- Latest available (Revised)
- Point in Time (06/06/2022)
- Original (As adopted by EU)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation)(Text with EEA relevance)
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Point in time view as at 06/06/2022.
Regulation (EU) 2016/679 of the European Parliament and of the Council, CHAPTER I is up to date with all changes known to be in force on or before 03 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
1.This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2.This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
F13.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F1Art. 1(3) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 3 (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
[F21.This Regulation applies to the automated or structured processing of personal data, including—
(a)processing in the course of an activity which, immediately before IP completion day, fell outside the scope of EU law, and
(b)processing in the course of an activity which, immediately before IP completion day, fell within the scope of Chapter 2 of Title 5 of the Treaty on European Union (common foreign and security policy activities).
1A.This Regulation also applies to the manual unstructured processing of personal data held by an FOI public authority.]
[F32.This Regulation does not apply to—
(a)the processing of personal data by an individual in the course of a purely personal or household activity;
(b)the processing of personal data by a competent authority for any of the law enforcement purposes (see Part 3 of the 2018 Act);
(c)the processing of personal data to which Part 4 of the 2018 Act (intelligence services processing) applies.]
F43.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.This Regulation shall be without prejudice to the application of [F5the Electronic Commerce (EC Directive) Regulations 2002, in particular the provisions about mere conduits, caching and hosting (see regulations 17 to 19 of those Regulations).]
[F65.In this Article—
(a)‘the automated or structured processing of personal data’ means—
(i)the processing of personal data wholly or partly by automated means, and
(ii)the processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system;
(b)‘the manual unstructured processing of personal data’ means the processing of personal data which is not the automated or structured processing of personal data;
(c)‘FOI public authority’ has the same meaning as in Chapter 3 of Part 2 of the 2018 Act (see section 21(5) of that Act);
(d)references to personal data ‘held’ by an FOI public authority are to be interpreted in accordance with section 21(6) and (7) of the 2018 Act;
(e)‘competent authority’ and ‘law enforcement purposes’ have the same meaning as in Part 3 of the 2018 Act (see sections 30 and 31 of that Act).]
Textual Amendments
F2Art. 2(1)(1A) substituted for Art. 2(1) (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 4(2) (as amended by S.I. 2020/1586, regs. 1(2), 4(2)) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Art. 2(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 4(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Art. 2(3) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 4(4) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in Art. 2(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 4(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Art. 2(5) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 4(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
1.This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in [F7the United Kingdom], regardless of whether the processing takes place in [F7the United Kingdom] or not.
2.This Regulation applies to the [F8relevant] processing of personal data of data subjects who are in [F9the United Kingdom] by a controller or processor not established in [F9the United Kingdom], where the processing activities are related to:
(a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in [F9the United Kingdom]; or
(b)the monitoring of their behaviour as far as their behaviour takes place within [F9the United Kingdom].
[F102A.In paragraph 2, “relevant processing of personal data” means processing to which this Regulation applies, other than processing described in Article 2(1)(a) or (b) or (1A).]
3.This Regulation applies to the processing of personal data by a controller not established in [F11the United Kingdom], but in a place where [F12domestic law] applies by virtue of public international law.
Textual Amendments
F7Words in Art. 3(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 5(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Word in Art. 3(2) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 5(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in Art. 3(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 5(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Art. 3(2A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 5(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in Art. 3(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 5(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12Words in Art. 3(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 5(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Modifications etc. (not altering text)
C1Art. 3 modified (31.12.2020) by S.I. 2020/916, art. 4(3)(4) (as amended by The Channel Tunnel (Arrangements with the Kingdom of the Netherlands) Order 2020 (S.I. 2020/916), arts. 1(2)(a), 8(a)(i))
For the purposes of this Regulation:
[F13(A1)‘the 2018 Act’ means the Data Protection Act 2018;
(A2)‘domestic law’ means the law of the United Kingdom or of a part of the United Kingdom;
(A3)‘the Commissioner’ means the Information Commissioner (see section 114 of the 2018 Act);]
(1)‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2)‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3)‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
(4)‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(5)‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
(6)‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
(7)‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [F14(but see section 6 of the 2018 Act)];
(8)‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(9)‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with [F15domestic law] shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
(10)‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
[F16(10A)‘public authority’ and ‘public body’ are to be interpreted in accordance with section 7 of the 2018 Act and provision made under that section;]
(11)‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
(12)‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(13)‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(14)‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(15)‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
F17(16). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(17)‘representative’ means a natural or legal person established in [F18the United Kingdom] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
(18)‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
(19)‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
(20)‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established [F19in the United Kingdom] for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
F20(21). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
[F21(21A)‘foreign designated authority’ means an authority designated for the purposes of Article 13 of the Data Protection Convention (as defined in section 3 of the 2018 Act) by a party, other than the United Kingdom, which is bound by that Convention;]
F22(22). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F22(23). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F22(24). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(25)‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council(1) [F23as it has effect immediately before IP completion day];
(26)‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
[F24(27)‘third country’ means a country or territory outside the United Kingdom;
(28)references to a fundamental right or fundamental freedom (however expressed) are to a fundamental right or fundamental freedom which continues to form part of domestic law on and after IP completion day by virtue of section 4 of the European Union (Withdrawal) Act 2018, as the right or freedom is amended or otherwise modified by domestic law from time to time on or after IP completion day.]
Textual Amendments
F13Arts. 4(A1)-(A3) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F14Words in Art. 4(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15Words in Art. 4(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F16Art. 4(10A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F17Art. 4(16) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(6) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F18Words in Art. 4(17) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F19Words in Art. 4(20) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F20Art. 4(21) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(9) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F21Art. 4(21A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F22Art. 4(22)(23)(24) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(11) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F23Words in Art. 4(25) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(12) (with reg. 5) (as amended by S.I. 2020/1586, regs. 1(2), 4(3)(a); 2020 c. 1, Sch. 5 para. 1(1)
F24Art. 4(27)(28) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 6(13) (with reg. 5) (as amended by S.I. 2020/1586, regs. 1(2), 4(3)(b)); 2020 c. 1, Sch. 5 para. 1(1)
Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: