Data Protection Act 2018, PART 1 is up to date with all changes known to be in force on or before 18 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
(1) This Act makes provision about the processing of personal data.
(2) Most processing of personal data is subject to the [F1UK GDPR].
(3) Part 2 supplements the [F2UK GDPR].
(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes F3....
(5) Part 4 makes provision about the processing of personal data by the intelligence services.
(6) Part 5 makes provision about the Information Commissioner.
(7) Part 6 makes provision about the enforcement of the data protection legislation.
(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.
Textual Amendments
F1Words in s. 1(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 2(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in s. 1(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 2(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in s. 1(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 2(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1) The [F4UK GDPR] and this Act protect individuals with regard to the processing of personal data, in particular by—
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
(2) When carrying out functions under the [F5UK GDPR] and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.
Textual Amendments
F4Words in s. 2(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 3 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in s. 2(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 3 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1) This section defines some terms used in this Act.
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to—
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—
(a) collection, recording, organisation, structuring or storage,
(b) adaptation or alteration,
(c) retrieval, consultation or use,
(d) disclosure by transmission, dissemination or otherwise making available,
(e) alignment or combination, or
(f) restriction, erasure or destruction,
(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
(6) “Controller” and “processor”, in relation to the processing of personal data to which F6... Part 2, Part 3 or Part 4 applies, have the same meaning as in that F6... Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).
(7) “Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
(8) “The Commissioner” means the Information Commissioner (see section 114).
(9) “The data protection legislation” means—
[F7(a) the UK GDPR,]
F8(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(c) this Act,
(d) regulations made under this Act, and
(e) regulations made under section 2(2) of the European Communities Act 1972 which relate to [F9the EU GDPR] or the Law Enforcement Directive.
(10) “[F10The UK GDPR]” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [F11(United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4))].
[F12(10A) “The EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.]
F13(11). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(12) “The Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
(13) “The Data Protection Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
(14) In Parts 5 to 7, except where otherwise provided—
[F14(a) references to the UK GDPR are to the UK GDPR read with Part 2;]
F15(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(c) references to personal data, and the processing of personal data, are to personal data and processing to which F16... Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which F17... Part 2, Part 3 or Part 4 applies.
(15) There is an index of defined expressions in section 206.
Textual Amendments
F6Words in s. 3(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7S. 3(9)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8S. 3(9)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in s. 3(9)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in s. 3(10) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in s. 3(10) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12S. 3(10A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13S. 3(11) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F14S. 3(14)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15S. 3(14)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F16Words in s. 3(14)(c) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F17Words in s. 3(14)(d) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 4(7)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)