http://www.legislation.gov.uk/id/ukpga/2025/18

Part 5Data protection and privacy

Chapter 1Data protection

Data subject’s rights

77Information to be provided to data subjects

(1)

In Article 13 of the UK GDPR (information to be provided where personal data is collected from the data subject)—

(a)

in paragraph 4, for “shall not apply where and insofar as” substitute “do not apply to the extent that”, and

(b)

at the end insert—

“5.
Paragraph 3 does not apply to the extent that—
(a)
the controller intends to further process the personal data—
(i)
for (and only for) the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes, and
(ii)
in accordance with Article 84B, and
(b)
providing the information is impossible or would involve a disproportionate effort.
6.
For the purposes of paragraph 5(b), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
7.
A controller relying on paragraph 5 must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”

(2)

In Article 14 of the UK GDPR (information to be provided where personal data is not obtained from the data subject)—

(a)

in paragraph 5—

(i)

for “shall not apply where and insofar as” substitute “do not apply to the extent that”,

(ii)

omit point (b),

(iii)

omit the “or” at the end of point (c),

(iv)

in point (d), omit “where”, and

(v)

after that point insert—

“(e)
providing the information is impossible or would involve a disproportionate effort, or
(f)
the obligation referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended.”, and

(b)

at the end insert—

“6.
For the purposes of paragraph 5(e), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
7.
A controller relying on paragraph 5(e) or (f) must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”