)The Secretary of State may by regulations—
(a)make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
(b)make provision so that added processing is not sensitive processing for the purposes of this Part,
(c)make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and
(d)make provision varying such a condition as it relates to added processing.
(2)In subsection (1)—
“added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);
“protected condition in Schedule 8” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).
(3)Regulations under this section may amend this Part and sections 205 and 206.
(4)Regulations under this section are subject to the affirmative resolution procedure.”
(6)In section 84 (definitions of expressions used in Part 4), after subsection (6) insert—
“(6A)“Sensitive processing” has the meaning given in section 86(7).”
(7)In section 86 (the first data protection principle)—
(a)in subsection (3)(b) (power to omit conditions added to Schedule 10 by regulations), after “by”, in the first place it occurs, insert “varying or”, and
(b)in subsection (7) (definition of “sensitive processing”), for “section” substitute “Part”.
(8)After section 91 insert—
(1)The Secretary of State may by regulations—
(a)make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
(b)make provision so that added processing is not sensitive processing for the purposes of this Part,
(c)make provision so that a protected condition in Schedule 10 may or may not be relied on in connection with added processing, and
(d)make provision varying such a condition as it relates to added processing.
(2)In subsection (1)—
“added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);
“protected condition in Schedule 10” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3).
(3)Regulations under this section may amend this Part and sections 205 and 206.
(4)Regulations under this section are subject to the affirmative resolution procedure.”
(9)In section 206 (index of defined expressions), in the Table, at the appropriate place insert—
| “sensitive processing (in Parts 3 and 4) | sections 35 and 86”. |
(10)The Investigatory Powers Act 2016 is amended in accordance with subsections (11) to (13).
(11)In section 202(4) (restrictions on use of class BPD warrants: definitions), omit the definition of “sensitive personal data” and insert—
““sensitive personal data” means personal data whose retention, or (as appropriate) retention and examination, would be sensitive processing;
“sensitive processing” means—
processing of personal data relating to a living individual that is processing of a kind described in section 86(7)(a) to (e) of the Data Protection Act 2018, or
processing of personal data relating to a deceased individual that would be that kind of processing if the personal data related to a living individual.”
(12)After that section insert—
(1)The Secretary of State may by regulations—
(a)make provision so that a description of Part 4 sensitive processing, or of processing that would be such processing if the information processed related to a living individual, is sensitive processing for the purposes of section 202, and
(b)make provision so that added processing is not sensitive processing for the purposes of that section.
(2)In this section—
“added processing” means a description of processing that is sensitive processing for the purposes of section 202 by virtue of provision made under subsection (1)(a);
“Part 4 sensitive processing” means processing of personal data that, at the time the regulations are made, is sensitive processing for the purposes of Part 4 of the Data Protection Act 2018 by virtue of regulations made under section 91A of that Act.
(3)Regulations under this section may amend section 202.”
(13)In section 267(3) (regulations subject to the affirmative procedure), after paragraph (e) insert—
“(ea)section 202A,”.
Commencement Information
I17S. 74 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I18S. 74 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(c)
(1)The 2018 Act is amended as follows.
(2)In section 53 (manifestly unfounded or excessive requests by the data subject under Part 3)—
(a)after subsection (4) insert—
“(4A)The Secretary of State may by regulations—
(a)require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and
(b)specify what the guidance must include.”,
(b)in subsection (5), for “subsection (4)” substitute “this section”, and
(c)after subsection (5) insert—
“(6)If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of—
(a)the reasons for not doing so, and
(b)the data subject’s right to lodge a complaint with the Commissioner.
(7)The controller must comply with subsection (6)—
(a)without undue delay, and
(b)in any event, before the end of the applicable time period (as to which see section 54).”
(3)In section 54(1) (meaning of “applicable time period”), for “and 48(2)(b)” substitute “, 48(2)(b) and 53(7)”.
Commencement Information
I19S. 75 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I20S. 75 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(g)
(1)The UK GDPR is amended in accordance with subsections (2) and (3).
(2)In Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject)—
(a)in paragraph 3—
(i)for “within one month of receipt of the request” substitute “before the end of the applicable time period (see Article 12A)”, and
(ii)omit the second and third sentences,
(b)in paragraph 4, for “without delay and at the latest within one month of receipt of the request” substitute “without undue delay, and in any event before the end of the applicable time period (see Article 12A),”, and
(c)in paragraph 6—
(i)after “may” insert “—
(a)”, and
(ii)at the end insert “, and
(b)delay dealing with the request until the identity is confirmed.”
(3)After Article 12 insert—
1.In Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3.
2.“The relevant time” means the latest of the following—
(a)when the controller receives the request in question;
(b)when the controller receives the information (if any) requested in connection with a request under Article 12(6);
(c)when the fee (if any) charged in connection with the request under Article 12(5) is paid.
3.The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)the complexity of requests made by the data subject, or
(b)the number of such requests.
4.A notice under paragraph 3 must—
(a)be given before the end of the period of one month beginning with the relevant time, and
(b)state the reasons for the delay.
5.Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under Article 15 relates—
(a)the controller may ask the data subject to provide the further information, and
(b)the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
(i)the applicable time period, or
(ii)the period described in paragraph 4(a).
6.An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.”
(4)The 2018 Act is amended in accordance with subsections (5) to (7).
(5)In section 45(5) (right of access by the data subject), after “delay” insert “and in any event before the end of the applicable time period (as to which see section 54)”.
(6)In section 54 (meaning of “applicable time period” for responding to data subjects’ requests)—
(a)in subsection (1), after “45(3)(b)” insert “and (5)”,
(b)in subsection (2)—
(i)for “1 month, or such longer period as may be specified in regulations,” substitute “one month”, and
(ii)at the end insert “, subject to subsection (3A)”,
(c)after subsection (3) insert—
“(3A)The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)the complexity of requests made by the data subject, or
(b)the number of such requests.
(3B)A notice under subsection (3A) must—
(a)be given before the end of the period of one month beginning with the relevant time, and
(b)state the reasons for the delay.
(3C)Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates—
(a)the controller may ask the data subject to provide the further information, and
(b)the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
(i)the applicable time period, or
(ii)the period described in subsection (3B)(a).
(3D)An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.”, and
(d)omit subsections (4) to (6).
(7)In section 94 (right of access under Part 4)—
(a)in subsection (14), for the definition of “the applicable time period” substitute—
““the applicable time period” means the period of one month beginning with the relevant time, subject to subsection (14A);”, and
(b)after subsection (14) insert—
“(14A)The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)the complexity of requests made by the data subject, or
(b)the number of such requests.
(14B)A notice under subsection (14A) must—
(a)be given before the end of the period of one month beginning with the relevant time, and
(b)state the reasons for the delay.”
Commencement Information
I21S. 76 not in force at Royal Assent, see s. 142(1)
I22S. 76 in force at 5.2.2026 by S.I. 2026/82, reg. 2(h) (with reg. 4)
(1)In Article 13 of the UK GDPR (information to be provided where personal data is collected from the data subject)—
(a)in paragraph 4, for “shall not apply where and insofar as” substitute “do not apply to the extent that”, and
(b)at the end insert—
“5.Paragraph 3 does not apply to the extent that—
(a)the controller intends to further process the personal data—
(i)for (and only for) the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes, and
(ii)in accordance with Article 84B, and
(b)providing the information is impossible or would involve a disproportionate effort.
6.For the purposes of paragraph 5(b), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
7.A controller relying on paragraph 5 must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”
(2)In Article 14 of the UK GDPR (information to be provided where personal data is not obtained from the data subject)—
(a)in paragraph 5—
(i)for “shall not apply where and insofar as” substitute “do not apply to the extent that”,
(ii)omit point (b),
(iii)omit the “or” at the end of point (c),
(iv)in point (d), omit “where”, and
(v)after that point insert—
“(e)providing the information is impossible or would involve a disproportionate effort, or
(f)the obligation referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended.”, and
(b)at the end insert—
“6.For the purposes of paragraph 5(e), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
7.A controller relying on paragraph 5(e) or (f) must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”
Commencement Information
I23S. 77 not in force at Royal Assent, see s. 142(1)
I24S. 77 in force at 5.2.2026 by S.I. 2026/82, reg. 2(i)
(1)In Article 15 of the UK GDPR (right of access by the data subject)—
(a)after paragraph 1 insert—
“1A.Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.”, and
(b)in paragraph 3, after “processing” insert “to which the data subject is entitled under paragraph 1”.
(2)The 2018 Act is amended in accordance with subsections (3) and (4).
(3)In section 45 (law enforcement processing: right of access by the data subject), after subsection (2) insert—
“(2A)Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”
(4)In section 94 (intelligence services processing: right of access by the data subject), after subsection (2) insert—
“(2A)Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”
(5)The amendments made by this section are to be treated as having come into force on 1 January 2024.
Commencement Information
I25S. 78 in force at Royal Assent, see s. 142(2)(b)
(1)The 2018 Act is amended as follows.
(2)In section 43 (overview and scope of Chapter 3 of Part 3: rights of the data subject in connection with law enforcement processing)—
(a)in subsection (1)(a), for “section 44” substitute “sections 44 and 45A”, and
(b)in subsection (1)(b), for “section 45” substitute “sections 45 and 45A”.
(3)For the italic heading before section 44 substitute—
(4)In the heading of section 44, omit “Information:”.
(5)Omit the italic heading before section 45.
(6)After that section insert—
(1)Sections 44(2) and 45(1) do not require the controller to give the data subject—
(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or
(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
(2)A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—
(a)the decision to rely on the exemption,
(b)the reason for the decision,
(c)the data subject’s right to make a request to the Commissioner under section 51,
(d)the data subject’s right to lodge a complaint with the Commissioner under section 165, and
(e)the data subject’s right to apply to a court under section 167.
(3)Subsection (2)(a) and (b) do not apply to the extent that complying with them would—
(a)undermine a claim described in subsection (1)(a), or
(b)conflict with a duty described in subsection (1)(b).
(4)The controller must—
(a)record the reason for a decision to rely on the exemption in subsection (1), and
(b)if requested to do so by the Commissioner, make the record available to the Commissioner.
(5)The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).”
(7)In section 51 (exercise of rights through the Commissioner)—
(a)in subsection (1), after paragraph (b) (but before the “or” at the end of that paragraph) insert—
“(ba)relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege),”,
(b)in subsection (2), after paragraph (a) insert—
“(aa)where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;”,
(c)in subsection (4), after paragraph (a) insert—
“(aa)where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;”, and
(d)in subsection (6), after “(a)” insert “, (aa)”.
Commencement Information
I26S. 79 not in force at Royal Assent, see s. 142(1)
I27S. 79 in force at 5.9.2025 by S.I. 2025/996, reg. 2(1)(a) (with reg. 3)
(1)For Article 22 of the UK GDPR (automated individual decision-making, including profiling) substitute—
1.For the purposes of Articles 22B and 22C—
(a)a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
(b)a decision is a significant decision, in relation to a data subject, if—
(i)it produces a legal effect for the data subject, or
(ii)it has a similarly significant effect for the data subject.
2.When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.
1.A significant decision based entirely or partly on processing described in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met.
2.The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
3.The second condition is that—
(a)the decision is—
(i)necessary for entering into, or performing, a contract between the data subject and a controller, or
(ii)required or authorised by law, and
(b)point (g) of Article 9(2) applies.
4.A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea).
1.Where a significant decision taken by or on behalf of a controller in relation to a data subject is—
(a)based entirely or partly on personal data, and
(b)based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(3).
2.The safeguards must consist of or include measures which—
(a)provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject;
(b)enable the data subject to make representations about such decisions;
(c)enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
(d)enable the data subject to contest such decisions.
1.The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations.
2.The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject.
3.The Secretary of State may by regulations make the following types of provision about the safeguards required under Article 22C(1)—
(a)provision requiring the safeguards to include measures in addition to those described in Article 22C(2),
(b)provision imposing requirements which supplement what Article 22C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in Article 22C(2) must be done or be capable of being done), and
(c)provision about measures which are not to be taken to satisfy one or more of points (a) to (d) of Article 22C(2).
4.Regulations under paragraph 3 may not amend Article 22C.
5.Regulations under this Article are subject to the affirmative resolution procedure.”
(2)The 2018 Act is amended in accordance with subsections (3) to (5).
(3)For sections 49 and 50 (law enforcement processing: automated individual decision-making) substitute—
(1)For the purposes of sections 50B and 50C—
(a)a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
(b)a decision is a significant decision, in relation to a data subject, if—
(i)it produces an adverse legal effect for the data subject, or
(ii)it has a similarly significant adverse effect for the data subject.
(2)When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.
(1)A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.
(2)The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
(3)The second condition is that the decision is required or authorised by law.
(1)Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is—
(a)based entirely or partly on personal data, and
(b)based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).
(2)The safeguards must consist of or include measures which—
(a)provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject;
(b)enable the data subject to make representations about such decisions;
(c)enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
(d)enable the data subject to contest such decisions.
(3)Subsections (1) and (2) do not apply in relation to a significant decision if—
(a)exemption from those provisions is required for a reason listed in subsection (4),
(b)the controller reconsiders the decision as soon as reasonably practicable, and
(c)there is meaningful human involvement in the reconsideration of the decision.
(4)Those reasons are—
(a)to avoid obstructing an official or legal inquiry, investigation or procedure;
(b)to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)to protect public security;
(d)to safeguard national security;
(e)to protect the rights and freedoms of others.
(5)When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.
(1)The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.
(2)The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.
(3)Regulations under subsection (1) or (2) may amend section 50A.
(4)The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—
(a)provision requiring the safeguards to include measures in addition to those described in section 50C(2),
(b)provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and
(c)provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2).
(5)Regulations under this section are subject to the affirmative resolution procedure.”
(4)In section 96 (intelligence services processing: right not to be subject to automated decision-making)—
(a)in subsection (1), for “solely on” substitute “on entirely”,
(b)in subsection (3), after “section” insert “and section 97”, and
(c)at the end insert—
“(4)For the purposes of this section and section 97, a decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.”
(5)In section 97 (intelligence services processing: right to intervene in automated decision-making)—
(a)in subsection (1)(a), for “solely on” substitute “on entirely”,
(b)in subsection (4)(b), for “solely on” substitute “on entirely”, and
(c)omit subsection (6).
(6)Schedule 6 to this Act contains minor and consequential amendments.
Commencement Information
I28S. 80 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I29S. 80 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(j) (with reg. 5)
(1)Article 25 of the UK GDPR (data protection by design and by default) is amended as follows.
(2)After paragraph 1 insert—
“1A.In the case of processing carried out in the course of providing information society services which are likely to be accessed by children, when assessing what are appropriate technical and organisational measures in accordance with paragraph 1, the controller must take into account the children’s higher protection matters.
1B.The children’s higher protection matters are—
(a)how children can best be protected and supported when using the services, and
(b)the fact that children—
(i)merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and
(ii)have different needs at different ages and at different stages of development.”
(3)In paragraph 3, for “1 and 2” substitute “1 to 2”.
(4)At the end insert—
“4.Paragraphs 1A and 1B are not to be read as implying anything about the matters that may be relevant to the assessment of what are appropriate technical and organisational measures for the purposes of paragraph 1 in cases other than those described in paragraph 1A.
5.In this Article, “information society services” does not include preventive or counselling services.”
Commencement Information
I30S. 81 not in force at Royal Assent, see s. 142(1)
I31S. 81 in force at 5.2.2026 by S.I. 2026/82, reg. 2(k)
In section 62 of the 2018 Act (logging of law enforcement processing)—
(a)in subsection (2)(a), omit “justification for, and”, and
(b)in subsection (3)(a), omit “justification for, and”.
Commencement Information
I32S. 82 in force at 19.8.2025, see s. 142(3)(b)
In Article 41 of the UK GDPR (monitoring of approved codes of conduct)—
(a)in paragraph 4, omit the words from “, including suspension” to the end, and
(b)after that paragraph insert—
“4A.If the action taken by a body under paragraph 4 consists of suspending or excluding a controller or processor from the code, the body must inform the Commissioner, giving reasons for taking that action.”
Commencement Information
I33S. 83 not in force at Royal Assent, see s. 142(1)
I34S. 83 in force at 5.2.2026 by S.I. 2026/82, reg. 2(l)
(1)The 2018 Act is amended as follows.
(2)In section 55(1) (overview and scope of provisions about controllers and processors), at the end insert—
“(e)makes provision about codes of conduct (see section 71A).”
(3)In section 56 (general obligations of the controller), at the end insert—
“(4)Adherence to a code of conduct approved under section 71A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.”
(4)In section 59 (processors), after subsection (7) insert—
“(7A)Adherence to a code of conduct approved under section 71A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).”
(5)In section 66 (security of processing), at the end insert—
“(3)Adherence to a code of conduct approved under section 71A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).”
(6)After section 71 insert—
(1)The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part.
(2)Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.
(3)For the purposes of this section—
(a)“public body” means a body or other person whose functions are, or include, functions of a public nature, and
(b)a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).
(4)A code of conduct described in subsection (1) may, for example, make provision with regard to—
(a)lawful and fair processing;
(b)the collection of personal data;
(c)the information provided to the public and to data subjects;
(d)the exercise of the rights of data subjects;
(e)the measures and procedures referred to in sections 56, 57 and 62;
(f)the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects;
(g)the transfer of personal data to third countries or international organisations;
(h)out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing.
(5)The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.
(6)Where an expert public body does so, the Commissioner must—
(a)provide the body with an opinion on whether the code correctly reflects the requirements of this Part,
(b)decide whether to approve the code, and
(c)if the code is approved, register and publish the code.
(7)Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.”
Commencement Information
I35S. 84 not in force at Royal Assent, see s. 142(1)
I36S. 84 in force at 20.8.2025 by S.I. 2025/904, reg. 2(d)
(1)Schedule 7 amends Chapter 5 of the UK GDPR (general processing and transfers of personal data to third countries and international organisations).
(2)Schedule 8 amends Chapter 5 of Part 3 of the 2018 Act (law enforcement processing and transfers of personal data to third countries and international organisations).
(3)In Schedule 9—
(a)Part 1 contains minor and consequential amendments, and
(b)Part 2 contains transitional provision.
Commencement Information
I37S. 85 not in force at Royal Assent, see s. 142(1)
I38S. 85 in force at 5.2.2026 by S.I. 2026/82, reg. 2(m)
(1)The UK GDPR is amended in accordance with subsections (2) to (4).
(2)After Chapter 8 insert—
1.This Chapter makes provision about the processing of personal data—
(a)for the purposes of scientific research or historical research,
(b)for the purposes of archiving in the public interest, or
(c)for statistical purposes.
2.Those purposes are referred to in this Chapter as “RAS purposes”.
1.Personal data may only be processed for RAS purposes if—
(a)the processing consists of the collection of the personal data (whether from the data subject or otherwise),
(b)the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a data subject, or
(c)without the processing, the RAS purposes cannot be fulfilled.
2.Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject.
1.This Article makes provision about when the requirement under Article 84B(2) for processing of personal data to be carried out subject to appropriate safeguards is satisfied.
2.The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates.
3.The requirement is not satisfied if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research.
4.The requirement is only satisfied if the safeguards include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see Article 5(1)(c)), such as, for example, pseudonymisation.
5.In this Article—
“approved medical research” means medical research carried out by a person who has approval to carry out that research from—
a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or
a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—
the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland department;
a relevant NHS body;
United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;
an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);
“relevant NHS body” means—
an NHS trust or NHS foundation trust in England,
an NHS trust or Local Health Board in Wales,
a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,
the Common Services Agency for the Scottish Health Service, or
any of the health and social care bodies in Northern Ireland falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).
1.The Secretary of State may by regulations make further provision about when the requirement for appropriate safeguards under Article 84B(2) is, or is not, satisfied.
2.Regulations under this Article may not amend or revoke Article 84C(2), (3) or (4) (but may change the meaning of “approved medical research” for the purposes of Article 84C).
3.Regulations under this Article are subject to the affirmative resolution procedure.”
(3)In the heading of Chapter 9, after “relating to” insert “other”.
(4)Omit Article 89 (safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).
(5)The 2018 Act is amended in accordance with subsections (6) and (7).
(6)Omit section 19 (processing for archiving, research and statistical purposes: safeguards) and the italic heading before it.
(7)In section 41(1) (safeguards: archiving), for “necessary” substitute “carried out”.
Commencement Information
I39S. 86 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I40S. 86 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(n)
(1)In the UK GDPR—
(a)in Article 5(1)(e) (storage limitation), for “Article 89(1)” to “data subject” substitute “Article 84B”,
(b)in Article 9(2)(j) (processing of special categories of personal data), for “in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act)” substitute “, is carried out in accordance with Article 84B and is”,
(c)in Article 17(3)(d) (right to erasure), for “Article 89(1)” substitute “Article 84B”, and
(d)in Article 21(6) (right to object), omit “pursuant to Article 89(1)”.
(2)In the 2018 Act—
(a)in section 24(4) (manual unstructured data held by FOI public authorities), after paragraph (b) insert—
“(ba)Chapter 8A (safeguards for processing for research, archiving or statistical purposes);”,
(b)in paragraph 4(b) of Schedule 1 (special categories of personal data and criminal convictions etc data: research etc), for “Article 89(1) of the UK GDPR (as supplemented by section 19)” substitute “Article 84B of the UK GDPR”, and
(c)in Schedule 2 (exemptions etc from the UK GDPR)—
(i)in paragraph 27(3)(a) (research and statistics), for “Article 89(1) of the UK GDPR (as supplemented by section 19)” substitute “Article 84B of the UK GDPR”, and
(ii)in paragraph 28(3) (archiving), for “Article 89(1) of the UK GDPR (as supplemented by section 19)” substitute “Article 84B of the UK GDPR”.
(3)In section 279(2) of the Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13) (information for research), for “Article 89(1) of the UK GDPR (archiving in the public interest, scientific or historical research and statistics)” substitute “Article 84A of the UK GDPR (research, archives and statistics)”.
Commencement Information
I41S. 87 not in force at Royal Assent, see s. 142(1)
I42S. 87 in force at 5.2.2026 by S.I. 2026/82, reg. 2(o)
(1)The 2018 Act is amended in accordance with subsections (2) to (10).
(2)In section 26(2)(f) (national security and defence exemption), before sub-paragraph (i) insert—
“(ai)Article 77 (right to lodge a complaint with the Commissioner);”.
(3)In section 44 (controller’s general duties to provide information to data subject)—
(a)in subsection (4), omit paragraph (d) (grounds for restricting information provided: national security),
(b)in subsection (5), after “restricted” insert “under subsection (4)”, and
(c)in subsection (7)(a), after “subsection (2)” insert “in reliance on subsection (4)”.
(4)In section 45 (right of access by the data subject)—
(a)in subsection (4), omit paragraph (d) (grounds for restricting information provided: national security),
(b)in subsection (5), after “restricted” insert “under subsection (4)”, and
(c)in subsection (7)(a), after “subsection (1)” insert “in reliance on subsection (4)”.
(5)In section 48 (requests by data subject for rectification or erasure of personal data)—
(a)in subsection (3), omit paragraph (d) (grounds for restricting information provided: national security),
(b)in subsection (4)—
(i)for “(1)” substitute “(1)(b)(i)”, and
(ii)after “restricted” insert “under subsection (3)”, and
(c)in subsection (6)(a), after “subsection (1)(b)(i)” insert “in reliance on subsection (3)”.
(6)In section 68(7) (communication of a personal data breach to the data subject: grounds for restricting information provided), omit paragraph (d) (national security).
(7)In Chapter 6 of Part 3 (law enforcement processing: supplementary), before section 79 insert—
(1)A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.
(2)The provisions are—
(a)Chapter 2 of this Part (principles), except for the provisions listed in subsection (3);
(b)Chapter 3 of this Part (rights of the data subject);
(c)in Chapter 4 of this Part—
(i)section 67 (notification of personal data breach to the Commissioner);
(ii)section 68 (communication of personal data breach to the data subject);
(d)Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4);
(e)in Part 5—
(i)section 119 (inspection in accordance with international obligations);
(ii)in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2;
(f)in Part 6—
(i)sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);
(ii)sections 170 to 173 (offences relating to personal data);
(g)in Part 7, section 187 (representation of data subjects).
(3)The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are—
(a)section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful;
(b)section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing);
(c)section 42 (safeguards: sensitive processing);
(d)Schedule 8 (conditions for sensitive processing).
(4)The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are—
(a)the following provisions of section 73—
(i)subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);
(ii)subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State);
(b)section 78 (subsequent transfers).”
(8)In section 79 (national security: certificate)—
(a)omit subsections (1) to (3),
(b)after subsection (3) insert—
“(3A)Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.”,
(c)in subsection (4), for “subsection (1)” substitute “subsection (3A)—
“(a)may identify the personal data to which it applies by means of a general description, and
(b)”,
(d)in subsection (5), for “subsection (1)” substitute “subsection (3A)”,
(e)in subsection (7)—
(i)for “a restriction falls within a general description in a certificate issued under subsection (1)” substitute “a certificate under subsection (3A) which identifies the personal data to which it applies by means of a general description applies to any personal data”, and
(ii)for “the restriction does not fall within that description” substitute “the certificate does not apply to the personal data in question”,
(f)in subsection (8)—
(i)for “the restriction” substitute “the certificate”, and
(ii)for “to fall within the general description” substitute “so to apply”,
(g)in subsection (10), for “subsection (1)” substitute “subsection (3A)”,
(h)in subsection (11), for “subsection (1)” substitute “subsection (3A)”,
(i)in subsection (12), for “subsection (1)” substitute “subsection (3A)”, and
(j)omit subsection (13).
(9)In section 110(2) (intelligence services processing: national security)—
(a)in paragraph (a), after “Chapter 2” insert “of this Part”,
(b)in paragraph (b), after “Chapter 3” insert “of this Part”, and
(c)in paragraph (c), after “Chapter 4” insert “of this Part”.
(10)In section 186(3) (data subject’s rights etc: exceptions), after paragraph (c) insert—
“(ca)in Part 3 of this Act, section 78A, and”.
(11)In the provisions listed in subsection (12), for “subsection (4) of that section” substitute “section 45(4) or 78A of that Act”.
(12)The provisions are—
(a)section 40(4A)(b) and (5B)(d) of the Freedom of Information Act 2000 (personal data which is exempt information);
(b)section 38(3A)(b) of the Freedom of Information (Scotland) Act 2002 (asp 13) (personal data which is exempt information);
(c)regulation 13(3A)(b) and (5B)(d) of the Environmental Information Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);
(d)regulation 11(4A)(b) of the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);
(e)regulation 45(1C)(b) of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);
(f)regulation 39(1C)(b) of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information).
Commencement Information
I43S. 88 not in force at Royal Assent, see s. 142(1)
I44S. 88 in force at 5.9.2025 by S.I. 2025/996, reg. 2(1)(b) (with reg. 4)
(1)Part 4 of the 2018 Act (intelligence services processing) is amended as follows.
(2)In section 82 (processing to which Part 4 applies)—
(a)before subsection (1) insert—
“(A1)This Part—
(a)applies to processing of personal data by an intelligence service, and
(b)applies to processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).”,
(b)in subsection (1)—
(i)after “applies” insert “only”,
(ii)in paragraph (a), for “the processing by an intelligence service” substitute “processing”, and
(iii)in paragraph (b), for “the processing by an intelligence service” substitute “processing”,
(c)after subsection (2) insert—
“(2A)In this Part—
“competent authority” has the same meaning as in Part 3;
“qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.”, and
(d)after subsection (3) insert—
“(4)Regulations under this section are subject to the affirmative resolution procedure.”
(3)After section 82 insert—
(1)For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where—
(a)an application for designation of the processing is made in accordance with this section, and
(b)the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security.
(2)The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service.
(3)The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to—
(a)a country or territory outside the United Kingdom, or
(b)an international organisation.
(4)A designation notice must—
(a)specify or describe the processing and qualifying competent authority that are designated, and
(b)be given to the applicants for the designation (and see also section 82D).
(5)An application for designation of processing of personal data by a qualifying competent authority must be made jointly by—
(a)the qualifying competent authority, and
(b)the intelligence service with which the processing is to be carried out.
(6)An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service.
(7)The application must—
(a)describe the processing, including the intended purposes and means of processing, and
(b)explain why the applicants consider that designation is required for the purposes of safeguarding national security.
(8)Before giving a designation notice, the Secretary of State must consult the Commissioner.
(9)In this section, “joint controller”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104.
(1)A designation notice must state when it comes into force.
(2)A designation notice ceases to be in force at the earliest of the following times—
(a)at the end of the period of 5 years beginning when the notice comes into force;
(b)(if relevant) at the end of a shorter period specified in the notice;
(c)when the notice is withdrawn under section 82C.
(3)The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice.
(1)Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force.
(2)A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security.
(3)A person who applied for the designation of the processing must, on a request from the Secretary of State, provide—
(a)a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and
(b)an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security.
(4)The Secretary of State must at least annually—
(a)review each designation notice that is for the time being in force, and
(b)consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security.
(5)The Secretary of State—
(a)may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and
(b)must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise).
(6)A withdrawal notice must—
(a)withdraw the designation notice completely, and
(b)state when it comes into force.
(7)In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider—
(a)the desirability of the processing ceasing to be designated as soon as possible, and
(b)where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data.
(1)Where the Secretary of State gives a designation notice—
(a)the Secretary of State must send a copy of the notice to the Commissioner, and
(b)the Commissioner must publish a record of the notice.
(2)The record must contain—
(a)the Secretary of State’s name,
(b)the date on which the notice was given,
(c)the date on which the notice ceases to have effect (if not previously withdrawn), and
(d)subject to subsection (3), the rest of the text of the notice.
(3)The Commissioner must not publish the text, or a part of the text, of the notice if—
(a)the Secretary of State has determined that publishing the text or that part of the text—
(i)would be against the interests of national security,
(ii)would be contrary to the public interest, or
(iii)might jeopardise the safety of any person, and
(b)the Secretary of State has notified the Commissioner of that determination.
(4)The Commissioner must keep the record of the notice available to the public while the notice is in force.
(5)Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner.
(1)A person directly affected by a designation notice may appeal to the Tribunal against the notice.
(2)If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may—
(a)allow the appeal, and
(b)quash the notice.”
Commencement Information
I45S. 89 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I46S. 89 in force at 17.11.2025 in so far as not already in force by S.I. 2025/996, reg. 2(2)(a)
(1)The 2018 Act is amended in accordance with subsections (2) to (9).
(2)In section 1(5) (overview: Part 4), at the end insert “(and certain processing carried out by competent authorities jointly with the intelligence services)”.
(3)In section 29 (processing to which Part 3 applies), after subsection (1) insert—
“(1A)This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).”
(4)In section 83 (meaning of “controller” and “processor” in Part 4)—
(a)before subsection (1) insert—
“(A1)For the purposes of this Part—
(a)an intelligence service is the “controller” in relation to the processing of personal data if it satisfies subsection (1) alone or jointly with others, and
(b)a qualifying competent authority is the “controller” in relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.”,
(b)in subsection (1), for the words before paragraph (a) substitute “This subsection is satisfied by a person who—”, and
(c)in subsection (2), for “intelligence service on which” substitute “person on whom”.
(5)In section 84 (other definitions)—
(a)after subsection (2) insert—
“(2A)“Designation notice” has the meaning given in section 82A.”, and
(b)before subsection (7) insert—
“(6B)“Withdrawal notice” has the meaning given in section 82C.”
(6)In section 104(1) (joint controllers), for “intelligence services” substitute “controllers”.
(7)In section 202(1)(a)(i) (proceedings in the First-tier Tribunal: contempt) after “79,” insert “82E,”.
(8)In section 203(1) (Tribunal Procedure Rules), after “79,” insert “82E,”.
(9)In section 206 (index of defined expressions), in the Table—
(a)in the entry for “competent authority”—
(i)for “Part 3” substitute “Parts 3 and 4”, and
(ii)for “section 30” substitute “sections 30 and 82”, and
(b)at the appropriate places insert—
| “designation notice (in Part 4) | section 84”; |
| “qualifying competent authority (in Part 4) | section 82”; |
| “withdrawal notice (in Part 4) | section 84”. |
(10)In section 199(2)(a) of the Investigatory Powers Act 2016 (bulk personal datasets: meaning of “personal data”), after “section 82(1) of that Act” insert “by an intelligence service”.
Commencement Information
I47S. 90 not in force at Royal Assent, see s. 142(1)
I48S. 90 in force at 17.11.2025 by S.I. 2025/996, reg. 2(2)(b)
(1)The 2018 Act is amended in accordance with subsections (2) to (4).
(2)Omit section 2(2) (duty of Commissioner when carrying out functions).
(3)After section 120 insert—
It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—
(a)to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and
(b)to promote public trust and confidence in the processing of personal data.
In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—
(a)the desirability of promoting innovation;
(b)the desirability of promoting competition;
(c)the importance of the prevention, investigation, detection and prosecution of criminal offences;
(d)the need to safeguard public security and national security;
(e)the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
(1)The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—
(a)sections 120A and 120B,
(b)section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and
(c)section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).
(2)The Commissioner must—
(a)review the strategy from time to time, and
(b)revise the strategy as appropriate.
(3)The Commissioner must publish the strategy and any revised strategy.
(1)The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.
(2)The persons are—
(a)such persons exercising regulatory functions as the Commissioner considers appropriate;
(b)such other persons as the Commissioner considers appropriate.
(3)In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.”
(4)In section 139 (reporting to Parliament), after subsection (1) insert—
“(1A)In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)—
(a)a review of what the Commissioner has done during the reporting period to comply with the duties under—
(i)sections 120A and 120B,
(ii)section 108 of the Deregulation Act 2015, and
(iii)section 21 of the Legislative and Regulatory Reform Act 2006,
including a review of the operation of the strategy prepared and published under section 120C;
(b)a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D.
(1B)In subsection (1A), “the reporting period” means the period to which the report relates.”
(5)The Information Commissioner must prepare and publish a strategy in accordance with section 120C of the 2018 Act before the end of the period of 18 months beginning with the day on which this section comes into force.
Commencement Information
I49S. 91 not in force at Royal Assent, see s. 142(1)
I50S. 91 in force at 20.8.2025 by S.I. 2025/904, reg. 2(e)
(1)The 2018 Act is amended in accordance with subsections (2) to (6).
(2)After section 124 insert—
(1)The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.
(2)Regulations under this section—
(a)must describe the personal data or processing to which the code of practice is to relate, and
(b)may describe the persons or classes of person to whom it is to relate.
(3)Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
(4)Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
(a)trade associations;
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(5)A code under this section may include transitional provision or savings.
(6)Regulations under this section are subject to the negative resolution procedure.
(7)In this section—
“good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
“trade association” includes a body representing controllers or processors.”
(3)In section 125 (approval of codes prepared under sections 121 to 124)—
(a)in the heading, for “124” substitute “124A”,
(b)in subsection (1), for “or 124” substitute “, 124 or 124A”,
(c)in subsection (3), for “or 124” substitute “, 124 or 124A”,
(d)for subsection (5) substitute—
“(5)If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.”, and
(e)in subsection (9), for “or 124” substitute “, 124 or 124A”.
(4)In section 126 (publication and review of codes issued under section 125(4)), in subsection (4), for “or 124(2)” substitute “, 124(2) or 124A(3)”.
(5)Omit section 128 (other codes of practice).
(6)In section 129 (consensual audits), in subsection (3), for “128” substitute “124A”.
(7)In section 19AC of the Registration Service Act 1953 (code of practice), in subsection (11), for “128” substitute “124A”.
(8)In the Statistics and Registration Service Act 2007—
(a)in section 45 (information held by HMRC), in subsection (4A), for “128” substitute “124A”,
(b)in section 45A (information held by other public authorities), in subsection (8), for “128” substitute “124A”,
(c)in section 45E (further provisions about powers in sections 45B, 45C and 45D), in subsection (16), for “128” substitute “124A”, and
(d)in section 53A (disclosure by the Board to devolved administrations), in subsection (9), for “128” substitute “124A”.
(9)In the Digital Economy Act 2017—
(a)in section 43 (code of practice), in subsection (13), for “128” substitute “124A”,
(b)in section 52 (code of practice), in subsection (13), for “128” substitute “124A”,
(c)in section 60 (code of practice), in subsection (13), for “128” substitute “124A”, and
(d)in section 70 (code of practice), in subsection (15), for “128” substitute “124A”.
Commencement Information
I51S. 92 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I52S. 92 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(f)
In the 2018 Act, after section 124A (inserted by section 92 of this Act) insert—
(1)This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11).
(2)The Commissioner must establish a panel of individuals to consider the code.
(3)The panel must consist of—
(a)individuals the Commissioner considers have expertise in the subject matter of the code, and
(b)individuals the Commissioner considers—
(i)are likely to be affected by the code, or
(ii)represent persons likely to be affected by the code.
(4)Before the panel begins to consider the code, the Commissioner must—
(a)publish the code in draft, and
(b)publish a statement that—
(i)states that a panel has been established to consider the code,
(ii)identifies the members of the panel,
(iii)explains the process by which they were selected, and
(iv)explains the reasons for their selection.
(5)Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.
(6)Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that—
(a)identifies the member of the panel,
(b)explains the process by which the member was selected, and
(c)explains the reasons for the member’s selection.
(7)The Commissioner must make arrangements—
(a)for the members of the panel to consider the code with one another (whether in person or otherwise), and
(b)for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner.
(8)If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—
(a)make any alterations to the code that the Commissioner considers appropriate in the light of the report, and
(b)publish—
(i)the code in draft,
(ii)the report or a summary of it, and
(iii)in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.
(9)The Commissioner may pay remuneration and expenses to the members of the panel.
(10)This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11).
(11)The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of—
(a)a code prepared under section 124A, or
(b)an amendment of such a code,
that is specified or described in the regulations.
(12)Regulations under this section are subject to the negative resolution procedure.
(1)Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of—
(a)who would be likely to be affected by the code, and
(b)the effect the code would be likely to have on them.
(2)This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.”
Commencement Information
I53S. 93 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I54S. 93 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(g)
(1)The 2018 Act is amended in accordance with subsections (2) and (3).
(2)In section 135 (manifestly unfounded or excessive requests made to the Commissioner)—
(a)before subsection (1) insert—
“(A1)This section makes provision about cases in which a request made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is manifestly unfounded or excessive.”,
(b)in subsection (1) omit the words from the beginning to “excessive,”,
(c)after subsection (1) insert—
“(1A)In subsection (1)—
(a)the reference in paragraph (a) to charging a reasonable fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and
(b)paragraph (b) is not to be read as implying anything about whether the Commissioner may refuse to act on requests that are neither manifestly unfounded nor excessive.”,
(d)in subsection (3), for “(1)” substitute “(A1)”,
(e)omit subsection (4), and
(f)after that subsection insert—
“(5)Article 57(3) of the UK GDPR (performance of Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.”
(3)In section 136(1) (guidance about fees), omit paragraph (b) and the “or” before it.
(4)In Article 57 of the UK GDPR (Commissioner’s tasks), omit paragraph 4.
Commencement Information
I55S. 94 not in force at Royal Assent, see s. 142(1)
I56S. 94 in force at 5.2.2026 by S.I. 2026/82, reg. 2(p)
In the 2018 Act, after section 139 insert—
(1)The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators.
(2)The analysis must be prepared and published at least annually.
(3)In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.
Commencement Information
I57S. 95 not in force at Royal Assent, see s. 142(1)
I58S. 95 in force at 20.8.2025 by S.I. 2025/904, reg. 2(h)
(1)The 2018 Act is amended in accordance with subsections (2) and (3).
(2)Omit section 141 (notices from the Commissioner).
(3)After that section insert—
(1)This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.
(2)The notice may be given to the person by—
(a)delivering it by hand to a relevant individual,
(b)leaving it at the person’s proper address,
(c)sending it by post to the person at that address, or
(d)sending it by email to the person’s email address.
(3)A “relevant individual” means—
(a)in the case of a notice to an individual, that individual;
(b)in the case of a notice to a body corporate (other than a partnership), an officer of that body;
(c)in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business;
(d)in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body.
(4)For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—
(a)in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;
(b)in any other case, the address determined in accordance with subsection (5).
(5)The address is—
(a)in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b)in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c)in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.
(6)A person’s email address is—
(a)an email address published for the time being by that person as an address for contacting that person, or
(b)if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.
(7)A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.
(8)In this section, “officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body.
(9)This section does not limit other lawful means of giving a notice.”
(4)In Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers), in paragraph 1(b), for “141” substitute “141A”.
Commencement Information
I59S. 96 in force at 19.8.2025, see s. 142(3)(c)
(1)The 2018 Act is amended as follows.
(2)In section 142 (information notices)—
(a)in subsection (1)—
(i)in paragraph (a), after “information” insert “or documents”, and
(ii)in paragraph (b), after “information” insert “or documents”,
(b)in subsection (2)(b), after “information” insert “or documents”,
(c)in subsection (3)—
(i)in paragraph (a), after “information”, in both places it occurs, insert “or documents”,
(ii)in paragraph (b), after “information” insert “or documents”,
(iii)in paragraph (c), after “information” insert “or documents”, and
(iv)in paragraph (d), after “information” insert “or documents”,
(d)in subsection (5), after “information”, in the second place it occurs, insert “or documents”,
(e)in subsection (6), after “information”, in the second place it occurs, insert “or documents”, and
(f)in subsection (7)—
(i)in paragraph (a), for “is” substitute “or documents are”, and
(ii)in the words after paragraph (b), after “information” insert “or documents”.
(3)In section 143 (information notices: restrictions)—
(a)in subsection (1)(b)(ii), for “is” substitute “or documents are”,
(b)in subsection (2), after “information”, in the second place it occurs, insert “or documents”,
(c)in subsection (3), for “in respect” substitute “or documents to the extent that requiring the person to do so would result in the disclosure”,
(d)in subsection (4), for “in respect” substitute “or documents to the extent that requiring the person to do so would result in the disclosure”, and
(e)in subsection (6), after “information”, in the second place it occurs, insert “or documents”.
(4)In section 145 (information orders)—
(a)in subsection (2)—
(i)in paragraph (a), after “information”, in the first place it occurs, insert “or documents”, and
(ii)in paragraph (b), after “information” insert “or documents”, and
(b)in subsection (3)—
(i)in paragraph (a), after “information” insert “or documents”,
(ii)in paragraph (b), after “information” insert “or documents”, and
(iii)in paragraph (c), after “information” insert “or documents”.
(5)In section 148(1) (destroying or falsifying information and documents etc), in paragraph (a), after “information”, in the second place it occurs, insert “or a document”.
(6)In section 160 (guidance about regulatory action), in subsection (3)(a), for “is” substitute “or documents are”.
(7)In Schedule 17 (review of processing of personal data for the purposes of journalism), in paragraph 2(2) (information notices)—
(a)in paragraph (a), for “is” substitute “or documents are”, and
(b)in the words after paragraph (b), after “information” insert “or documents”.
Commencement Information
I60S. 97 in force at 19.8.2025, see s. 142(3)(d)
(1)The 2018 Act is amended as follows.
(2)In section 146 (assessment notices)—
(a)in subsection (2), after paragraph (i), insert—
“(j)make arrangements for an approved person to prepare a report on a specified matter;
(k)provide to the Commissioner a report prepared in pursuance of such arrangements.”,
(b)after subsection (3) insert—
“(3A)An assessment notice that requires a controller or processor to make arrangements for an approved person to prepare a report may require the arrangements to include specified terms as to—
(a)the preparation of the report;
(b)the contents of the report;
(c)the form in which the report is to be provided;
(d)the date by which the report is to be completed.”,
(c)after subsection (11) insert—
“(11A)Where the Commissioner gives an assessment notice that requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.”, and
(d)in subsection (12), before the definition of “domestic premises” insert—
““approved person”, in relation to a report, means a person approved to prepare the report in accordance with section 146A;”.
(3)After section 146 insert—
(1)This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report.
(2)The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report.
(3)If the Commissioner is satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report.
(4)If the Commissioner is not satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor—
(a)inform the controller or processor that the Commissioner has decided not to approve the nominated person to prepare the report,
(b)inform the controller or processor of the reasons for that decision, and
(c)approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.
(5)If the controller or processor does not nominate a person within the period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.
(6)It is the duty of the controller or processor to give the person approved to prepare the report all such assistance as the person may reasonably require to prepare the report.”
(4)In section 155 (penalty notices), in subsection (1)—
(a)omit the “or” at the end of paragraph (a), and
(b)at the end of paragraph (b) insert “, or
(c)has failed to comply with a duty imposed on the person by section 146A(6).”
(5)In section 160 (guidance about regulatory action), in subsection (4), after paragraph (a) insert—
“(aa)provision specifying factors to be considered in determining whether to give an assessment notice to a person that imposes a requirement of a sort mentioned in section 146(2)(j);
(ab)provision about the factors the Commissioner may take into account when determining the suitability of a person to prepare a report of a sort mentioned in section 146(2)(j);”.
Commencement Information
I61S. 98 not in force at Royal Assent, see s. 142(1)
I62S. 98 in force at 5.2.2026 by S.I. 2026/82, reg. 2(q)
In section 147 of the 2018 Act (assessment notices: restrictions), in subsection (6), omit paragraph (b) and the “or” before it.
Commencement Information
I63S. 99 not in force at Royal Assent, see s. 142(1)
I64S. 99 in force at 5.2.2026 by S.I. 2026/82, reg. 2(r)
(1)The 2018 Act is amended as follows.
(2)After section 148 insert—
(1)This section applies where the Commissioner suspects that a controller or processor—
(a)has failed or is failing as described in section 149(2), or
(b)has committed or is committing an offence under this Act.
(2)For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to—
(a)attend at a place specified in the notice, and
(b)answer questions with respect to any matter relevant to the investigation.
(3)An individual is within this subsection if the individual—
(a)is the controller or processor,
(b)is or was at any time employed by, or otherwise working for, the controller or processor, or
(c)is or was at any time concerned in the management or control of the controller or processor.
(4)An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)).
(5)An interview notice must—
(a)indicate the nature of the suspected failure or offence that is the subject of the investigation,
(b)provide information about the consequences of failure to comply with the notice, and
(c)provide information about the rights under sections 162 and 164 (appeals etc).
(6)An interview notice may not require an individual to attend at the specified place and answer questions before the end of the period within which an appeal can be brought against the notice.
(7)If an appeal is brought against an interview notice, the individual to whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal.
(8)If an interview notice—
(a)states that, in the Commissioner’s opinion, it is necessary for the individual to attend at the specified place and answer questions urgently, and
(b)gives the Commissioner’s reasons for reaching that opinion,
subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given.
(9)The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given.
(1)An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.
(2)An interview notice does not require an individual to answer questions in respect of a communication which is made—
(a)between a professional legal adviser and the adviser’s client, and
(b)in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
(3)An interview notice does not require an individual to answer questions in respect of a communication which is made—
(a)between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
(b)in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
(c)for the purposes of such proceedings.
(4)In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client.
(5)An interview notice does not require an individual to answer questions if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence.
(6)The reference to an offence in subsection (5) does not include an offence under—
(a)this Act;
(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);
(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);
(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
(7)A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings—
(a)in giving evidence the individual provides information inconsistent with the statement, and
(b)evidence relating to the statement is adduced, or a question relating to it is asked, by that individual or on that individual’s behalf.
(8)The Commissioner may not give an interview notice with respect to the processing of personal data for the special purposes.
(9)The Commissioner may not give an interview notice to an individual for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters).
It is an offence for an individual, in response to an interview notice—
(a)to make a statement which the individual knows to be false in a material respect, or
(b)recklessly to make a statement which is false in a material respect.”
(3)In section 149 (enforcement notices), in subsection (9)(b)—
(a)after “an assessment notice” insert “, an interview notice”, and
(b)after “147” insert “, 148A, 148B”.
(4)In section 155 (penalty notices), in subsection (1)(b), after “assessment notice” insert “, an interview notice”.
(5)In section 157 (maximum amount of penalty), in subsection (4), after “assessment notice” insert “, an interview notice”.
(6)In section 160 (guidance about regulatory action)—
(a)in subsection (1), after paragraph (b) insert—
“(ba)interview notices,”, and
(b)after subsection (5) insert—
“(5A)In relation to interview notices, the guidance must include—
(a)provision specifying factors to be considered in determining whether to give an interview notice to an individual;
(b)provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases);
(c)provision about the circumstances in which the Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given;
(d)provision about the nature of interviews carried out in accordance with an interview notice;
(e)provision about how the Commissioner will determine how to proceed if an individual does not comply with an interview notice.”
(7)In section 162 (rights of appeal), in subsection (1), after paragraph (b) insert—
“(ba)an interview notice;”.
(8)In section 164 (applications in respect of urgent notices)—
(a)in subsection (1), after “assessment notice” insert “, an interview notice”, and
(b)in subsection (5), after paragraph (b) (but before the “and” at the end of that paragraph) insert—
“(ba)in relation to an interview notice, a statement under section 148A(8)(a),”.
(9)In section 181 (interpretation of Part 6), at the appropriate place, insert—
““interview notice” has the meaning given in section 148A;”.
(10)In section 196 (penalties for offences), in subsection (2), after “148,” insert “148C,”.
(11)In section 206 (index of defined expressions), at the appropriate place, insert—
| “interview notice (in Part 6) | section 181”. |
(12)In Schedule 17 (review of processing of personal data for the purposes of journalism)—
(a)after paragraph 3 insert—
3A(1)Sub-paragraph (2) applies where the Commissioner gives an interview notice to an individual during a relevant period.
(2)If the interview notice—
(a)states that, in the Commissioner’s opinion, it is necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and
(b)gives the Commissioner’s reasons for reaching that opinion,
subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given.
(3)During a relevant period, section 148B has effect as if for subsection (8) there were substituted—
“(8)The Commissioner may not give an individual an interview notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.””, and
(b)in paragraph 4 (applications in respect of urgent notices)—
(i)for “or assessment notice” substitute “, assessment notice or interview notice”,
(ii)for “or 3(2)(a)” substitute “, 3(2)(a) or 3A(2)(a)”, and
(iii)for “or 146(8)(a)” substitute “, 146(8)(a) or 148A(8)(a)”.
Commencement Information
I65S. 100 not in force at Royal Assent, see s. 142(1)
I66S. 100 in force at 5.2.2026 by S.I. 2026/82, reg. 2(s)
(1)The 2018 Act is amended as follows.
(2)In paragraph 2 of Schedule 16 (notice of intent to impose penalty), omit sub-paragraphs (2) and (3).
(3)In paragraph 4 of that Schedule (giving a penalty notice)—
(a)before sub-paragraph (1) insert—
“(A1)This paragraph applies where the Commissioner gives a notice of intent to a person.
(A2)Within the period of 6 months beginning when the notice is given, or as soon as reasonably practicable thereafter, the Commission must give to the person—
(a)a penalty notice, or
(b)written notice that the Commissioner has decided not to give a penalty notice to the person.”,
(b)in sub-paragraph (1)—
(i)at the beginning, insert “But”, and
(ii)after “penalty notice” insert “to the person”, and
(c)in sub-paragraph (2), for “a person” substitute “the person”.
(4)In section 160 (guidance about regulatory action), in subsection (7), after paragraph (d) insert—
“(e)provision about the circumstances in which the Commissioner would consider it necessary to comply with the duty in paragraph 4(A2) of Schedule 16 after the period of 6 months mentioned in that paragraph.”
Commencement Information
I67S. 101 not in force at Royal Assent, see s. 142(1)
I68S. 101 in force at 5.2.2026 by S.I. 2026/82, reg. 2(t) (with reg. 6)
(1)The 2018 Act is amended as follows.
(2)In section 139 (reporting to Parliament), before subsection (3) insert—
“(2A)The report under this section may include the annual report under section 161A.”
(3)In the italic heading before section 160, at the end insert “and report”.
(4)After section 161 insert—
(1)The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).
(2)The report must include the following information about UK GDPR investigations—
(a)the number of investigations begun, continued or completed by the Commissioner during the reporting period,
(b)the different types of act and omission that were the subject matter of the investigations,
(c)the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations,
(d)the duration of investigations that ended in the reporting period, and
(e)the different types of outcome in investigations that ended in that period.
(3)The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with—
(a)processing of personal data by a competent authority for any of the law enforcement purposes, and
(b)processing of personal data to which Part 4 applies.
(4)The information included in the report in accordance with subsections (2) and (3) must include information about—
(a)the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and
(b)the reasons why that happened.
(5)The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).
(6)In this section—
“enforcement powers” means the powers under—
Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,
sections 142 to 159 of this Act,
paragraph 2(a), (b) and (c) of Schedule 13 to this Act, and
Schedules 15 and 16 to this Act;
“the law enforcement purposes” has the meaning given in section 31 of this Act;
“the reporting period” means the period to which the report relates;
“UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).”
Commencement Information
I69S. 102 not in force at Royal Assent, see s. 142(1)
I70S. 102 in force at 20.8.2025 by S.I. 2025/904, reg. 2(i)
(1)The 2018 Act is amended in accordance with subsections (2) and (3).
(2)Before section 165 (but after the italic heading before it) insert—
(1)A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.
(2)A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means.
(3)If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.
(4)If a controller receives a complaint under this section, the controller must without undue delay—
(a)take appropriate steps to respond to the complaint, and
(b)inform the complainant of the outcome of the complaint.
(5)The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes—
(a)making enquiries into the subject matter of the complaint, to the extent appropriate, and
(b)informing the complainant about progress on the complaint.
(1)The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations.
(2)Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.
(3)Regulations under this section may include—
(a)provision about a matter listed in subsection (4), or
(b)provision conferring power on the Commissioner to determine those matters.
(4)The matters are—
(a)the form and manner in which a notification must be made,
(b)the time at which, or period within which, a notification must be made, and
(c)how the number of complaints made to a controller during a period is to be calculated.
(5)Regulations under this section are subject to the negative resolution procedure.”
(3)In section 165 (complaints by data subjects to the Commissioner)—
(a)omit subsection (1), and
(b)in subsection (2), after “infringement of” insert “the UK GDPR or”.
(4)The UK GDPR is amended in accordance with subsections (5) and (6).
(5)In Article 57 (Commissioner’s tasks)—
(a)in paragraph 1, omit point (f), and
(b)omit paragraph 2.
(6)Omit Article 77 (right to lodge a complaint with the Commissioner).
(7)Schedule 10 to this Act contains minor and consequential amendments.
Commencement Information
I71S. 103 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
(1)The 2018 Act is amended as follows.
(2)For the italic heading before section 180 substitute—
(3)After section 180 insert—
(1)This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—
(a)Article 15 of the UK GDPR (right of access by the data subject);
(b)Article 20 of the UK GDPR (right to data portability);
(c)section 45 of this Act (law enforcement processing: right of access by the data subject);
(d)section 94 of this Act (intelligence services processing: right of access by the data subject).
(2)The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.
(3)But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.
(4)Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.”
Commencement Information
I72S. 104 not in force at Royal Assent, see s. 142(1)
I73S. 104 in force at 20.8.2025 by S.I. 2025/904, reg. 2(j)
(1)Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers) is amended as follows.
(2)In paragraph 1 (provisions of the 2018 Act applied for enforcement purposes)—
(a)after paragraph (g) insert—
“(ga)section 146A (assessment notices: approval of person to prepare report etc);”, and
(b)after paragraph (i) insert—
“(ia)section 148A (interview notices);
(ib)section 148B (interview notices: restrictions);
(ic)section 148C (false statements made in response to interview notices);”.
(3)In paragraph 4(2) (modification of section 143 (information notices: restrictions))—
(a)in paragraph (b), for “or 148” substitute “, 148 or 148C”, and
(b)in paragraph (c), after “148” insert “or 148C”.
(4)In paragraph 6 (modification of section 146 (assessment notices)), in sub-paragraph (2)—
(a)for paragraph (b) substitute—
“(b)subsection (2) has effect as if—
(i)for “controller or processor” there were substituted “trust service provider”;
(ii)paragraphs (h) and (i) were omitted;”,
(b)in paragraph (c), for “subsections (7), (8), (9) and (10)” substitute “subsections (3A), (7), (8), (9), (10) and (11A)”, and
(c)in paragraph (d), for “or 148” substitute “, 148 or 148C”.
(5)After paragraph 6 insert—
6ASection 146A has effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.”
(6)After paragraph 7 insert—
7ASection 148A has effect as if—
(a)in subsection (1)—
(i)for “controller or processor” there were substituted “trust service provider”;
(ii)in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”;
(iii)in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;
(b)in subsection (3), for “controller or processor” (in each place) there were substituted “trust service provider”.
7B(1)Section 148B has effect as if subsections (8) and (9) were omitted.
(2)In that section—
(a)subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;
(b)subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;
(c)subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.”
(7)In paragraph 12 (modification of Schedule 15 (powers of entry and inspection)), in sub-paragraph (2), in the substituted paragraph (a), for “or 148” substitute “, 148 or 148C”.
(8)In paragraph 13 (modification of section 155 (penalty notices)), in sub-paragraph (3)(c), for “for “data subjects”” there were substituted “for the words from “data subjects” to the end”.
(9)Omit paragraph 21 (modification of section 182 (regulations and consultation)) and the heading before it.
(10)In paragraph 22 (modification of section 196 (penalties for offences)), in sub-paragraph (2)(b)—
(a)after “148”, in the first place it occurs, insert “, 148C”, and
(b)for “or 148” substitute “, 148 or 148C”.
Commencement Information
I74S. 105 not in force at Royal Assent, see s. 142(1)
I75S. 105 in force at 5.2.2026 by S.I. 2026/82, reg. 2(u)
(1)The 2018 Act is amended in accordance with subsections (2) to (5).
(2)After section 183 insert—
(1)A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data.
(2)Subsection (1) does not apply—
(a)to a relevant enactment forming part of the main data protection legislation, or
(b)to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation).
(3)Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power.
(4)In this section—
“the main data protection legislation” means the data protection legislation other than provision of or made under—
Chapter 6 or 8 of the UK GDPR, or
Parts 5 to 7 of this Act;
“relevant enactment” means an enactment so far as passed or made on or after the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force;
“requirement” includes a prohibition or restriction.
(5)The reference in subsection (1) to an enactment or rule of law which imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)—
(a)by authorising one person to require another person to process personal data, or
(b)by removing restrictions on processing personal data,
and the references in subsection (3) to a duty or power are to be read accordingly.”
(3)Before section 184 (and the italic heading before it) insert—
(1)This section is about the relationship between—
(a)a pre-commencement enactment which imposes a duty, or confers a power, to process personal data, and
(b)a provision of the main data protection legislation containing a requirement relating to the processing of personal data.
(2)The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).
(3)Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship.
(4)Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another.
(5)In this section—
(a)“the main data protection legislation” and “requirement” have the same meaning as in section 183A, and
(b)“pre-commencement enactment” means an enactment so far as passed or made before the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force.
(6)Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).”
(4)In section 186 (data subject’s rights and other prohibitions and restrictions)—
(a)for the heading substitute “Protection of data subject’s rights”,
(b)in subsection (1) omit “, except as provided by or under the provisions listed in subsection (3)”,
(c)after subsection (2) insert—
“(2A)Subsection (1) does not apply—
(a)to an enactment contained in, or made under, a provision listed in subsection (2),
(b)to an enactment contained in, or made under, a provision listed in subsection (3),
(c)to the extent that an enactment makes express provision to the contrary referring to this section or to a provision listed in subsection (2), or
(d)to the extent that subsection (1) is disapplied by section 186A(3).”, and
(d)in subsection (3)—
(i)for “provisions providing exceptions” substitute “provisions referred to in subsection (2A)(b)”, and
(ii)omit paragraph (c) (and the “and” after it).
(5)After section 186 insert—
(1)This section is about the relationship between—
(a)a pre-commencement enactment which prohibits or restricts the disclosure of information or authorises the withholding of information, and
(b)a provision of the UK GDPR or this Act listed in section 186(2).
(2)The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).
(3)Subsection (1) of section 186 does not apply to the relationship so far as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section).
(4)Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another.
(5)In this section, “pre-commencement enactment” means an enactment so far as passed or made before the day on which section 106(4) of the Data (Use and Access) Act 2025 comes into force, other than an enactment contained in, or made under, a provision listed in section 186(2) or (3).”
(6)In section 5 of the European Union (Withdrawal) Act 2018 (exceptions to savings and incorporation), in subsection (A3)(a)—
(a)for “section” substitute “sections 183A and”,
(b)for “(data subject’s rights and other prohibitions and restrictions)” substitute “(protection of prohibitions, restrictions and data subject’s rights)”, and
(c)at the end insert “(and see also section 183B(3) of that Act)”.
(7)Subsections (3), (5) and (6)(c) are to be treated as having come into force on 1 January 2024.
Commencement Information
I76S. 106 not in force at Royal Assent, see s. 142(1)
I77S. 106 in force at 20.8.2025 by S.I. 2025/904, reg. 2(k)
(1)In the UK GDPR, after Chapter 9 insert—
1.This Article makes provision about regulations made by the Secretary of State under this Regulation (“UK GDPR regulations”).
2.Before making UK GDPR regulations, the Secretary of State must consult—
(a)the Commissioner, and
(b)such other persons as the Secretary of State considers appropriate.
3.Paragraph 2 does not apply to regulations made under Article 49 or 49A where the Secretary of State has made an urgency statement in respect of them.
4.UK GDPR regulations may—
(a)make different provision for different purposes;
(b)include consequential, supplementary, incidental, transitional, transitory or saving provision.
5.UK GDPR regulations are to be made by statutory instrument.
6.For the purposes of this Regulation, where regulations are subject to “the negative resolution procedure”, the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.
7.For the purposes of this Regulation, where regulations are subject to “the affirmative resolution procedure”, the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament.
8.For the purposes of this Regulation, where regulations are subject to “the made affirmative resolution procedure”—
(a)the statutory instrument containing the regulations must be laid before Parliament after being made, together with the urgency statement in respect of them, and
(b)the regulations cease to have effect at the end of the period of 120 days beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament.
9.In calculating the period of 120 days, no account is to be taken of any whole days that fall within a period during which—
(a)Parliament is dissolved or prorogued, or
(b)both Houses of Parliament are adjourned for more than 4 days.
10.Where regulations cease to have effect as a result of paragraph 8, that does not—
(a)affect anything previously done under the regulations, or
(b)prevent the making of new regulations.
11.Any provision that may be included in UK GDPR regulations subject to the negative resolution procedure may be made by regulations made under this Regulation or another enactment that are subject to the affirmative resolution procedure or the made affirmative resolution procedure.
12.A requirement under this Article to consult may be satisfied by consultation before, as well as by consultation after, the provision conferring the power to make regulations comes into force.
13.In this Article, “urgency statement”, in relation to regulations, means a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”
(2)In section 3(9) of the 2018 Act (definition of “data protection legislation”), in paragraph (d), after “Act” insert “or the UK GDPR”.
Commencement Information
I78S. 107 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I79S. 107 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(l)
Schedule 11 contains further minor provision about data protection.
Commencement Information
I80S. 108 not in force at Royal Assent, see s. 142(1)
I81S. 108 in force at 20.8.2025 by S.I. 2025/904, reg. 2(m)
In this Chapter, “the PEC Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).
Commencement Information
I82S. 109 not in force at Royal Assent, see s. 142(1)
I83S. 109 in force at 20.8.2025 by S.I. 2025/904, reg. 2(n)
(1)Regulation 2 of the PEC Regulations (interpretation) is amended as follows.
(2)In paragraph (1)—
(a)in the definition of “call”, at the end insert “, and a reference to making a call includes a reference to attempting to establish such a connection”,
(b)in the definition of “communication”—
(i)for “exchanged or conveyed between” substitute “transmitted to”, and
(ii)for “conveyed”, in the second place it occurs, substitute “transmitted”, and
(c)at the appropriate place insert—
““direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;”.
(3)After paragraph (1) insert—
“(1A)In the application of these Regulations in relation to—
(a)information that is sent but not received,
(b)a communication that is transmitted but not received,
(c)an electronic mail that is sent but not received, or
(d)an unsuccessful attempt to make a call,
a reference to the recipient of the information, communication, electronic mail or call is to be read as a reference to the intended recipient.”
(4)In paragraph (4) omit “, without prejudice to paragraph (3),”.
(5)After that paragraph insert—
“(5)References in these Regulations to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except that Article 3(4) of that Regulation does not apply to the interpretation of a reference to a period in regulation 16A.
(6)In paragraph (5), “the Periods of Time Regulation” means Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”
Commencement Information
I84S. 110 not in force at Royal Assent, see s. 142(1)
I86S. 110(2)(a)(b)(3) in force at 5.2.2026 by S.I. 2026/82, reg. 2(v)
(1)In regulation 5A of the PEC Regulations (personal data breach)—
(a)in paragraph (2), after “delay” insert “and, where feasible, not later than 72 hours after having become aware of it”, and
(b)after paragraph (3) insert—
“(3A)Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.”
(2)In regulation 5C of the PEC Regulations (personal data breach: fixed monetary penalty)—
(a)in paragraph (4)(f), for “from the service of the notice of intent” substitute “beginning when the notice of intent is served”, and
(b)in paragraph (5), for “21 days of receipt of the notice of intent” substitute “the period of 21 days beginning when the notice of intent is received”.
(3)In Article 2 of Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (notification to the Commissioner)—
(a)in paragraph 2—
(i)in the first subparagraph, for the words from “no” to “feasible” substitute “without undue delay and, where feasible, not later than 72 hours after having become aware of it”,
(ii)in the second subparagraph, after “shall” insert “, subject to paragraph 3,”, and
(iii)after the third subparagraph insert—
“This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”, and
(b)for paragraph 3 substitute—
“3.To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.”
Commencement Information
I87S. 111 not in force at Royal Assent, see s. 142(1)
I88S. 111 in force at 20.8.2025 by S.I. 2025/904, reg. 2(p)
(1)The PEC Regulations are amended in accordance with subsections (2) and (3).
(2)For regulation 6 (storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user) substitute—
(1)Subject to Schedule A1, a person must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user.
(2)In paragraph (1) and Schedule A1—
(a)a reference (however expressed) to storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user includes a reference to instigating the storage or access, and
(b)except as otherwise provided, a reference (however expressed) to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment.”
(3)After regulation 6 insert—
(1)The Secretary of State may by regulations made by statutory instrument—
(a)amend these Regulations—
(i)by adding an exception to the prohibition in regulation 6(1), or
(ii)by omitting or varying an exception to that prohibition, and
(b)make consequential, supplementary, incidental, transitional, transitory or saving provision, including provision amending these Regulations.
(2)Regulations under paragraph (1) may make different provision for different purposes.
(3)Before making regulations under paragraph (1), the Secretary of State must consult—
(a)the Information Commissioner, and
(b)such other persons as the Secretary of State considers appropriate.
(4)A statutory instrument containing regulations under paragraph (1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
(4)Schedule 12 to this Act inserts Schedule A1 to the PEC Regulations.
(5)A requirement to consult under regulation 6A of the PEC Regulations (inserted by subsection (3) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.
Commencement Information
I89S. 112 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I90S. 112 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(w)
In regulation 16A of the PEC Regulations (emergency alerts), in paragraph (6), for the words from “7 days” to “paragraph (3)(b)” substitute “the period of 7 days beginning with the day on which the time period specified by the relevant public authority pursuant to paragraph (3)(b) expires”.
Commencement Information
I91S. 113 not in force at Royal Assent, see s. 142(1)
I92S. 113 in force at 20.8.2025 by S.I. 2025/904, reg. 2(q)
(1)Regulation 22 of the PEC Regulations (use of electronic mail for direct marketing purposes) is amended as follows.
(2)In paragraph (2), after “paragraph (3)” insert “or (3A)”.
(3)After paragraph (3) insert—
“(3A)A charity may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a)the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes;
(b)the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient—
(i)expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or
(ii)offering or providing support to further one or more of those purposes; and
(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.”
(4)After paragraph (4) insert—
“(5)In this regulation, “charity” means—
(a)a charity as defined in section 1(1) of the Charities Act 2011,
(b)a charity as defined in section 1(1) of the Charities Act (Northern Ireland) 2008 (c. 12 (N.I.)), including an institution treated as such a charity for the purposes of that Act by virtue of the Charities Act 2008 (Transitional Provision) Order (Northern Ireland) 2013 (S.R. (N.I.) 2013 No. 211), and
(c)a body entered in the Scottish Charity Register, other than a body which no longer meets the charity test in section 7 of the Charities and Trustee Investment (Scotland) Act 2005 (asp 10),
and, in relation to such a charity, institution or body, “charitable purpose” has the meaning given in the relevant Act.”
Commencement Information
I93S. 114 not in force at Royal Assent, see s. 142(1)
I94S. 114 in force at 5.2.2026 by S.I. 2026/82, reg. 2(x)
(1)The PEC Regulations are amended in accordance with subsections (2) to (8).
(2)In regulation 5 (security of public electronic communications services), omit paragraph (6).
(3)Omit regulation 5B (personal data breach: audit).
(4)In regulation 5C (personal data breach: fixed monetary penalty)—
(a)in paragraph (10)—
(i)omit “and Northern Ireland”, and
(ii)in paragraph (a), for “a county court” substitute “the county court”, and
(b)after paragraph (11) insert—
“(12)In Northern Ireland, the penalty is recoverable—
(a)if a county court so orders, as if it were payable under an order of that court;
(b)if the High Court so orders, as if it were payable under an order of that court.
(13)The Secretary of State may by regulations made by statutory instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5).
(14)Regulations under paragraph (13) may make transitional provision.
(15)Before making regulations under paragraph (13), the Secretary of State must consult—
(a)the Information Commissioner, and
(b)such other persons as the Secretary of State considers appropriate.
(16)A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
(5)For regulation 31 substitute—
(1)Schedule 1 provides for certain provisions of Parts 5 to 7 of the Data Protection Act 2018 to apply with modifications for the purposes of enforcing these Regulations.
(2)In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under those provisions, as applied by that Schedule.”
(6)Omit regulation 31A (third party information notices).
(7)Omit regulation 31B (appeals against third party information notices).
(8)For Schedule 1 substitute the Schedule set out in Schedule 13 to this Act.
(9)In paragraph 58(1) of Schedule 20 to the Data Protection Act 2018 (transitional provision relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 1 to,” substitute “regulation 2 of”.
(10)A requirement to consult under regulation 5C(15) of the PEC Regulations (inserted by subsection (4)(b) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.
Commencement Information
I95S. 115 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)
I96S. 115 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(y) (with regs. 8-11)
(1)The PEC Regulations are amended as follows.
(2)After regulation 32 insert—
(1)The Commissioner must encourage representative bodies to produce codes of conduct intended to contribute to compliance with these Regulations.
(2)Under paragraph (1), the Commissioner must encourage representative bodies to produce codes which take account of, among other things, the specific features of different sectors.
(3)A code of conduct described in paragraph (1) may, for example, make provision with regard to—
(a)rights and obligations under these Regulations;
(b)out-of-court proceedings and other dispute resolution procedures for resolving disputes arising in connection with these Regulations.
(4)The Commissioner must encourage representative bodies to submit codes of conduct described in paragraph (1) to the Commissioner in draft.
(5)Where a representative body does so, the Commissioner must—
(a)provide the representative body with an opinion on whether the code correctly reflects the requirements of these Regulations,
(b)decide whether to approve the code, and
(c)if the code is approved, register and publish the code.
(6)The Commissioner may only approve a code if, among other things—
(a)the code contains a mechanism for monitoring whether persons who undertake to apply the code comply with its provisions, and
(b)in relation to persons other than public bodies, the mechanism involves monitoring by a body which is accredited for that purpose by the Commissioner under regulation 32B.
(7)In relation to amendments of a code of conduct that is for the time being approved under this regulation—
(a)paragraphs (4) and (5) apply as they apply in relation to a code, and
(b)the requirements in paragraph (6) must be satisfied by the code as amended.
(8)A code of conduct described in paragraph (1) may be contained in the same document as a code of conduct described in Article 40 of the UK GDPR (and a provision contained in such a document may be a provision of both codes).
(9)In this regulation—
“public body” has the meaning given in section 7 of the Data Protection Act 2018 (for the purposes of the UK GDPR);
“representative body” means an association or other body representing categories of—
communications providers, or
other persons engaged in activities regulated by these Regulations;
“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.
(1)The Commissioner may, in accordance with this regulation, accredit a body for the purpose of monitoring whether persons other than public bodies comply with a code of conduct described in regulation 32A(1).
(2)The Commissioner may accredit a body only where the Commissioner is satisfied that the body has—
(a)demonstrated its independence,
(b)demonstrated that it has an appropriate level of expertise in relation to the subject matter of the code,
(c)established procedures which allow it—
(i)to assess a person’s eligibility to apply the code,
(ii)to monitor compliance with the code, and
(iii)to review the operation of the code periodically,
(d)established procedures and structures to handle complaints about infringements of the code or about the manner in which the code has been, or is being, implemented by a person,
(e)made arrangements to publish information about the procedures and structures described in sub-paragraph (d), and
(f)demonstrated that it does not have a conflict of interest.
(3)The Commissioner must prepare and publish guidance about how the Commissioner proposes to take decisions about accreditation under this regulation.
(4)A body accredited under this regulation in relation to a code must take appropriate action where a person infringes the code.
(5)If the action taken by a body under paragraph (4) consists of suspending or excluding a person from the code, the body must inform the Commissioner, giving reasons for taking that action.
(6)The Commissioner must revoke the accreditation of a body under this regulation if the Commissioner considers that the body—
(a)no longer meets the requirements for accreditation, or
(b)has failed, or is failing, to comply with paragraph (4) or (5).
(7)In this regulation, “public body” has the same meaning as in regulation 32A.
Adherence to a code of conduct approved under regulation 32A may be used by a person as a means of demonstrating compliance with these Regulations.”
(3)In regulation 33 (technical advice to the Commissioner)—
(a)omit “, in connection with his enforcement functions,” and
(b)at the end insert “where the request is made in connection with—
(a)the Commissioner’s enforcement functions, or
(b)the Commissioner’s functions under regulation 32A or 32B (codes of conduct).”
(4)In Schedule 1 (Commissioner’s enforcement powers) (inserted by Schedule 13 to this Act), in paragraph 18(b)(ii) (maximum amount of penalty), for “or 24” substitute “, 24 or 32B(4) or (5)”.
Commencement Information
I97S. 116 not in force at Royal Assent, see s. 142(1)
I98S. 116 in force at 5.2.2026 by S.I. 2026/82, reg. 2(z)