GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

This table sets out extracts from the official version of the GDPR and the original version of the DPA. It does not yet set out the amendments made to the GDPR and the DPA, effective within the UK as from the date of Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419. See the Brexit page for further information regarding Brexit.

Item Reference       Article 14 Link
1 14. Article 14 GDPR 14
2 14. Information to be provided where personal data have not been obtained from the data subject GDPR 14
3 14.1 1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: GDPR 14
4 14.1(a) (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; GDPR 14
5 14.1(b) (b) the contact details of the data protection officer, where applicable; GDPR 14
6 14.1(c) (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; GDPR 14
7 14.1(d) (d) the categories of personal data concerned; GDPR 14
8 14.1(e) (e) the recipients or categories of recipients of the personal data, if any; GDPR 14
9 14.1(f) (f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. GDPR 14
10 14.2 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: GDPR 14
11 14.2(a) (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; GDPR 14
12 14.2(b) (b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; GDPR 14
13 14.2(c) (c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; GDPR 14
14 14.2(d) (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; GDPR 14
15 14.2(e) (e) the right to lodge a complaint with a supervisory authority; GDPR 14
16 14.2(f) (f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; GDPR 14
17 14.2(g) (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. GDPR 14
18 14.3 3. The controller shall provide the information referred to in paragraphs 1 and 2: GDPR 14
19 14.3(a) (a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; GDPR 14
20 14.3(b) (b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or GDPR 14
21 14.3(c) (c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed. GDPR 14
22 14.4 4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. GDPR 14
23 14.5 5. Paragraphs 1 to 4 shall not apply where and insofar as: GDPR 14
24 14.5(a) (a) the data subject already has the information; GDPR 14
25 14.5(b) (b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; GDPR 14
26 14.5(c) (c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or GDPR 14
27 14.5(d) (d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. GDPR 14
Item Reference Articles which affect Article 14 Link
Item Reference       Paragraphs in Schedules to Data Protection Act 2018 which affect Article 14 Link
56 2/1/ Adaptations and restrictions based on Articles 6(3) and 23(1) DPA Sch 2
57 2/1/1 GDPR provisions to be adapted or restricted: "the listed GDPR provisions" DPA Sch 2
58 2/1/2 Crime and taxation: general

"(1) The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes-
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2) Sub-paragraph (3) applies where-
(a) personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b) another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions."
DPA Sch 2
ICO guidance
59 2/1/3 Crime and taxation: risk assessment systems DPA Sch 2
ICO guidance
60 2/1/4 Immigration DPA Sch 2
ICO guidance
61 2/1/5 Information required to be disclosed by law etc or in connection with legal proceedings

"(1) The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
(2) The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3) The listed GDPR provisions do not apply to personal data where disclosure of the data-
(a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure."
DPA Sch 2
ICO guidance
62 2/2/ Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34 DPA Sch 2
63 2/2/6 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 2
64 2/2/7 Functions designed to protect the public etc    
Description of function design: Condition:
1. The function is designed to protect members of the public against- (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or (b) financial loss due to the conduct of discharged or undischarged bankrupts.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
2. The function is designed to protect members of the public against- (a) dishonesty, malpractice or other seriously improper conduct, or (b) unfitness or incompetence.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
3. The function is designed- (a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration, (b) to protect the property of charities or community interest companies from loss or misapplication, or (c) to recover the property of charities or community interest companies.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
4. The function is designed- (a) to secure the health, safety and welfare of persons at work, or (b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.
Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
5. The function is designed to protect members of the public against- (a) maladministration by public bodies, (b) failures in services provided by public bodies, or (c) a failure of a public body to provide a service which it is a function of the body to provide.
Condition: The function is conferred by any enactment on- (a) the Parliamentary Commissioner for Administration, (b) the Commissioner for Local Administration in England, (c) the Health Service Commissioner for England, (d) the Public Services Ombudsman for Wales, (e) the Northern Ireland Public Services Ombudsman, (f) the Prison Ombudsman for Northern Ireland, or (g) the Scottish Public Services Ombudsman.
6. The function is designed- (a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business, (b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or (c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.
Condition: The function is conferred on the Competition and Markets Authority by an enactment.
DPA Sch 2
ICO guidance
65 2/2/8 Audit functions DPA Sch 2
ICO guidance
66 2/2/9 Functions of the Bank of England DPA Sch 2
ICO guidance
67 2/2/10 Regulatory functions relating to legal services, the health service and children's services DPA Sch 2
ICO guidance
68 2/2/11 Regulatory functions of certain other persons    
Person on whom function is conferred: How function is conferred:
1. The Commissioner. By or under- (a) the data protection legislation, (b) the Freedom of Information Act 2000, (c) section 244 of the Investigatory Powers Act 2016, (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), (e) the Environmental Information Regulations 2004 (S.I. 2004/3391), (f) the INSPIRE Regulations 2009 (S.I. 2009/3157), (g) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, (h) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415), (i) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).
2. The Scottish Information Commissioner. By or under- (a) the Freedom of Information (Scotland) Act 2002 (asp 13), (b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520), (c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).
3. The Pensions Ombudsman. By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.
4. The Board of the Pension Protection Fund. By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
5. The Ombudsman for the Board of the Pension Protection Fund. By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
6. The Pensions Regulator. By an enactment.
7. The Financial Conduct Authority. By or under the Financial Services and Markets Act 2000 or by another enactment.
8. The Financial Ombudsman. By or under Part 16 of the Financial Services and Markets Act 2000.
9. The investigator of complaints against the financial regulators. By or under Part 6 of the Financial Services Act 2012.
10. A consumer protection enforcer, other than the Competition and Markets Authority. By or under the CPC Regulation. By or under the Local Government and Housing Act 1989.
11. The monitoring officer of a relevant authority. By or under the Local Government and Housing Act 1989.
12. The monitoring officer of a relevant Welsh authority. By or under the Local Government Act 2000.
13. The Public Services Ombudsman for Wales. By or under the Local Government Act 2000.
14. The Charity Commission. By or under- (a) the Charities Act 1992, (b) the Charities Act 2006, (c) the Charities Act 2011.
DPA Sch 2
ICO guidance
69 2/2/13 Parliamentary privilege DPA Sch 2
ICO guidance
70 2/2/14 Judicial appointments, judicial independence and judicial proceedings DPA Sch 2
ICO guidance
71 2/2/15 Crown honours, dignities and appointments DPA Sch 2
ICO guidance
72 2/4/ Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15 DPA Sch 2
73 2/4/18 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 2
74 2/4/19 Legal professional privilege

"The listed GDPR provisions do not apply to personal data that consists of-
(a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser."
DPA Sch 2
ICO guidance
75 2/4/20 Self incrimination

"(1) A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.
(2) The reference to an offence in sub-paragraph (1) does not include an offence under-
(a) this Act,
(b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
(3) Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act."
DPA Sch 2
ICO guidance
76 2/4/21 Corporate finance DPA Sch 2
ICO guidance
77 2/4/22 Management forecasts

"The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned."
DPA Sch 2
ICO guidance
78 2/4/23 Negotiations

"The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations."
DPA Sch 2
ICO guidance
79 2/4/24 Confidential references

"The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of-
(a) the education, training or employment (or prospective education, training or employment) of the data subject,
(b) the placement (or prospective placement) of the data subject as a volunteer,
(c) the appointment (or prospective appointment) of the data subject to any office, or
(d) the provision (or prospective provision) by the data subject of any service."
DPA Sch 2
ICO guidance
80 2/4/25 Exam scripts and exam marks DPA Sch 2
ICO guidance
81 2/5/ Exemptions etc based on Article 85(2) for reasons of freedom of expression and information DPA Sch 2
82 2/5/26 Journalistic, academic, artistic and literary purposes DPA Sch 2
ICO guidance
83 2/6/ Derogations etc based on Article 89 for research, statistics and archiving DPA Sch 2
84 3// Exemptions etc from the GDPR: health, social work, education and child abuse data DPA Sch 3
85 3/1/ GDPR provisions to be restricted DPA Sch 3
86 3/2/ Health data DPA Sch 3
87 3/2/2 Definitions DPA Sch 3
88 3/2/3 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
89 3/2/4 Exemption from the listed GDPR provisions: data subject's expectations and wishes DPA Sch 3
ICO guidance
90 3/3/ Social work data DPA Sch 3
91 3/3/7 Definitions DPA Sch 3
92 3/3/9 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
93 3/3/10 Exemption from the listed GDPR provisions: data subject's expectations and wishes DPA Sch 3
ICO guidance
94 3/4/ Education data DPA Sch 3
95 3/4/13 Educational records DPA Sch 3
96 3/4/17 Other definitions DPA Sch 3
97 3/4/18 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
Item Reference Sections of the Data Protection Act 2018 which affect Article 14 Link
98 s. 15 Restrictions on data subject's rights DPA s.15
99 s. 15 Exemptions etc
(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.
DPA s.15
100 s. 19 Processing for archiving, research and statistical purposes: safeguards
(1) This section makes provision about—
(a) processing of personal data that is necessary for archiving purposes in the public interest,
(b) processing of personal data that is necessary for scientific or historical research purposes, and
(c) processing of personal data that is necessary for statistical purposes.
(2) Such processing does not satisfy the requirement in Article 89(1) of the GDPR for the processing to be subject to appropriate safeguards for the rights and freedoms of the data subject if it is likely to cause substantial damage or substantial distress to a data subject.
(3) Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.
DPA s.19
Item Reference       GDPR Recitals which affect Article 14
101 Recital 60 (60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
102 Recital 61 (61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
103 Recital 62 (62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
104 Recital 73 (73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Item Reference       Related Guidance which affects Article 14
105 Article 29 Working Party Guidelines on transparency Guidance
106 ICO guidance on Data minimisation Guidance
107 ICO guidance on Storage limitation Guidance
108 ICO guidance on Individual rights Guidance
109 ICO guidance on Right to be informed Guidance
110 ICO guidance on Right to be informed - more detailed Guidance
111 ICO guidance on Exemptions Guidance