GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using, among other things, the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

This table sets out extracts from the official version of the GDPR and the original version of the DPA. It does not yet set out the amendments made to the GDPR and the DPA, effective within the UK as from the date of Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419. See the Brexit page for further information regarding Brexit.

Item Reference       Article 13 Link
1 13. Article 13 GDPR 13
2 13. Information to be provided where personal data are collected from the data subject GDPR 13
3 13.1 1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: GDPR 13
4 13.1(a) (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; GDPR 13
5 13.1(b) (b) the contact details of the data protection officer, where applicable; GDPR 13
6 13.1(c) (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; GDPR 13
7 13.1(d) (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; GDPR 13
8 13.1(e) (e) the recipients or categories of recipients of the personal data, if any; GDPR 13
9 13.1(f) (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available. GDPR 13
10 13.2 2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: GDPR 13
11 13.2(a) (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; GDPR 13
12 13.2(b) (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; GDPR 13
13 13.2(c) (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; GDPR 13
14 13.2(d) (d) the right to lodge a complaint with a supervisory authority; GDPR 13
15 13.2(e) (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; GDPR 13
16 13.2(f) (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. GDPR 13
17 13.3 3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. GDPR 13
18 13.4 4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information. GDPR 13
Item Reference Articles which affect Article 13 Link
Item Reference       Paragraphs in Schedules to Data Protection Act 2018 which affect Article 13 Link
47 2/1/ Adaptations and restrictions based on Articles 6(3) and 23(1) DPA Sch 2
48 2/1/1 GDPR provisions to be adapted or restricted: "the listed GDPR provisions" DPA Sch 2
49 2/1/2 Crime and taxation: general

"(1) The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes-
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2) Sub-paragraph (3) applies where-
(a) personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b) another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions."
DPA Sch 2
ICO guidance
50 2/1/3 Crime and taxation: risk assessment systems DPA Sch 2
ICO guidance
51 2/1/4 Immigration DPA Sch 2
ICO guidance
52 2/1/5 Information required to be disclosed by law etc or in connection with legal proceedings

"(1) The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
(2) The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3) The listed GDPR provisions do not apply to personal data where disclosure of the data-
(a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure."
DPA Sch 2
ICO guidance
53 2/2/ Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34 DPA Sch 2
54 2/2/6 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 2
55 2/2/7 Functions designed to protect the public etc    
1. Description of function design: The function is designed to protect members of the public against- (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or (b) financial loss due to the conduct of discharged or undischarged bankrupts.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
2. Description of function design: The function is designed to protect members of the public against- (a) dishonesty, malpractice or other seriously improper conduct, or (b) unfitness or incompetence.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
3. Description of function design: The function is designed- (a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration, (b) to protect the property of charities or community interest companies from loss or misapplication, or (c) to recover the property of charities or community interest companies.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
4. Description of function design: The function is designed- (a) to secure the health, safety and welfare of persons at work, or (b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
5. Description of function design: The function is designed to protect members of the public against- (a) maladministration by public bodies, (b) failures in services provided by public bodies, or (c) a failure of a public body to provide a service which it is a function of the body to provide.
Condition: The function is conferred by any enactment on- (a) the Parliamentary Commissioner for Administration, (b) the Commissioner for Local Administration in England, (c) the Health Service Commissioner for England, (d) the Public Services Ombudsman for Wales, (e) the Northern Ireland Public Services Ombudsman, (f) the Prison Ombudsman for Northern Ireland, or (g) the Scottish Public Services Ombudsman.
6. Description of function design: The function is designed- (a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business, (b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or (c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.
Condition: The function is conferred on the Competition and Markets Authority by an enactment.
DPA Sch 2
ICO guidance
56 2/2/8 Audit functions DPA Sch 2
ICO guidance
57 2/2/9 Functions of the Bank of England DPA Sch 2
ICO guidance
58 2/2/10 Regulatory functions relating to legal services, the health service and children's services DPA Sch 2
ICO guidance
59 2/2/11 Regulatory functions of certain other persons    
Person on whom function is conferred: How function is conferred:
1. The Commissioner. By or under- (a) the data protection legislation, (b) the Freedom of Information Act 2000, (c) section 244 of the Investigatory Powers Act 2016, (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), (e) the Environmental Information Regulations 2004 (S.I. 2004/3391), (f) the INSPIRE Regulations 2009 (S.I. 2009/3157), (g) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, (h) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415), (i) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).
2. The Scottish Information Commissioner. By or under- (a) the Freedom of Information (Scotland) Act 2002 (asp 13), (b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520), (c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).
3. The Pensions Ombudsman. By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.
4. The Board of the Pension Protection Fund. By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
5. The Ombudsman for the Board of the Pension Protection Fund. By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
6. The Pensions Regulator. By an enactment.
7. The Financial Conduct Authority. By or under the Financial Services and Markets Act 2000 or by another enactment.
8. The Financial Ombudsman. By or under Part 16 of the Financial Services and Markets Act 2000.
9. The investigator of complaints against the financial regulators. By or under Part 6 of the Financial Services Act 2012.
10. A consumer protection enforcer, other than the Competition and Markets Authority. By or under the CPC Regulation. By or under the Local Government and Housing Act 1989.
11. The monitoring officer of a relevant authority. By or under the Local Government and Housing Act 1989.
12. The monitoring officer of a relevant Welsh authority. By or under the Local Government Act 2000.
13. The Public Services Ombudsman for Wales. By or under the Local Government Act 2000.
14. The Charity Commission. By or under- (a) the Charities Act 1992, (b) the Charities Act 2006, (c) the Charities Act 2011.
DPA Sch 2
ICO guidance
60 2/2/13 Parliamentary privilege DPA Sch 2
ICO guidance
61 2/2/14 Judicial appointments, judicial independence and judicial proceedings DPA Sch 2
ICO guidance
62 2/2/15 Crown honours, dignities and appointments DPA Sch 2
ICO guidance
63 2/4/ Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15 DPA Sch 2
64 2/4/18 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 2
65 2/4/19 Legal professional privilege

"The listed GDPR provisions do not apply to personal data that consists of-
(a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser."
DPA Sch 2
ICO guidance
66 2/4/20 Self incrimination

"(1) A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.
(2) The reference to an offence in sub-paragraph (1) does not include an offence under-
(a) this Act,
(b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
(3) Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act."
DPA Sch 2
ICO guidance
67 2/4/21 Corporate finance DPA Sch 2
ICO guidance
68 2/4/22 Management forecasts

"The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned."
DPA Sch 2
ICO guidance
69 2/4/23 Negotiations

"The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations."
DPA Sch 2
ICO guidance
70 2/4/24 Confidential references

"The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of-
(a) the education, training or employment (or prospective education, training or employment) of the data subject,
(b) the placement (or prospective placement) of the data subject as a volunteer,
(c) the appointment (or prospective appointment) of the data subject to any office, or
(d) the provision (or prospective provision) by the data subject of any service."
DPA Sch 2
ICO guidance
71 2/4/25 Exam scripts and exam marks DPA Sch 2
ICO guidance
72 2/5/ Exemptions etc based on Article 85(2) for reasons of freedom of expression and information DPA Sch 2
73 2/5/26 Journalistic, academic, artistic and literary purposes DPA Sch 2
ICO guidance
74 2/6/ Derogations etc based on Article 89 for research, statistics and archiving DPA Sch 2
75 3// Exemptions etc from the GDPR: health, social work, education and child abuse data DPA Sch 3
76 3/1/ GDPR provisions to be restricted DPA Sch 3
77 3/2/ Health data DPA Sch 3
78 3/2/2 Definitions DPA Sch 3
79 3/2/3 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
80 3/2/4 Exemption from the listed GDPR provisions: data subject's expectations and wishes DPA Sch 3
ICO guidance
81 3/3/ Social work data DPA Sch 3
82 3/3/7 Definitions DPA Sch 3
83 3/3/9 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
84 3/3/10 Exemption from the listed GDPR provisions: data subject's expectations and wishes DPA Sch 3
ICO guidance
85 3/4/ Education data DPA Sch 3
86 3/4/13 Educational records DPA Sch 3
87 3/4/17 Other definitions DPA Sch 3
88 3/4/18 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
Item Reference Sections of the Data Protection Act 2018 which affect Article 13 Link
89 s. 15 Restrictions on data subject's rights DPA s.15
90 s. 15 Exemptions etc
(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.
DPA s.15
Item Reference       GDPR Recitals which affect Article 13
91 Recital 60 (60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
92 Recital 61 (61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
93 Recital 62 (62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
94 Recital 73 (73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Item Reference       Related Guidance which affects Article 13
95 Article 29 Working Party Guidelines on transparency Guidance
96 ICO guidance on Data minimisation Guidance
97 ICO guidance on Storage limitation Guidance
98 ICO guidance on Individual rights Guidance
99 ICO guidance on Right to be informed Guidance
100 ICO guidance on Right to be informed - more detailed Guidance
101 ICO guidance on Exemptions Guidance