- Latest available (Revised)
- Point in Time (31/12/2020)
- Original (As enacted)
Data Protection Act 2018
You are here:
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
Opening Options
Changes over time for: PART 1
Version Superseded: 31/01/2022
Alternative versions:
- 25/05/2018- Amendment
- 31/12/2020- Amendment
- 31/12/2020
Point in time - 31/01/2022- Amendment
- 08/03/2024- Amendment
Status:
Point in time view as at 31/12/2020.
Changes to legislation:
Data Protection Act 2018, PART 1 is up to date with all changes known to be in force on or before 27 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes to Legislation
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
PART 1U.K.Adaptations and restrictions [F1as described in] Articles 6(3) and 23(1)
Textual Amendments
F1Words in Sch. 2 Pt. 1 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
[F2UK GDPR] provisions to be adapted or restricted: “the listed GDPR provisions”U.K.
Textual Amendments
F2Words in Sch. 2 para. 1 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
1U.K.In this Part of this Schedule, “the listed GDPR provisions” means—
(a)the following provisions of the [F3UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F3UK GDPR])—
(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(iv)Article 16 (right to rectification);
(v)Article 17(1) and (2) (right to erasure);
(vi)Article 18(1) (restriction of processing);
(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(viii)Article 20(1) and (2) (right to data portability);
(ix)Article 21(1) (objections to processing);
(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and
(b)the following provisions of the [F4UK GDPR] (the application of which may be adapted by virtue of Article 6(3) of the [F4UK GDPR])—
(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;
(ii)Article 5(1)(b) (purpose limitation).
Textual Amendments
F3Words in Sch. 2 para. 1(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Words in Sch. 2 para. 1(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Crime and taxation: generalU.K.
2(1)The listed GDPR provisions and Article 34(1) and (4) of the [F5UK GDPR] (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—U.K.
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
(c)the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2)Sub-paragraph (3) applies where—
(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.
(3)Controller 2 is exempt from the obligations in the following provisions of the [F6UK GDPR]—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).
Textual Amendments
F5Words in Sch. 2 para. 2(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in Sch. 2 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Crime and taxation: risk assessment systemsU.K.
3(1)The [F7UK GDPR] provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.U.K.
(2)A risk assessment system falls within this sub-paragraph if—
(a)it is operated by a government department, a local authority or another authority administering housing benefit, and
(b)it is operated for the purposes of—
(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or
(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.
(3)The [F8UK GDPR] provisions referred to in sub-paragraph (1) are the following provisions of the [F8UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F8UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).
Textual Amendments
F7Words in Sch. 2 para. 3(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in Sch. 2 para. 3(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
ImmigrationU.K.
4(1)The [F9UK GDPR] provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—U.K.
(a)the maintenance of effective immigration control, or
(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
(2)The [F10UK GDPR] provisions referred to in sub-paragraph (1) are the following provisions of the [F10UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F10UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 17(1) and (2) (right to erasure);
(e)Article 18(1) (restriction of processing);
(f)Article 21(1) (objections to processing);
(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).
(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)
(3)Sub-paragraph (4) applies where—
(a)personal data is processed by a person (“Controller 1”), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for any of the purposes mentioned in sub-paragraph (1)(a) and (b) and processes it for any of those purposes.
(4)Controller 1 is exempt from the obligations in the following provisions of the [F11UK GDPR]—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).
Textual Amendments
F9Words in Sch. 2 para. 4(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in Sch. 2 para. 4(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in Sch. 2 para. 4(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Information required to be disclosed by law etc or in connection with legal proceedingsU.K.
5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.U.K.
(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—
(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure.
Options/Help
Print Options
PrintThe Whole Act
PrintThe Whole Schedule
PrintThis Part only
You have chosen to open The Whole Act
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
You have chosen to open The Whole Act as a PDF
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
You have chosen to open the Whole Act
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
You have chosen to open the Whole Act without Schedules
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
You have chosen to open Schedules only
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
Explanatory Notes
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as enacted version that was used for the print copy
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as enacted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.