Part 5 Data protection and privacy
Chapter 1 Data protection
Data protection principles
70 Lawfulness of processing
(1)
(2) In Article 6(1) (lawful processing)—
  (a) in point (e)—
    (i) after “task” insert “of the controller”, and
    (ii) after “or” insert “a task carried out”,
  (b)
  “(ea) processing is necessary for the purposes of a recognised legitimate interest;”, and
  (c) in the words after point (f), for “Point (f)” substitute “Points (ea) and (f)”.
(3) In Article 6(3) (basis for processing etc), in the last subparagraph, in the first sentence—
  (a) after “task” insert “of the controller”, and
  (b) after “interest or” insert “a task carried out”.
(4)
“5. For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.
6. The Secretary of State may by regulations amend Annex 1 by—
  (a) adding or varying provisions, or
  (b) omitting provisions added by regulations made under this paragraph.
7. The Secretary of State may only make regulations under paragraph 6 where—
  (a) the requirement in paragraph 8 is satisfied, and
  (b) if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied.
8. The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things—
  (a) the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and
  (b) where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
9. The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
10. Regulations under paragraph 6 are subject to the affirmative resolution procedure.
11. For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—
  (a) processing that is necessary for the purposes of direct marketing,
  (b) intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and
  (c) processing that is necessary for the purposes of ensuring the security of network and information systems.
12. In paragraph 11—
  “intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;
  “security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).”
(5) In Article 21(1) (right to object), after “point (e)” insert “, (ea)”.
(6) Schedule 4 to this Act inserts Annex 1 to the UK GDPR.
(7) In section 8 of the 2018 Act (lawfulness of processing: public interest etc), omit “the controller’s”.
(8) In the provisions listed in subsection (9)—
  (a) for “gateway” substitute “gateways”, and
  (b) for “were omitted” substitute “disapplied only the gateway in point (ea) (recognised legitimate interests)”.
(9) The provisions are—
  (a) section 40(8) of the Freedom of Information Act 2000 (personal data which is exempt information);
  (b) section 38(5A) of the Freedom of Information (Scotland) Act 2002 (asp 13) (personal data which is exempt information);
  (c) regulation 13(6) of the Environmental Information Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);
  (d) regulation 11(7) of the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);
  (e) regulation 45(1E) of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);
  (f) regulation 39(1E) of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information);
  (g) regulation 9(9) of the INSPIRE Regulations 2009 (S.I. 2009/3157) (limitation of public access to personal data included in a spatial data set);
  (h) regulation 10(8) of the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440) (limitation of public access to personal data included in a spatial data set).