Version status: Partly in force | Document consolidation status: Updated to reflect all known changes
Published date: 23 May 2018
    Version 1 of 1    

Data Protection Act 2018 (c. 12)

Introductory Text
Part 1 Preliminary (ss. 1-3)
In force
1. Overview
In force
2. Protection of personal data
In force
3. Terms relating to the processing of personal data
Part 2 General processing (ss. 4-28)
Chapter 1 Scope and definitions (ss. 4-5)
In force
4. Processing to which this Part applies
In force
5. Definitions
Chapter 2 The UK GDPR (ss. 6-20)
Meaning of certain terms used in the UK GDPR (ss. 6-7)
In force
6. Meaning of "controller"
In force
7. Meaning of "public authority" and "public body"
Lawfulness of processing (ss. 8-9)
In force
8. Lawfulness of processing: public interest etc
In force
9. Child's consent in relation to information society services
Special categories of personal data (ss. 10-11)
In force
10. Special categories of personal data and criminal convictions etc data
In force
11. Special categories of personal data etc: supplementary
Rights of the data subject (ss. 12-14)
In force
12. Limits on fees that may be charged by controllers
In force
13. Obligations of credit reference agencies
In force
14. Automated decision-making authorised by law: safeguards
Exemptions etc (ss. 15-16)
In force
15. Exemptions etc
In force
16. Power to make further exemptions etc by regulations
Certification (s. 17)
In force
17. Accreditation of certification providers
Transfers of personal data to third countries etc (ss. 17A-18)
In force
17A. Transfers based on adequacy regulations
In force
17B. Transfers based on adequacy regulations: review etc
In force
17C. Standard data protection clauses
In force
18. Transfers of personal data to third countries etc
Specific processing situations (s. 19)
In force
19. Processing for archiving, research and statistical purposes: safeguards
Minor definition (s. 20)
In force
20. Meaning of "court"
Chapter 3 Exemptions for manual unstructured processing and for national security and defence purposes (ss. 21-28)
Definitions (s. 21)
In force
21. Processing to which this Chapter applies
Application of the GDPR (ss. 22-23)
In force
22. Application of the GDPR to processing to which this Chapter applies
In force
23. Power to make provision in consequence of regulations related to the GDPR
Exemptions etc (ss. 24-28)
In force
24. Manual unstructured data held by FOI public authorities
In force
25. Manual unstructured data used in longstanding historical research
In force
26. National security and defence exemption
In force
27. National security: certificate
In force
28. National security and defence: modifications to Articles 9 and 32 of the applied GDPR
Part 3 Law enforcement processing (ss. 29-81)
Chapter 1 Scope and definitions (ss. 29-33)
Scope (s. 29)
In force
29. Processing to which this Part applies
Definitions (ss. 30-33)
In force
30. Meaning of "competent authority"
In force
31. "The law enforcement purposes"
In force
32. Meaning of "controller" and "processor"
In force
33. Other definitions
Chapter 2 Principles (ss. 34-42)
In force
34. Overview and general duty of controller
In force
35. The first data protection principle
In force
36. The second data protection principle
In force
37. The third data protection principle
In force
38. The fourth data protection principle
In force
39. The fifth data protection principle
In force
40. The sixth data protection principle
In force
41. Safeguards: archiving
In force
42. Safeguards: sensitive processing
Chapter 3 Rights of the data subject (ss. 43-54)
Overview and scope (s. 43)
In force
43. Overview and scope
Information: controller's general duties (s. 44)
In force
44. Information: controller's general duties
Data subject's right of access (s. 45)
In force
45. Right of access by the data subject
Data subject's rights to rectification or erasure etc (ss. 46-48)
In force
46. Right to rectification
In force
47. Right to erasure or restriction of processing
In force
48. Rights under section 46 or 47: supplementary
Automated individual decision-making (ss. 49-50)
In force
49. Right not to be subject to automated decision-making
In force
50. Automated decision-making authorised by law: safeguards
Supplementary (ss. 51-54)
In force
51. Exercise of rights through the Commissioner
In force
52. Form of provision of information etc
In force
53. Manifestly unfounded or excessive requests by the data subject
In force
54. Meaning of "applicable time period"
Chapter 4 Controller and processor (ss. 55-71)
In force
55. Overview and scope
General obligations (ss. 56-65)
In force
56. General obligations of the controller
In force
57. Data protection by design and default
In force
58. Joint controllers
In force
59. Processors
In force
60. Processing under the authority of the controller or processor
In force
61. Records of processing activities
In force
62. Logging
In force
63. Co-operation with the Commissioner
In force
64. Data protection impact assessment
In force
65. Prior consultation with the Commissioner
Obligations relating to security (s. 66)
In force
66. Security of processing
Obligations relating to personal data breaches (ss. 67-68)
In force
67. Notification of a personal data breach to the Commissioner
In force
68. Communication of a personal data breach to the data subject
Data protection officers (ss. 69-71)
In force
69. Designation of a data protection officer
In force
70. Position of data protection officer
In force
71. Tasks of data protection officer
Chapter 5 Transfers of personal data to third countries etc (ss. 72-78)
Overview and interpretation (s. 72)
In force
72. Overview and interpretation
General principles for transfers (ss. 73-76)
In force
73. General principles for transfers of personal data
In force
74. Transfers on the basis of an adequacy decision
In force
74A. Transfers based on adequacy regulations
In force
74B. Transfers based on adequacy regulations: review etc
In force
75. Transfers on the basis of appropriate safeguards
In force
76. Transfers on the basis of special circumstances
Transfers to particular recipients (s. 77)
In force
77. Transfers of personal data to persons other than relevant authorities
Subsequent transfers (s. 78)
In force
78. Subsequent transfers
Chapter 6 Supplementary (ss. 79-81)
In force
79. National security: certificate
In force
80. Special processing restrictions
In force
81. Reporting of infringements
Part 4 Intelligence services processing (ss. 82-113)
Chapter 1 Scope and definitions (ss. 82-84)
Scope (s. 82)
In force
82. Processing to which this Part applies
Definitions (ss. 83-84)
In force
83. Meaning of "controller" and "processor"
In force
84. Other definitions
Chapter 2 Principles (ss. 85-91)
Overview (s. 85)
In force
85. Overview
The data protection principles (ss. 86-91)
In force
86. The first data protection principle
In force
87. The second data protection principle
In force
88. The third data protection principle
In force
89. The fourth data protection principle
In force
90. The fifth data protection principle
In force
91. The sixth data protection principle
Chapter 3 Rights of the data subject (ss. 92-100)
Overview (s. 92)
In force
92. Overview
Rights (ss. 93-100)
Not yet in force
93. Right to information
In force
94. Right of access
In force
95. Right of access: supplementary
In force
96. Right not to be subject to automated decision-making
In force
97. Right to intervene in automated decision-making
In force
98. Right to information about decision-making
In force
99. Right to object to processing
In force
100. Rights to rectification and erasure
Chapter 4 Controller and processor (ss. 101-108)
Overview (s. 101)
In force
101. Overview
General obligations (ss. 102-106)
Not yet in force
102. General obligations of the controller
Not yet in force
103. Data protection by design
Not yet in force
104. Joint controllers
Not yet in force
105. Processors
In force
106. Processing under the authority of the controller or processor
Obligations relating to security (s. 107)
In force
107. Security of processing
Obligations relating to personal data breaches (s. 108)
Not yet in force
108. Communication of a personal data breach
Chapter 5 Transfers of personal data outside the united kingdom (s. 109)
In force
109. Transfers of personal data outside the United Kingdom
Chapter 6 Exemptions (ss. 110-113)
In force
110. National security
In force
111. National security: certificate
In force
112. Other exemptions
In force
113. Power to make further exemptions
Part 5 The information commissioner (ss. 114-141)
The Commissioner (s. 114)
In force
114. The Information Commissioner
General functions (ss. 115-117)
In force
115. General functions under the GDPR and safeguards
In force
116. Other general functions
In force
117. Competence in relation to courts etc
International role (ss. 118-120)
In force
118. Co-operation and mutual assistance
In force
119. Inspection of personal data in accordance with international obligations
In force
119A. Standard clauses for transfers to third countries etc
In force
120. Further international role
Codes of practice (ss. 121-128)
In force
121. Data-sharing code
In force
122. Direct marketing code
In force
123. Age-appropriate design code
In force
124. Data protection and journalism code
Partly in force
125. Approval of codes prepared under sections 121 to 124
Partly in force
126. Publication and review of codes issued under section 125(4)
Partly in force
127. Effect of codes issued under section 125(4)
In force
128. Other codes of practice
Consensual audits (s. 129)
In force
129. Consensual audits
Records of national security certificates (s. 130)
In force
130. Records of national security certificates
Information provided to the Commissioner (ss. 131-133)
In force
131. Disclosure of information to the Commissioner
In force
132. Confidentiality of information
In force
133. Guidance about privileged communications
Fees (ss. 134-136)
In force
134. Fees for services
In force
135. Manifestly unfounded or excessive requests by data subjects etc
In force
136. Guidance about fees
Charges (ss. 137-138)
In force
137. Charges payable to the Commissioner by controllers
In force
138. Regulations under section 137: supplementary
Reports etc (ss. 139-141)
In force
139. Reporting to Parliament
In force
140. Publication by the Commissioner
In force
141. Notices from the Commissioner
Part 6 Enforcement (ss. 142-181)
Information notices (ss. 142-145)
In force
142. Information notices
In force
143. Information notices: restrictions
In force
144. False statements made in response to information notices
In force
145. Information orders
Assessment notices (ss. 146-147)
In force
146. Assessment notices
In force
147. Assessment notices: restrictions
Information notices and assessment notices: destruction of documents etc (s. 148)
In force
148. Destroying or falsifying information and documents etc
Enforcement notices (ss. 149-153)
In force
149. Enforcement notices
In force
150. Enforcement notices: supplementary
In force
151. Enforcement notices: rectification and erasure of personal data etc
In force
152. Enforcement notices: restrictions
In force
153. Enforcement notices: cancellation and variation
Powers of entry and inspection (s. 154)
In force
154. Powers of entry and inspection
Penalties (ss. 155-159)
In force
155. Penalty notices
In force
156. Penalty notices: restrictions
In force
157. Maximum amount of penalty
In force
158. Fixed penalties for non-compliance with charges regulations
In force
159. Amount of penalties: supplementary
Guidance (ss. 160-161)
In force
160. Guidance about regulatory action
In force
161. Approval of first guidance about regulatory action
Appeals etc (ss. 162-164)
In force
162. Rights of appeal
In force
163. Determination of appeals
In force
164. Applications in respect of urgent notices
Complaints (ss. 165-166)
In force
165. Complaints by data subjects
In force
166. Orders to progress complaints
Remedies in the court (ss. 167-169)
In force
167. Compliance orders
In force
168. Compensation for contravention of the GDPR
In force
169. Compensation for contravention of other data protection legislation
Offences relating to personal data (ss. 170-173)
In force
170. Unlawful obtaining etc of personal data
In force
171. Re-identification of de-identified personal data
In force
172. Re-identification: effectiveness testing conditions
In force
173. Alteration etc of personal data to prevent disclosure to data subject
The special purposes (ss. 174-179)
In force
174. The special purposes
In force
175. Provision of assistance in special purposes proceedings
In force
176. Staying special purposes proceedings
In force
177. Guidance about how to seek redress against media organisations
In force
178. Review of processing of personal data for the purposes of journalism
In force
179. Effectiveness of the media's dispute resolution procedures
Jurisdiction of courts (s. 180)
In force
180. Jurisdiction
Definitions (s. 181)
In force
181. Interpretation of Part 6
Part 7 Supplementary and final provision (ss. 182-215)
Regulations under this Act (s. 182)
In force
182. Regulations and consultation
Changes to the Data Protection Convention (s. 183)
In force
183. Power to reflect changes to the Data Protection Convention
Rights of the data subject (ss. 184-186)
In force
184. Prohibition of requirement to produce relevant records
In force
185. Avoidance of certain contractual terms relating to health records
In force
186. Data subject's rights and other prohibitions and restrictions
Representation of data subjects (ss. 187-190)
In force
187. Representation of data subjects with their authority
In force
188. Representation of data subjects with their authority: collective proceedings
In force
189. Duty to review provision for representation of data subjects
In force
190. Post-review powers to make provision about representation of data subjects
Framework for Data Processing by Government (ss. 191-194)
In force
191. Framework for Data Processing by Government
In force
192. Approval of the Framework
In force
193. Publication and review of the Framework
In force
194. Effect of the Framework
Data-sharing: HMRC and reserve forces (s. 195)
In force
195. Reserve forces: data-sharing by HMRC
Offences (ss. 196-200)
In force
196. Penalties for offences
In force
197. Prosecution
In force
198. Liability of directors etc
In force
199. Recordable offences
In force
200. Guidance about PACE codes of practice
The Tribunal (ss. 201-203)
In force
201. Disclosure of information to the Tribunal
In force
202. Proceedings in the First-tier Tribunal: contempt
In force
203. Tribunal Procedure Rules
Interpretation (ss. 204-206)
In force
204. Meaning of "health professional" and "social work professional"
In force
205. General interpretation
In force
206. Index of defined expressions
Territorial application (s. 207)
In force
207. Territorial application of this Act
General (ss. 208-211)
In force
208. Children in Scotland
In force
209. Application to the Crown
In force
210. Application to Parliament
In force
211. Minor and consequential provision
Final (ss. 212-215)
In force
212. Commencement
Partly in force
213. Transitional provision
In force
214. Extent
In force
215. Short title
Schedule 1 Special categories of personal data and criminal convictions etc data
In force
Schedule 1, Part 1 Conditions relating to employment, health and research etc (paras. 1-4)
In force
Schedule 1, Part 2 Substantial public interest conditions (paras. 5-28)
In force
Schedule 1, Part 3 Additional conditions relating to criminal convictions etc (paras. 29-37)
In force
Schedule 1, Part 4 Appropriate policy document and additional safeguards (paras. 38-41)
Schedule 2 Exemptions etc from the UK GDPR
In force
Schedule 2, Part 1 Adaptations and restrictions based on Articles 6(3) and 23(1) (paras. 1-5)
In force
Schedule 2, Part 2 Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34 (paras. 6-15)
In force
Schedule 2, Part 3 Restriction based on Article 23(1): protection of rights of others(paras. 16-17)
In force
Schedule 2, Part 4 Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15 (paras. 18-25)
In force
Schedule 2, Part 5 Exemptions etc based on Article 85(2) for reasons of freedom of expression and information (para. 26)
In force
Schedule 2, Part 6 Derogations etc based on Article 89 for research, statistics and archiving (paras. 27-28)
Schedule 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data
In force
Schedule 3, Part 1 GDPR provisions to be restricted (para. 1)
In force
Schedule 3, Part 2 Health data (paras. 2-6)
In force
Schedule 3, Part 3 Social work data (paras. 7-12)
In force
Schedule 3, Part 4 Education data (paras. 13-20)
In force
Schedule 3, Part 5 Child abuse data (para. 21)
In force
Schedule 4 Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment
In force
Schedule 5 Accreditation of certification providers: reviews and appeals
Schedule 6 The applied GDPR and the applied Chapter 2
Partly in force
Schedule 6, Part 1 Modifications to the GDPR (paras. 1-72)
In force
Schedule 6, Part 2 Modifications to Chapter 2 of Part 2 (paras. 73-75)
In force
Schedule 7 Competent Authorities
In force
Schedule 8 Conditions for sensitive processing under Part 3
In force
Schedule 9 Conditions for processing under Part 4
In force
Schedule 10 Conditions for sensitive processing under Part 4
In force
Schedule 11 Other exemptions under Part 4
In force
Schedule 12 The information Commissioner
In force
Schedule 13 Other general functions of the Commissioner
Schedule 14 Co-operation and mutual assistance
In force
Schedule 14, Part 1 Law Enforcement Directive (paras. 1-5)
In force
Schedule 14, Part 2 Data Protection Convention (paras. 6-10)
In force
Schedule 15 Powers of entry and inspection
In force
Schedule 16 Penalties
In force
Schedule 17 Review of processing of personal data for the purposes of journalism
In force
Schedule 18 Relevant records
Schedule 19 Minor and consequential amendments
Partly in force
Schedule 19, Part 1 Amendments of primary legislation (paras. 1-227)
In force
Schedule 19, Part 2 Amendments of other legislation (paras. 228-429)
In force
Schedule 19, Part 3 Modifications (paras. 430-432)
In force
Schedule 19, Part 4 Supplementary (paras. 433-434)
Schedule 20 Transitional provision etc
In force
Schedule 20, Part 1 General (para. 1)
In force
Schedule 20, Part 2 Rights of data subjects (paras. 2-11)
In force
Schedule 20, Part 3 The GDPR and Part 2 of this Act (paras. 12-13)
In force
Schedule 20, Part 4 Law enforcement and intelligence services processing (paras. 14-16)
In force
Schedule 20, Part 5 National security certificates (paras. 17-18)
In force
Schedule 20, Part 6 The Information Commissioner (paras. 19-28)
In force
Schedule 20, Part 7 Enforcement etc under the 1998 Act (paras. 29-43)
In force
Schedule 20, Part 8 Enforcement etc under this Act (paras. 44-46)
In force
Schedule 20, Part 9 Other enactments (paras. 47-61)
Schedule 21 Further transitional provision etc
In force
Schedule 21, Part 1 Interpretation (para. 1)
In force
Schedule 21, Part 2 Continuation of existing acts etc (paras. 2-3)
In force
Schedule 21, Part 3 Transfers to third countries and international organisations (paras. 4-12)
In force
Schedule 21, Part 4 Repeal of provisions in Chapter 3 of Part 2 (paras. 13-14)
In force
Schedule 21, Part 5 The Information Commissioner (para. 15)
In force
Schedule 21, Part 6 Enforcement (paras. 16-17)