- Latest available (Revised)
- Point in Time (19/06/2023)
- Original (As enacted)
Version Superseded: 31/12/2023
Point in time view as at 19/06/2023.
Data Protection Act 2018, PART 5 is up to date with all changes known to be in force on or before 01 December 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
(1)There is to continue to be an Information Commissioner.
(2)Schedule 12 makes provision about the Commissioner.
F2(1). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(2)General functions are conferred on the Commissioner by—
(a)Article 57 of the [F3UK GDPR] (tasks), and
(b)Article 58 of the [F4UK GDPR] (powers),
(and see also the Commissioner's duty under section 2 [F5and section 28(5)]).
(3)The Commissioner's functions in relation to the processing of personal data to which the [F6UK GDPR] applies include—
(a)a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data, and
(b)a power to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
(4)The Commissioner's functions under Article 58 of the [F7UK GDPR] are subject to the safeguards in subsections (5) to (9).
(5)The Commissioner's power under Article 58(1)(a) of the [F8UK GDPR] (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner's tasks under the [F8UK GDPR]) is exercisable only by giving an information notice under section 142.
(6)The Commissioner's power under Article 58(1)(b) of the [F9UK GDPR] (power to carry out data protection audits) is exercisable only in accordance with section 146.
(7)The Commissioner's powers under Article 58(1)(e) and (f) of the [F10UK GDPR] (power to obtain information from controllers and processors and access to their premises) are exercisable only—
(a)in accordance with Schedule 15 (see section 154), or
(b)to the extent that they are exercised in conjunction with the power under Article 58(1)(b) of the [F10UK GDPR], in accordance with section 146.
(8)The following powers are exercisable only by giving an enforcement notice under section 149—
(a)the Commissioner's powers under Article 58(2)(c) to (g) and (j) of the [F11UK GDPR] (certain corrective powers);
(b)the Commissioner's powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the [F12UK GDPR].
(9)The Commissioner's powers under Articles 58(2)(i) and 83 of the [F13UK GDPR] (administrative fines) are exercisable only by giving a penalty notice under section 155.
(10)This section is without prejudice to other functions conferred on the Commissioner, whether by the [F14UK GDPR], this Act or otherwise.
Textual Amendments
F1Words in s. 115 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2S. 115(1) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in s. 115(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Words in s. 115(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in s. 115(2) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in s. 115(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7Words in s. 115(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in s. 115(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in s. 115(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in s. 115(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in s. 115(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12Words in s. 115(8)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13Words in s. 115(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F14Words in s. 115(10) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 47(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
[F15(A1)The Commissioner is responsible for monitoring the application of Part 3 of this Act, in order to protect the fundamental rights and freedoms of individuals in relation to processing by a competent authority for any of the law enforcement purposes (as defined in Part 3) and to facilitate the free flow of personal data.]
(1)The Commissioner—
F16(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(b)is to continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Data Protection Convention.
(2)Schedule 13 confers general functions on the Commissioner in connection with processing to which the [F17UK GDPR] does not apply (and see also the Commissioner's duty under section 2).
(3)This section and Schedule 13 are without prejudice to other functions conferred on the Commissioner, whether by this Act or otherwise.
Textual Amendments
F15S. 116(A1) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 48(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F16S. 116(1)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 48(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F17Words in s. 116(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 48(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Nothing in this Act [F18or the UK GDPR] permits or requires the Commissioner to exercise functions in relation to the processing of personal data by—
(a)an individual acting in a judicial capacity, or
(b)a court or tribunal acting in its judicial capacity F19...
F19....
Textual Amendments
F18Words in s. 117 inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 49(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F19Words and comma in s. 117 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 49(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F21(1). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F21(2). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F21(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F21(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(5)Part 2 of Schedule 14 makes provision as to the functions to be carried out by the Commissioner for the purposes of Article 13 of the Data Protection Convention (co-operation between parties).
Textual Amendments
F20S. 118 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 50(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F21S. 118(1)-(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 50(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2).
(2)The power under subsection (1) is exercisable only if the personal data—
(a)is processed wholly or partly by automated means, or
(b)is processed otherwise than by automated means and forms part of a filing system or is intended to form part of a filing system.
(3)The power under subsection (1) includes power to inspect, operate and test equipment which is used for the processing of personal data.
(4)Before exercising the power under subsection (1), the Commissioner must by written notice inform the controller and any processor that the Commissioner intends to do so.
(5)Subsection (4) does not apply if the Commissioner considers that the case is urgent.
(6)It is an offence—
(a)intentionally to obstruct a person exercising the power under subsection (1), or
(b)to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.
(7)Paragraphs (c) and (d) of section 3(14) do not apply to references in this section to personal data, the processing of personal data, a controller or a processor.
(1)The Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 17C).
(2)The Commissioner may issue a document that amends or withdraws a document issued under subsection (1).
(3)A document issued under this section—
(a)must specify when it comes into force,
(b)may make different provision for different purposes, and
(c)may include transitional provision or savings.
(4)Before issuing a document under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
(a)trade associations;
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(5)After a document is issued under this section—
(a)the Commissioner must send a copy to the Secretary of State, and
(b)the Secretary of State must lay it before Parliament.
(6)If, within the 40-day period, either House of Parliament resolves not to approve the document then, with effect from the end of the day on which the resolution is passed, the document is to be treated as not having been issued under this section (so that the document, and any amendment or withdrawal made by the document, is to be disregarded for the purposes of Article 46(2)(d) of the UK GDPR).
(7)Nothing in subsection (6)—
(a)affects any transfer of personal data previously made in reliance on the document, or
(b)prevents a further document being laid before Parliament.
(8)The Commissioner must publish—
(a)a document issued under this section, and
(b)a notice identifying any document which, under subsection (6), is treated as not having been issued under this section.
(9)The Commissioner must keep under review the clauses specified in a document issued under this section for the time being in force.
(10)In this section, “the 40-day period” means—
(a)if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
(b)if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
(11)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
(12)In this section, “trade association” includes a body representing controllers or processors.]
Textual Amendments
(1)The Commissioner must, in relation to third countries and international organisations, take appropriate steps to—
(a)develop international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
(b)provide international mutual assistance in the enforcement of legislation for the protection of personal data, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
(c)engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;
(d)promote the exchange and documentation of legislation and practice for the protection of personal data, including legislation and practice relating to jurisdictional conflicts with third countries.
(2)Subsection (1) applies only in connection with the processing of personal data to which the [F23UK GDPR] does not apply; for the equivalent duty in connection with the processing of personal data to which the [F23UK GDPR] applies, see Article 50 of the [F23UK GDPR] (international co-operation for the protection of personal data).
[F24(2A)The Commissioner may contribute to the activities of international organisations with data protection functions.]
(3)The Commissioner must carry out data protection functions which the Secretary of State directs the Commissioner to carry out for the purpose of enabling Her Majesty's Government in the United Kingdom to give effect to an international obligation of the United Kingdom.
(4)The Commissioner may provide an authority carrying out data protection functions under the law of a British overseas territory with assistance in carrying out those functions.
(5)The Secretary of State may direct that assistance under subsection (4) is to be provided on terms, including terms as to payment, specified or approved by the Secretary of State.
(6)In this section—
“data protection functions” means functions relating to the protection of individuals with respect to the processing of personal data;
“mutual assistance in the enforcement of legislation for the protection of personal data” includes assistance in the form of notification, complaint referral, investigative assistance and information exchange;
“third country” means a country or territory [F25outside the United Kingdom].
(7)Section 3(14)(c) does not apply to references to personal data and the processing of personal data in this section.
Textual Amendments
F23Words in s. 120(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 52(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F24S. 120(2A) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 52(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F25Words in s. 120(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 52(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner must prepare a code of practice which contains—
(a)practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation, and
(b)such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.
(2)Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
(3)Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
(a)trade associations;
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(4)A code under this section may include transitional provision or savings.
(5)In this section—
“good practice in the sharing of personal data” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
“the sharing of personal data” means the disclosure of personal data by transmission, dissemination or otherwise making it available;
“trade association” includes a body representing controllers or processors.
(1)The Commissioner must prepare a code of practice which contains—
(a)practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), and
(b)such other guidance as the Commissioner considers appropriate to promote good practice in direct marketing.
(2)Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
(3)Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
(a)trade associations;
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(4)A code under this section may include transitional provision or savings.
(5)In this section—
“direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;
“good practice in direct marketing” means such practice in direct marketing as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements mentioned in subsection (1)(a);
“trade association” includes a body representing controllers or processors.
(1)The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
(2)Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
(3)Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such other persons as the Commissioner considers appropriate, including—
(a)children,
(b)parents,
(c)persons who appear to the Commissioner to represent the interests of children,
(d)child development experts, and
(e)trade associations.
(4)In preparing a code or amendments under this section, the Commissioner must have regard—
(a)to the fact that children have different needs at different ages, and
(b)to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.
(5)A code under this section may include transitional provision or savings.
(6)Any transitional provision included in the first code under this section must cease to have effect before the end of the period of 12 months beginning when the code comes into force.
(7)In this section—
“age-appropriate design” means the design of services so that they are appropriate for use by, and meet the development needs of, children;
“information society services” has the same meaning as in the [F26UK GDPR], but does not include preventive or counselling services;
“relevant information society services” means information society services which involve the processing of personal data to which the [F26UK GDPR] applies;
“standards of age-appropriate design of relevant information society services” means such standards of age-appropriate design of such services as appear to the Commissioner to be desirable having regard to the best interests of children;
“trade association” includes a body representing controllers or processors;
“the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.
Textual Amendments
F26Words in s. 123(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 53 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I1S. 123 in force at 23.7.2018 by S.I. 2018/625, reg. 3(a)
(1)The Commissioner must prepare a code of practice which contains—
(a)practical guidance in relation to the processing of personal data for the purposes of journalism in accordance with the requirements of the data protection legislation, and
(b)such other guidance as the Commissioner considers appropriate to promote good practice in the processing of personal data for the purposes of journalism.
(2)Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
(3)Before preparing a code or amendments under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—
(a)trade associations;
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(4)A code under this section may include transitional provision or savings.
(5)In this section—
“good practice in the processing of personal data for the purposes of journalism” means such practice in the processing of personal data for those purposes as appears to the Commissioner to be desirable having regard to—
the interests of data subjects and others, including compliance with the requirements of the data protection legislation, and
the special importance of the public interest in the freedom of expression and information;
“trade association” includes a body representing controllers or processors.
(1)When a code is prepared under section 121, 122, 123 or 124—
(a)the Commissioner must submit the final version to the Secretary of State, and
(b)the Secretary of State must lay the code before Parliament.
(2)In relation to the first code under section 123—
(a)the Commissioner must prepare the code as soon as reasonably practicable and must submit it to the Secretary of State before the end of the period of 18 months beginning when this Act is passed, and
(b)the Secretary of State must lay it before Parliament as soon as reasonably practicable.
(3)If, within the 40-day period, either House of Parliament resolves not to approve a code prepared under section 121, 122, 123 or 124, the Commissioner must not issue the code.
(4)If no such resolution is made within that period—
(a)the Commissioner must issue the code, and
(b)the code comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(5)If, as a result of subsection (3), there is no code in force under section 121, 122, 123 or 124, the Commissioner must prepare another version of the code.
(6)Nothing in subsection (3) prevents another version of the code being laid before Parliament.
(7)In this section, “the 40-day period” means—
(a)if the code is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
(b)if the code is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
(8)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
(9)This section, other than subsections (2) and (5), applies in relation to amendments prepared under section 121, 122, 123 or 124 as it applies in relation to codes prepared under those sections.
Commencement Information
I2S. 125 not in force at Royal Assent; s. 125 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)
I3S. 125 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(b)
(1)The Commissioner must publish a code issued under section 125(4).
(2)Where an amendment of a code is issued under section 125(4), the Commissioner must publish—
(a)the amendment, or
(b)the code as amended by it.
(3)The Commissioner must keep under review each code issued under section 125(4) for the time being in force.
(4)Where the Commissioner becomes aware that the terms of such a code could result in a breach of an international obligation of the United Kingdom, the Commissioner must exercise the power under section 121(2), 122(2), 123(2) or 124(2) with a view to remedying the situation.
Commencement Information
I4S. 126 not in force at Royal Assent; s. 126 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)
I5S. 126 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(c)
(1)A failure by a person to act in accordance with a provision of a code issued under section 125(4) does not of itself make that person liable to legal proceedings in a court or tribunal.
(2)A code issued under section 125(4), including an amendment or replacement code, is admissible in evidence in legal proceedings.
(3)In any proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code issued under section 125(4) in determining a question arising in the proceedings if—
(a)the question relates to a time when the provision was in force, and
(b)the provision appears to the court or tribunal to be relevant to the question.
(4)Where the Commissioner is carrying out a function described in subsection (5), the Commissioner must take into account a provision of a code issued under section 125(4) in determining a question arising in connection with the carrying out of the function if—
(a)the question relates to a time when the provision was in force, and
(b)the provision appears to the Commissioner to be relevant to the question.
(5)Those functions are functions under—
(a)the data protection legislation, or
(b)the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).
Commencement Information
I6S. 127 not in force at Royal Assent; s. 127 in force at 23.7.2018 for specified purposes, see s. 212(3)(b)
I7S. 127 in force at 23.7.2018 for specified purposes by S.I. 2018/625, reg. 3(d)
(1)The Secretary of State may by regulations require the Commissioner—
(a)to prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data, and
(b)to make them available to such persons as the Commissioner considers appropriate.
(2)Before preparing such codes, the Commissioner must consult such of the following as the Commissioner considers appropriate—
(a)trade associations;
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(3)Regulations under this section—
(a)must describe the personal data or processing to which the code of practice is to relate, and
(b)may describe the persons or classes of person to whom it is to relate.
(4)Regulations under this section are subject to the negative resolution procedure.
(5)In this section—
“good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
“trade association” includes a body representing controllers or processors.
Commencement Information
I8S. 128 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)The Commissioner's functions under Article 58(1) of the [F27UK GDPR] and paragraph 1 of Schedule 13 include power, with the consent of a controller or processor, to carry out an assessment of whether the controller or processor is complying with good practice in the processing of personal data.
(2)The Commissioner must inform the controller or processor of the results of such an assessment.
(3)In this section, “good practice in the processing of personal data” has the same meaning as in section 128.
Textual Amendments
F27Words in s. 129(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 54 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)A Minister of the Crown who issues a certificate under section 27, 79 or 111 must send a copy of the certificate to the Commissioner.
(2)If the Commissioner receives a copy of a certificate under subsection (1), the Commissioner must publish a record of the certificate.
(3)The record must contain—
(a)the name of the Minister who issued the certificate,
(b)the date on which the certificate was issued, and
(c)subject to subsection (4), the text of the certificate.
(4)The Commissioner must not publish the text, or a part of the text, of the certificate if—
(a)the Minister determines that publishing the text or that part of the text—
(i)would be against the interests of national security,
(ii)would be contrary to the public interest, or
(iii)might jeopardise the safety of any person, and
(b)the Minister has notified the Commissioner of that determination.
(5)The Commissioner must keep the record of the certificate available to the public while the certificate is in force.
(6)If a Minister of the Crown revokes a certificate issued under section 27, 79 or 111, the Minister must notify the Commissioner.
(1)No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner with information necessary for the discharge of the Commissioner's functions.
(2)But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(3)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.
(1)A person who is or has been the Commissioner, or a member of the Commissioner's staff or an agent of the Commissioner, must not disclose information which—
(a)has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner's functions,
(b)relates to an identified or identifiable individual or business, and
(c)is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,
unless the disclosure is made with lawful authority.
(2)For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—
(a)the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,
(b)the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),
(c)the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner's functions,
F28(d). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(e)the disclosure was made for the purposes of criminal or civil proceedings, however arising, or
(f)having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.
(3)It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).
Textual Amendments
F28S. 132(2)(d) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 55 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner must produce and publish guidance about—
(a)how the Commissioner proposes to secure that privileged communications which the Commissioner obtains or has access to in the course of carrying out the Commissioner's functions are used or disclosed only so far as necessary for carrying out those functions, and
(b)how the Commissioner proposes to comply with restrictions and prohibitions on obtaining or having access to privileged communications which are imposed by an enactment.
(2)The Commissioner—
(a)may alter or replace the guidance, and
(b)must publish any altered or replacement guidance.
(3)The Commissioner must consult the Secretary of State before publishing guidance under this section (including altered or replacement guidance).
(4)The Commissioner must arrange for guidance under this section (including altered or replacement guidance) to be laid before Parliament.
(5)In this section, “privileged communications” means—
(a)communications made—
(i)between a professional legal adviser and the adviser's client, and
(ii)in connection with the giving of legal advice to the client with respect to legal obligations, liabilities or rights, and
(b)communications made—
(i)between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
(ii)in connection with or in contemplation of legal proceedings, and
(iii)for the purposes of such proceedings.
(6)In subsection (5)—
(a)references to the client of a professional legal adviser include references to a person acting on behalf of the client, and
(b)references to a communication include—
(i)a copy or other record of the communication, and
(ii)anything enclosed with or referred to in the communication if made as described in subsection (5)(a)(ii) or in subsection (5)(b)(ii) and (iii).
The Commissioner may require a person other than a data subject or a data protection officer to pay a reasonable fee for a service provided to the person, or at the person's request, which the Commissioner is required or authorised to provide under the data protection legislation.
(1)Where a request to the Commissioner from a data subject or a data protection officer is manifestly unfounded or excessive, the Commissioner may—
(a)charge a reasonable fee for dealing with the request, or
(b)refuse to act on the request.
(2)An example of a request that may be excessive is one that merely repeats the substance of previous requests.
(3)In any proceedings where there is an issue as to whether a request described in subsection (1) is manifestly unfounded or excessive, it is for the Commissioner to show that it is.
(4)Subsections (1) and (3) apply only in cases in which the Commissioner does not already have such powers and obligations under Article 57(4) of the [F29UK GDPR].
Textual Amendments
F29Words in s. 135(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 56 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Commissioner must produce and publish guidance about the fees the Commissioner proposes to charge in accordance with—
(a)section 134 or 135, or
(b)Article 57(4) of the [F30UK GDPR].
(2)Before publishing the guidance, the Commissioner must consult the Secretary of State.
Textual Amendments
F30Words in s. 136(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 57 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner.
(2)Regulations under subsection (1) may require a controller to pay a charge regardless of whether the Commissioner has provided, or proposes to provide, a service to the controller.
(3)Regulations under subsection (1) may—
(a)make provision about the time or times at which, or period or periods within which, a charge must be paid;
(b)make provision for cases in which a discounted charge is payable;
(c)make provision for cases in which no charge is payable;
(d)make provision for cases in which a charge which has been paid is to be refunded.
(4)In making regulations under subsection (1), the Secretary of State must have regard to the desirability of securing that the charges payable to the Commissioner under such regulations are sufficient to offset—
(a)expenses incurred by the Commissioner in discharging the Commissioner's functions—
(i)under the data protection legislation,
(ii)under the Data Protection Act 1998,
(iii)under or by virtue of sections 108 and 109 of the Digital Economy Act 2017, and
(iv)under or by virtue of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426),
(b)any expenses of the Secretary of State in respect of the Commissioner so far as attributable to those functions,
(c)to the extent that the Secretary of State considers appropriate, any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and
(d)to the extent that the Secretary of State considers appropriate, expenses incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the Superannuation Act 1972 or section 1 of the Public Service Pensions Act 2013.
(5)The Secretary of State may from time to time require the Commissioner to provide information about the expenses referred to in subsection (4)(a).
(6)The Secretary of State may by regulations make provision—
(a)requiring a controller to provide information to the Commissioner, or
(b)enabling the Commissioner to require a controller to provide information to the Commissioner,
for either or both of the purposes mentioned in subsection (7).
(7)Those purposes are—
(a)determining whether a charge is payable by the controller under regulations under subsection (1);
(b)determining the amount of a charge payable by the controller.
(8)The provision that may be made under subsection (6)(a) includes provision requiring a controller to notify the Commissioner of a change in the controller's circumstances of a kind specified in the regulations.
Commencement Information
I9S. 137 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)Before making regulations under section 137(1) or (6), the Secretary of State must consult such representatives of persons likely to be affected by the regulations as the Secretary of State thinks appropriate (and see also section 182).
(2)The Commissioner—
(a)must keep under review the working of regulations under section 137(1) or (6), and
(b)may from time to time submit proposals to the Secretary of State for amendments to be made to the regulations.
(3)The Secretary of State must review the working of regulations under section 137(1) or (6)—
(a)at the end of the period of 5 years beginning with the making of the first set of regulations under section 108 of the Digital Economy Act 2017, and
(b)at the end of each subsequent 5 year period.
(4)Regulations under section 137(1) are subject to the negative resolution procedure if—
(a)they only make provision increasing a charge for which provision is made by previous regulations under section 137(1) or section 108(1) of the Digital Economy Act 2017, and
(b)they do so to take account of an increase in the retail prices index since the previous regulations were made.
(5)Subject to subsection (4), regulations under section 137(1) or (6) are subject to the affirmative resolution procedure.
(6)In subsection (4), “the retail prices index” means—
(a)the general index of retail prices (for all items) published by the Statistics Board, or
(b)where that index is not published for a month, any substitute index or figures published by the Board.
(7)Regulations under section 137(1) or (6) may not apply to—
(a)Her Majesty in her private capacity,
(b)Her Majesty in right of the Duchy of Lancaster, or
(c)the Duke of Cornwall.
Commencement Information
I10S. 138 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)The Commissioner must—
(a)produce a general report on the carrying out of the Commissioner's functions annually,
(b)arrange for it to be laid before Parliament, and
(c)publish it.
(2)The report must include the annual report required under Article 59 of the [F31UK GDPR].
(3)The Commissioner may produce other reports relating to the carrying out of the Commissioner's functions and arrange for them to be laid before Parliament.
Textual Amendments
F31Words in s. 139(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 58 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
A duty under this Act for the Commissioner to publish a document is a duty for the Commissioner to publish it, or to arrange for it to be published, in such form and manner as the Commissioner considers appropriate.
(1)This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.
(2)The notice may be given to an individual—
(a)by delivering it to the individual,
(b)by sending it to the individual by post addressed to the individual at his or her usual or last-known place of residence or business, or
(c)by leaving it for the individual at that place.
(3)The notice may be given to a body corporate or unincorporate—
(a)by sending it by post to the proper officer of the body at its principal office, or
(b)by addressing it to the proper officer of the body and leaving it at that office.
(4)The notice may be given to a partnership in Scotland—
(a)by sending it by post to the principal office of the partnership, or
(b)by addressing it to that partnership and leaving it at that office.
(5)The notice may be given to the person by other means, including by electronic means, with the person's consent.
(6)In this section—
“principal office”, in relation to a registered company, means its registered office;
“proper officer”, in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs;
“registered company” means a company registered under the enactments relating to companies for the time being in force in the United Kingdom.
(7)This section is without prejudice to any other lawful method of giving a notice.
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: