- Latest available (Revised)
- Point in Time (31/12/2023)
- Original (As adopted by EU)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation)(Text with EEA relevance)
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Point in time view as at 31/12/2023.
Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 9 is up to date with all changes known to be in force on or before 25 December 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
1.Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2.Paragraph 1 shall not apply if one of the following applies:
(a)the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where [F1domestic law provides] that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b)processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [F2domestic law] or a collective agreement pursuant [F3to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c)processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d)processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e)processing relates to personal data which are manifestly made public by the data subject;
(f)processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g)processing is necessary for reasons of substantial public interest, on the basis of [F4domestic law] which shall be proportionate to the aim pursued F5... and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h)processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of [F6domestic law] or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i)processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of [F7domestic law] which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j)processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) [F8(as supplemented by section 19 of the 2018 Act)] based on [F9domestic law] which shall be proportionate to the aim pursued F10... and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3.Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under [F11domestic law] or rules established by national competent bodies or by another person also subject to an obligation of secrecy under [F11domestic law] or rules established by national competent bodies.
[F123A.In paragraph 3, ‘national competent bodies’ means competent bodies of the United Kingdom or a part of the United Kingdom.]
F134.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
[F145.In the 2018 Act—
(a)section 10 makes provision about when the requirement in paragraph 2(b), (g), (h), (i) or (j) of this Article for authorisation by, or a basis in, domestic law is met;
(b)section 11(1) makes provision about when the processing of personal data is carried out in circumstances described in paragraph 3 of this Article.]
Textual Amendments
F1Words in Art. 9(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in Art. 9(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in Art. 9(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Words in Art. 9(2)(g) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in Art. 9(2)(g) omitted (31.12.2023 immediately before the end of 2023) by virtue of The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (S.I. 2023/1417), regs. 1(2), 2(4)
F6Words in Art. 9(2)(h) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7Words in Art. 9(2)(i) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in Art. 9(2)(j) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in Art. 9(2)(j) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in Art. 9(2)(j) omitted (31.12.2023 immediately before the end of 2023) by virtue of The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (S.I. 2023/1417), regs. 1(2), 2(5)
F11Words in Art. 9(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12Art. 9(3A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13Art. 9(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(10) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F14Art. 9(5) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 9(11) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: