http://www.legislation.gov.uk/id/ukpga/2025/18

Part 5Data protection and privacy

Chapter 1Data protection

Enforcement

102Annual report on regulatory action

(1)

The 2018 Act is amended as follows.

(2)

In section 139 (reporting to Parliament), before subsection (3) insert—

“(2A)
The report under this section may include the annual report under section 161A.”

(3)

In the italic heading before section 160, at the end insert “and report”.

(4)

After section 161 insert—

“161AAnnual report on regulatory action
(1)
The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).
(2)
The report must include the following information about UK GDPR investigations—
(a)
the number of investigations begun, continued or completed by the Commissioner during the reporting period,
(b)
the different types of act and omission that were the subject matter of the investigations,
(c)
the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations,
(d)
the duration of investigations that ended in the reporting period, and
(e)
the different types of outcome in investigations that ended in that period.
(3)
The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with—
(a)
processing of personal data by a competent authority for any of the law enforcement purposes, and
(b)
processing of personal data to which Part 4 applies.
(4)
The information included in the report in accordance with subsections (2) and (3) must include information about—
(a)
the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and
(b)
the reasons why that happened.
(5)
The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).
(6)
In this section—
“enforcement powers” means the powers under—
(a)
Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,
(b)
sections 142 to 159 of this Act,
(c)
paragraph 2(a), (b) and (c) of Schedule 13 to this Act, and
(d)
Schedules 15 and 16 to this Act;
“the law enforcement purposes” has the meaning given in section 31 of this Act;
“the reporting period” means the period to which the report relates;
“UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).”