- Latest available (Revised)
- Original (As enacted)
Data Protection Act 2018, Section 149 is up to date with all changes known to be in force on or before 06 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Whole provisions yet to be inserted into this Act (including any effects on those provisions):
(1)Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “enforcement notice”) which requires the person—
(a)to take steps specified in the notice, or
(b)to refrain from taking steps specified in the notice,
or both (and see also sections 150 and 151).
(2)The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following—
(a)a provision of Chapter II of the [F1UK GDPR] or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);
(b)a provision of Articles 12 to 22 of the [F2UK GDPR] or Part 3 or 4 of this Act conferring rights on a data subject;
(c)a provision of Articles 25 to 39 of the [F3UK GDPR] or section 64 or 65 of this Act (obligations of controllers and processors);
(d)a requirement to communicate a personal data breach to the Commissioner or a data subject under section 67, 68 or 108 of this Act;
(e)the principles for transfers of personal data to third countries, non-Convention countries and international organisations in Articles 44 to 49 of the [F4UK GDPR] or in sections 73 to 78 or 109 of this Act.
(3)The second type of failure is where a monitoring body has failed, or is failing, to comply with an obligation under Article 41 of the [F5UK GDPR] (monitoring of approved codes of conduct).
(4)The third type of failure is where a person who is a certification provider—
(a)does not meet the requirements for accreditation,
(b)has failed, or is failing, to comply with an obligation under Article 42 or 43 of the [F6UK GDPR] (certification of controllers and processors), or
(c)has failed, or is failing, to comply with any other provision of the [F7UK GDPR] (whether in the person's capacity as a certification provider or otherwise).
(5)The fourth type of failure is where a controller has failed, or is failing, to comply with regulations under section 137.
(6)An enforcement notice given in reliance on subsection (2), (3) or (5) may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure.
(7)An enforcement notice given in reliance on subsection (4) may only impose requirements which the Commissioner considers appropriate having regard to the failure (whether or not for the purpose of remedying the failure).
(8)The Secretary of State may by regulations confer power on the Commissioner to give an enforcement notice in respect of other failures to comply with the data protection legislation.
(9)Regulations under this section—
(a)may make provision about the giving of an enforcement notice in respect of the failure, including by amending this section and sections 150 to 152,
(b)may make provision about the giving of an information notice, an assessment notice or a penalty notice, or about powers of entry and inspection, in connection with the failure, including by amending sections 142, 143, 146, 147 and 155 to 157 and Schedules 15 and 16, and
(c)are subject to the affirmative resolution procedure.
Textual Amendments
F1Words in s. 149(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in s. 149(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in s. 149(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Words in s. 149(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in s. 149(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in s. 149(4)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7Words in s. 149(4)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 61 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I1S. 149 in force at Royal Assent for specified purposes, see s. 212(2)(f)
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: