| Introductory Text |
| Part 1 Preliminary (ss. 1-3) |
In force | 1. Overview |
In force | 2. Protection of personal data |
In force | 3. Terms relating to the processing of personal data |
| Part 2 General processing (ss. 4-28) |
| Chapter 1 Scope and definitions (ss. 4-5) |
In force | 4. Processing to which this Part applies |
In force | 5. Definitions |
| Chapter 2 The UK GDPR (ss. 6-20) |
| Meaning of certain terms used in the UK GDPR (ss. 6-7) |
In force | 6. Meaning of "controller" |
In force | 7. Meaning of "public authority" and "public body" |
| Lawfulness of processing (ss. 8-9) |
In force | 8. Lawfulness of processing: public interest etc |
Omitted | 9. Child's consent in relation to information society services |
| Special categories of personal data (ss. 10-11) |
In force | 10. Special categories of personal data and criminal convictions etc data |
In force | 11. Special categories of personal data etc: supplementary |
| Rights of the data subject (ss. 12-14) |
In force | 12. Limits on fees that may be charged by controllers |
In force | 13. Obligations of credit reference agencies |
Not yet in force | 13A. Meaning of "relevant offence" for purpose of right to erasure |
In force | 14. Automated decision-making authorised by law: safeguards |
| Exemptions etc (ss. 15-16) |
In force | 15. Exemptions etc |
In force | 16. Power to make further exemptions etc by regulations |
| Certification (s. 17) |
In force | 17. Accreditation of certification providers |
| Transfers of personal data to third countries etc (ss. 17A-18) |
In force | 17A. Transfers based on adequacy regulations |
In force | 17B. Transfers based on adequacy regulations: review etc |
In force | 17C. Standard data protection clauses |
In force | 18. Transfers of personal data to third countries etc: public interest |
| Specific processing situations (s. 19) |
In force | 19. Processing for archiving, research and statistical purposes: safeguards |
| Minor definition (s. 20) |
In force | 20. Meaning of "court" |
| Chapter 3 Exemptions for manual unstructured processing and for national security and defence purposes (ss. 21-28) |
| Definitions (s. 21) |
In force | 21. Definitions |
| Application of the GDPR (ss. 22-23) |
Omitted | 22. Application of the GDPR to processing to which this Chapter applies |
Omitted | 23. Power to make provision in consequence of regulations related to the GDPR |
| Exemptions etc (ss. 24-28) |
In force | 24. Manual unstructured data held by FOI public authorities |
In force | 25. Manual unstructured data used in longstanding historical research |
In force | 26. National security and defence exemption |
In force | 27. National security: certificate |
In force | 28. National security and defence: modifications to Articles 9 and 32 of the UK GDPR |
| Part 3 Law enforcement processing (ss. 29-81) |
| Chapter 1 Scope and definitions (ss. 29-33) |
| Scope (s. 29) |
In force | 29. Processing to which this Part applies |
| Definitions (ss. 30-33) |
In force | 30. Meaning of "competent authority" |
In force | 31. "The law enforcement purposes" |
In force | 32. Meaning of "controller" and "processor" |
In force | 33. Other definitions |
| Chapter 2 Principles (ss. 34-42) |
In force | 34. Overview and general duty of controller |
In force | 35. The first data protection principle |
In force | 36. The second data protection principle |
In force | 37. The third data protection principle |
In force | 38. The fourth data protection principle |
In force | 39. The fifth data protection principle |
In force | 40. The sixth data protection principle |
In force | 41. Safeguards: archiving |
In force | 42. Safeguards: sensitive processing |
| Chapter 3 Rights of the data subject (ss. 43-54) |
| Overview and scope (s. 43) |
In force | 43. Overview and scope |
| Information: controller's general duties (s. 44) |
In force | 44. Information: controller's general duties |
| Data subject's right of access (s. 45) |
In force | 45. Right of access by the data subject |
| Data subject's rights to rectification or erasure etc (ss. 46-48) |
In force | 46. Right to rectification |
In force | 47. Right to erasure or restriction of processing |
In force | 48. Rights under section 46 or 47: supplementary |
| Automated individual decision-making (ss. 49-50) |
In force | 49. Right not to be subject to automated decision-making |
In force | 50. Automated decision-making authorised by law: safeguards |
| Supplementary (ss. 51-54) |
In force | 51. Exercise of rights through the Commissioner |
In force | 52. Form of provision of information etc |
In force | 53. Manifestly unfounded or excessive requests by the data subject |
In force | 54. Meaning of "applicable time period" |
| Chapter 4 Controller and processor (ss. 55-71) |
In force | 55. Overview and scope |
| General obligations (ss. 56-63) |
In force | 56. General obligations of the controller |
In force | 57. Data protection by design and default |
In force | 58. Joint controllers |
In force | 59. Processors |
In force | 60. Processing under the authority of the controller or processor |
In force | 61. Records of processing activities |
In force | 62. Logging |
In force | 63. Co-operation with the Commissioner |
In force | 64. Data protection impact assessment |
In force | 65. Prior consultation with the Commissioner |
| Obligations relating to security (s. 66) |
In force | 66. Security of processing |
| Obligations relating to personal data breaches (ss. 67-68) |
In force | 67. Notification of a personal data breach to the Commissioner |
In force | 68. Communication of a personal data breach to the data subject |
| Data protection officers (ss. 69-71) |
In force | 69. Designation of a data protection officer |
In force | 70. Position of data protection officer |
In force | 71. Tasks of data protection officer |
| Chapter 5 Transfers of personal data to third countries etc (ss. 72-78) |
| Overview and interpretation (s. 72) |
In force | 72. Overview and interpretation |
| General principles for transfers (ss. 73-76) |
In force | 73. General principles for transfers of personal data |
Omitted | 74. Transfers on the basis of an adequacy decision |
In force | 74A. Transfers based on adequacy regulations |
In force | 74B. Transfers based on adequacy regulations: review etc |
In force | 75. Transfers on the basis of appropriate safeguards |
In force | 76. Transfers on the basis of special circumstances |
| Transfers to particular recipients (s. 77) |
In force | 77. Transfers of personal data to persons other than relevant authorities |
| Subsequent transfers (s. 78) |
In force | 78. Subsequent transfers |
| Chapter 6 Supplementary (ss. 79-81) |
In force | 79. National security: certificate |
In force | 80. Special processing restrictions |
In force | 81. Reporting of infringements |
| Part 4 Intelligence services processing (ss. 82-113) |
| Chapter 1 Scope and definitions (ss. 82-84) |
| Scope (s. 82) |
In force | 82. Processing to which this Part applies |
| Definitions (ss. 83-84) |
In force | 83. Meaning of "controller" and "processor" |
In force | 84. Other definitions |
| Chapter 2 Principles (ss. 85-91) |
| Overview (s. 85) |
In force | 85. Overview |
| The data protection principles (ss. 86-91) |
In force | 86. The first data protection principle |
In force | 87. The second data protection principle |
In force | 88. The third data protection principle |
In force | 89. The fourth data protection principle |
In force | 90. The fifth data protection principle |
In force | 91. The sixth data protection principle |
| Chapter 3 Rights of the data subject (ss. 92-100) |
| Overview (s. 92) |
In force | 92. Overview |
| Rights (ss. 93-100) |
In force | 93. Right to information |
In force | 94. Right of access |
In force | 95. Right of access: supplementary |
In force | 96. Right not to be subject to automated decision-making |
In force | 97. Right to intervene in automated decision-making |
In force | 98. Right to information about decision-making |
In force | 99. Right to object to processing |
In force | 100. Rights to rectification and erasure |
| Chapter 4 Controller and processor (ss. 101-108) |
| Overview (s. 101) |
In force | 101. Overview |
| General obligations (ss. 102-106) |
In force | 102. General obligations of the controller |
In force | 103. Data protection by design |
In force | 104. Joint controllers |
In force | 105. Processors |
In force | 106. Processing under the authority of the controller or processor |
| Obligations relating to security (s. 107) |
In force | 107. Security of processing |
| Obligations relating to personal data breaches (s. 108) |
In force | 108. Communication of a personal data breach |
| Chapter 5 Transfers of personal data outside the United Kingdom (s. 109) |
In force | 109. Transfers of personal data outside the United Kingdom |
| Chapter 6 Exemptions (ss. 110-113) |
In force | 110. National security |
In force | 111. National security: certificate |
In force | 112. Other exemptions |
In force | 113. Power to make further exemptions |
| Part 5 The Information Commissioner (ss. 114-141) |
| The Commissioner (s. 114) |
In force | 114. The Information Commissioner |
| General functions (ss. 115-117) |
In force | 115. General functions under the UK GDPR and safeguards |
In force | 116. Other general functions |
In force | 117. Competence in relation to courts etc |
| International role (ss. 118-120) |
In force | 118. Co-operation between parties to the Data Protection Convention |
In force | 119. Inspection of personal data in accordance with international obligations |
In force | 119A. Standard clauses for transfers to third countries etc |
In force | 120. Further international role |
| Codes of practice (ss. 121-128) |
In force | 121. Data-sharing code |
In force | 122. Direct marketing code |
In force | 123. Age-appropriate design code |
In force | 124. Data protection and journalism code |
In force | 125. Approval of codes prepared under sections 121 to 124 |
In force | 126. Publication and review of codes issued under section 125(4) |
In force | 127. Effect of codes issued under section 125(4) |
In force | 128. Other codes of practice |
| Consensual audits (s. 129) |
In force | 129. Consensual audits |
| Records of national security certificates (s. 130) |
In force | 130. Records of national security certificates |
| Information provided to the Commissioner (ss. 131-133) |
In force | 131. Disclosure of information to the Commissioner |
In force | 132. Confidentiality of information |
In force | 133. Guidance about privileged communications |
| Fees (ss. 134-136) |
In force | 134. Fees for services |
In force | 135. Manifestly unfounded or excessive requests by data subjects etc |
In force | 136. Guidance about fees |
| Charges (ss. 137-138) |
In force | 137. Charges payable to the Commissioner by controllers |
In force | 138. Regulations under section 137: supplementary |
| Reports etc (ss. 139-141) |
In force | 139. Reporting to Parliament |
In force | 140. Publication by the Commissioner |
In force | 141. Notices from the Commissioner |
| Part 6 Enforcement (ss. 142-181) |
| Information notices (ss. 142-145) |
In force | 142. Information notices |
In force | 143. Information notices: restrictions |
In force | 144. False statements made in response to information notices |
In force | 145. Information orders |
| Assessment notices (ss. 146-147) |
In force | 146. Assessment notices |
In force | 147. Assessment notices: restrictions |
| Information notices and assessment notices: destruction of documents etc (s. 148) |
In force | 148. Destroying or falsifying information and documents etc |
| Enforcement notices (ss. 149-153) |
In force | 149. Enforcement notices |
In force | 150. Enforcement notices: supplementary |
In force | 151. Enforcement notices: rectification and erasure of personal data etc |
In force | 152. Enforcement notices: restrictions |
In force | 153. Enforcement notices: cancellation and variation |
| Powers of entry and inspection (s. 154) |
In force | 154. Powers of entry and inspection |
| Penalties (ss. 155-159) |
In force | 155. Penalty notices |
In force | 156. Penalty notices: restrictions |
In force | 157. Maximum amount of penalty |
In force | 158. Fixed penalties for non-compliance with charges regulations |
In force | 159. Amount of penalties: supplementary |
| Guidance (ss. 160-161) |
In force | 160. Guidance about regulatory action |
In force | 161. Approval of first guidance about regulatory action |
| Appeals etc (ss. 162-164) |
In force | 162. Rights of appeal |
In force | 163. Determination of appeals |
In force | 164. Applications in respect of urgent notices |
| Complaints (ss. 165-166) |
In force | 165. Complaints by data subjects |
In force | 166. Orders to progress complaints |
| Remedies in the court (ss. 167-169) |
In force | 167. Compliance orders |
In force | 168. Compensation for contravention of the UK GDPR |
In force | 169. Compensation for contravention of other data protection legislation |
| Offences relating to personal data (ss. 170-173) |
In force | 170. Unlawful obtaining etc of personal data |
In force | 171. Re-identification of de-identified personal data |
In force | 172. Re-identification: effectiveness testing conditions |
In force | 173. Alteration etc of personal data to prevent disclosure to data subject |
| The special purposes (ss. 174-179) |
In force | 174. The special purposes |
In force | 175. Provision of assistance in special purposes proceedings |
In force | 176. Staying special purposes proceedings |
In force | 177. Guidance about how to seek redress against media organisations |
In force | 178. Review of processing of personal data for the purposes of journalism |
In force | 179. Effectiveness of the media's dispute resolution procedures |
| Jurisdiction of courts (s. 180) |
In force | 180. Jurisdiction |
| Definitions (s. 181) |
In force | 181. Interpretation of Part 6 |
| Part 7 Supplementary and final provision (ss. 182-215) |
| Regulations under this Act (s. 182) |
In force | 182. Regulations and consultation |
| Changes to the Data Protection Convention (s. 183) |
In force | 183. Power to reflect changes to the Data Protection Convention |
| Rights of the data subject (ss. 184-186) |
In force | 184. Prohibition of requirement to produce relevant records |
In force | 185. Avoidance of certain contractual terms relating to health records |
In force | 186. Data subject's rights and other prohibitions and restrictions |
| Representation of data subjects (ss. 187-190) |
In force | 187. Representation of data subjects with their authority |
In force | 188. Representation of data subjects with their authority: collective proceedings |
In force | 189. Duty to review provision for representation of data subjects |
In force | 190. Post-review powers to make provision about representation of data subjects |
| Framework for Data Processing by Government (ss. 191-194) |
In force | 191. Framework for Data Processing by Government |
In force | 192. Approval of the Framework |
In force | 193. Publication and review of the Framework |
In force | 194. Effect of the Framework |
| Data-sharing: HMRC and reserve forces (s. 195) |
In force | 195. Reserve forces: data-sharing by HMRC |
| Offences (ss. 196-200) |
In force | 196. Penalties for offences |
In force | 197. Prosecution |
In force | 198. Liability of directors etc |
In force | 199. Recordable offences |
In force | 200. Guidance about PACE codes of practice |
| The Tribunal (ss. 201-203) |
In force | 201. Disclosure of information to the Tribunal |
In force | 202. Proceedings in the First-tier Tribunal: contempt |
In force | 203. Tribunal Procedure Rules |
| Interpretation (ss. 204-206) |
In force | 204. Meaning of "health professional" and "social work professional" |
In force | 205. General interpretation |
In force | 206. Index of defined expressions |
| Territorial application (s. 207) |
In force | 207. Territorial application of this Act |
| General (ss. 208-211) |
In force | 208. Children in Scotland |
In force | 209. Application to the Crown |
In force | 210. Application to Parliament |
In force | 211. Minor and consequential provision |
| Final (ss. 212-215) |
In force | 212. Commencement |
In force | 213. Transitional provision |
In force | 214. Extent |
In force | 215. Short title |
| Schedule 1 Special categories of personal data and criminal convictions etc data |
In force | Schedule 1, Part 1 Conditions relating to employment, health and research etc (paras. 1-4) |
In force | Schedule 1, Part 2 Substantial public interest conditions (paras. 5-28) |
In force | Schedule 1, Part 3 Additional conditions relating to criminal convictions etc (paras. 29-37) |
In force | Schedule 1, Part 4 Appropriate policy document and additional safeguards (paras. 38-41) |
| Schedule 2 Exemptions etc from the UK GDPR |
In force | Schedule 2, Part 1 Adaptations and restrictions as described in Articles 6(3) and 23(1) (paras. 1-5) |
In force | Schedule 2, Part 2 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34 (paras. 6-15) |
In force | Schedule 2, Part 3 Restriction for the protection of rights of others (paras. 16-17) |
In force | Schedule 2, Part 4 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 15 (paras. 18-25) |
In force | Schedule 2, Part 5 Exemptions etc for reasons of freedom of expression and information (para. 26) |
In force | Schedule 2, Part 6 Derogations etc for research, statistics and archiving (paras. 27-28) |
| Schedule 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data |
In force | Schedule 3, Part 1 UK GDPR provisions to be restricted (para. 1) |
In force | Schedule 3, Part 2 Health data (paras. 2-6) |
In force | Schedule 3, Part 3 Social work data (paras. 7-12) |
In force | Schedule 3, Part 4 Education data (paras. 13-20) |
In force | Schedule 3, Part 5 Child abuse data (para. 21) |
In force | Schedule 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment |
In force | Schedule 5 Accreditation of certification providers: reviews and appeals |
| Schedule 6 The applied GDPR and the applied Chapter 2 |
Omitted | Schedule 6, Part 1 Modifications to the GDPR (paras. 1-72) |
Omitted | Schedule 6, Part 2 Modifications to Chapter 2 of Part 2 (paras. 73-75) |
In force | Schedule 7 Competent Authorities |
In force | Schedule 8 Conditions for sensitive processing under Part 3 |
In force | Schedule 9 Conditions for processing under Part 4 |
In force | Schedule 10 Conditions for sensitive processing under Part 4 |
In force | Schedule 11 Other exemptions under Part 4 |
In force | Schedule 12 The Information Commissioner |
In force | Schedule 13 Other general functions of the Commissioner |
| Schedule 14 Co-operation and mutual assistance |
Omitted | Schedule 14, Part 1 Law Enforcement Directive (paras. 1-5) |
In force | Schedule 14, Part 2 Data Protection Convention (paras. 6-10) |
In force | Schedule 15 Powers of entry and inspection |
In force | Schedule 16 Penalties |
In force | Schedule 17 Review of processing of personal data for the purposes of journalism |
In force | Schedule 18 Relevant records |
| Schedule 19 Minor and consequential amendments |
In force | Schedule 19, Part 1 Amendments of primary legislation (paras. 1-227) |
In force | Schedule 19, Part 2 Amendments of other legislation (paras. 228-429) |
In force | Schedule 19, Part 3 Modifications (paras. 430-432) |
In force | Schedule 19, Part 4 Supplementary (paras. 433-434) |
| Schedule 20 Transitional provision etc |
In force | Schedule 20, Part 1 General (para. 1) |
In force | Schedule 20, Part 2 Rights of data subjects (paras. 2-11) |
In force | Schedule 20, Part 3 The UK GDPR and Part 2 of this Act (paras. 12-13) |
In force | Schedule 20, Part 4 Law enforcement and intelligence services processing (paras. 14-16) |
In force | Schedule 20, Part 5 National security certificates (paras. 17-18) |
In force | Schedule 20, Part 6 The Information Commissioner (paras. 19-28) |
In force | Schedule 20, Part 7 Enforcement etc under the 1998 Act (paras. 29-43) |
In force | Schedule 20, Part 8 Enforcement etc under this Act (paras. 44-46) |
In force | Schedule 20, Part 9 Other enactments (paras. 47-61) |
| Schedule 21 Further transitional provision etc |
In force | Schedule 21, Part 1 Interpretation (para. 1) |
In force | Schedule 21, Part 2 Continuation of existing acts etc (paras. 2-3) |
In force | Schedule 21, Part 3 Transfers to third countries and international organisations (paras. 4-12) |
In force | Schedule 21, Part 4 Repeal of provisions in Chapter 3 of Part 2 (paras. 13-14) |
In force | Schedule 21, Part 5 The Information Commissioner (para. 15) |
In force | Schedule 21, Part 6 Enforcement (paras. 16-17) |