GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

This table sets out extracts from the official version of the GDPR and the original version of the DPA. It does not yet set out the amendments made to the GDPR and the DPA, effective within the UK as from the date of Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419. See the Brexit page for further information regarding Brexit.

Item Reference Article 5 Link
1 5. Article 5 GDPR 5
2 5. Principles relating to processing of personal data GDPR 5
3 5.1 1. Personal data shall be: GDPR 5
4 5.1(a) (a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); GDPR 5
5 5.1(b) (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation') GDPR 5
6 5.1(c) (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); GDPR 5
7 5.1(d) (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); GDPR 5
8 5.1(e) (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation'); GDPR 5
9 5.1(f) (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). GDPR 5
10 5.2 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). GDPR 5
Item Reference Articles which affect Article 5 Link
Item Reference Definitions from published guidance which affect Article 5 Link
14 ICO "When is processing 'necessary'?
Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.
It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods."
Guidance
Item Reference Paragraphs in Schedules to Data Protection Act 2018 which affect Article 5 Link
15 2/1/ Adaptations and restrictions based on Articles 6(3) and 23(1) DPA Sch 2
16 2/1/1 GDPR provisions to be adapted or restricted: "the listed GDPR provisions" DPA Sch 2
17 2/1/2 Crime and taxation: general

"(1) The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes-
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2) Sub-paragraph (3) applies where-
(a) personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b) another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions."
DPA Sch 2
ICO guidance
18 2/1/3 Crime and taxation: risk assessment systems DPA Sch 2
ICO guidance
19 2/1/4 Immigration DPA Sch 2
ICO guidance
20 2/1/5 Information required to be disclosed by law etc or in connection with legal proceedings

"(1) The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
(2) The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3) The listed GDPR provisions do not apply to personal data where disclosure of the data-
(a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure."
DPA Sch 2
ICO guidance
21 2/2/ Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34 DPA Sch 2
22 2/2/6 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 2
23 2/2/7 Functions designed to protect the public etc
Description of function design / Condition:
1. Description: The function is designed to protect members of the public against- (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or (b) financial loss due to the conduct of discharged or undischarged bankrupts. Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
2. Description: The function is designed to protect members of the public against- (a) dishonesty, malpractice or other seriously improper conduct, or (b) unfitness or incompetence. Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
3. Description: The function is designed- (a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration, (b) to protect the property of charities or community interest companies from loss or misapplication, or (c) to recover the property of charities or community interest companies. Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
4. Description: The function is designed- (a) to secure the health, safety and welfare of persons at work, or (b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work. Condition: The function is- (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest.
5. Description: The function is designed to protect members of the public against- (a) maladministration by public bodies, (b) failures in services provided by public bodies, or (c) a failure of a public body to provide a service which it is a function of the body to provide. Condition: The function is conferred by any enactment on- (a) the Parliamentary Commissioner for Administration, (b) the Commissioner for Local Administration in England, (c) the Health Service Commissioner for England, (d) the Public Services Ombudsman for Wales, (e) the Northern Ireland Public Services Ombudsman, (f) the Prison Ombudsman for Northern Ireland, or (g) the Scottish Public Services Ombudsman.
6. Description: The function is designed- (a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business, (b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or (c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market. Condition: The function is conferred on the Competition and Markets Authority by an enactment.
DPA Sch 2
ICO guidance
24 2/2/8 Audit functions DPA Sch 2
ICO guidance
25 2/2/9 Functions of the Bank of England DPA Sch 2
ICO guidance
26 2/2/10 Regulatory functions relating to legal services, the health service and children's services DPA Sch 2
ICO guidance
27 2/2/11 Regulatory functions of certain other persons
Person on whom function is conferred / How function is conferred:
1. The Commissioner. By or under- (a) the data protection legislation, (b) the Freedom of Information Act 2000, (c) section 244 of the Investigatory Powers Act 2016, (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), (e) the Environmental Information Regulations 2004 (S.I. 2004/3391), (f) the INSPIRE Regulations 2009 (S.I. 2009/3157), (g) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, (h) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415), (i) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).
2. The Scottish Information Commissioner. By or under- (a) the Freedom of Information (Scotland) Act 2002 (asp 13), (b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520), (c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).
3. The Pensions Ombudsman. By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.
4. The Board of the Pension Protection Fund. By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
5. The Ombudsman for the Board of the Pension Protection Fund. By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
6. The Pensions Regulator. By an enactment.
7. The Financial Conduct Authority. By or under the Financial Services and Markets Act 2000 or by another enactment.
8. The Financial Ombudsman. By or under Part 16 of the Financial Services and Markets Act 2000.
9. The investigator of complaints against the financial regulators. By or under Part 6 of the Financial Services Act 2012.
10. A consumer protection enforcer, other than the Competition and Markets Authority. By or under the CPC Regulation.
11. The monitoring officer of a relevant authority. By or under the Local Government and Housing Act 1989.
12. The monitoring officer of a relevant Welsh authority. By or under the Local Government Act 2000.
13. The Public Services Ombudsman for Wales. By or under the Local Government Act 2000.
14. The Charity Commission. By or under- (a) the Charities Act 1992, (b) the Charities Act 2006, (c) the Charities Act 2011.
DPA Sch 2
ICO guidance
28 2/2/13 Parliamentary privilege DPA Sch 2
ICO guidance
29 2/2/14 Judicial appointments, judicial independence and judicial proceedings DPA Sch 2
ICO guidance
30 2/2/15 Crown honours, dignities and appointments DPA Sch 2
ICO guidance
31 2/3/ Restriction based on Article 23(1): protection of rights of others DPA Sch 2
32 2/3/16 Protection of the rights of others: general

"(1) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.
(2) Sub-paragraph (1) does not remove the controller’s obligation where-
(a) the other individual has consented to the disclosure of the information to the data subject, or
(b) it is reasonable to disclose the information to the data subject without the consent of the other individual.
(3) In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including-
(a) the type of information that would be disclosed,
(b) any duty of confidentiality owed to the other individual,
(c) any steps taken by the controller with a view to seeking the consent of the other individual,
(d) whether the other individual is capable of giving consent, and
(e) any express refusal of consent by the other individual.
(4) For the purposes of this paragraph-
(a) "information relating to another individual" includes information identifying the other individual as the source of information,
(b) an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from-
(i) that information, or
(ii) that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain."
DPA Sch 2
ICO guidance
33 2/3/17 Assumption of reasonableness for health workers, social workers and education workers

"For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where:...[more]"
DPA Sch 2
ICO guidance
34 2/4/ Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15 DPA Sch 2
35 2/4/18 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 2
36 2/4/19 Legal professional privilege

"The listed GDPR provisions do not apply to personal data that consists of-
(a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser."
DPA Sch 2
ICO guidance
37 2/4/20 Self incrimination

"(1) A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.
(2) The reference to an offence in sub-paragraph (1) does not include an offence under-
(a) this Act,
(b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
(3) Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act."
DPA Sch 2
ICO guidance
38 2/4/21 Corporate finance DPA Sch 2
ICO guidance
39 2/4/22 Management forecasts

"The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned."
DPA Sch 2
ICO guidance
40 2/4/23 Negotiations

"The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations."
DPA Sch 2
ICO guidance
41 2/4/24 Confidential references

"The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of-
(a) the education, training or employment (or prospective education, training or employment) of the data subject,
(b) the placement (or prospective placement) of the data subject as a volunteer,
(c) the appointment (or prospective appointment) of the data subject to any office, or
(d) the provision (or prospective provision) by the data subject of any service."
DPA Sch 2
ICO guidance
42 2/4/25 Exam scripts and exam marks DPA Sch 2
ICO guidance
43 2/5/ Exemptions etc based on Article 85(2) for reasons of freedom of expression and information DPA Sch 2
44 2/5/26 Journalistic, academic, artistic and literary purposes DPA Sch 2
ICO guidance
45 3// Exemptions etc from the GDPR: health, social work, education and child abuse data DPA Sch 3
46 3/1/ GDPR provisions to be restricted DPA Sch 3
47 3/2/ Health data DPA Sch 3
48 3/2/2 Definitions DPA Sch 3
49 3/2/3 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
50 3/2/4 Exemption from the listed GDPR provisions: data subject's expectations and wishes DPA Sch 3
ICO guidance
51 3/3/ Social work data DPA Sch 3
52 3/3/7 Definitions DPA Sch 3
53 3/3/9 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
54 3/3/10 Exemption from the listed GDPR provisions: data subject's expectations and wishes DPA Sch 3
ICO guidance
55 3/4/ Education data DPA Sch 3
56 3/4/13 Educational records DPA Sch 3
57 3/4/17 Other definitions DPA Sch 3
58 3/4/18 Exemption from the listed GDPR provisions: data processed by a court DPA Sch 3
ICO guidance
59 4// Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment DPA Sch 4
60 4//1 GDPR provisions to be restricted: "the listed GDPR provisions" DPA Sch 4
61 4//2 Human fertilisation and embryology information DPA Sch 4
ICO guidance
62 4//3 Adoption records and reports DPA Sch 4
ICO guidance
63 4//4 Statements of special educational needs DPA Sch 4
ICO guidance
64 4//5 Parental order records and reports DPA Sch 4
ICO guidance
65 4//6 Information provided by Principal Reporter for children's hearing DPA Sch 4
ICO guidance
Item Reference Sections of the Data Protection Act 2018 which affect Article 5 Link
66 s. 15 Restrictions on data subject's rights DPA s.15
67 s. 15 Exemptions etc
(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.
DPA s.15
Item Reference GDPR Recitals which affect Article 5
68 Recital 28 (28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.
69 Recital 39 (39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
Item Reference Related Guidance which affects Article 5
70 ICO guidance on Principles Guidance
71 ICO guidance on Lawfulness, fairness and transparency Guidance
72 ICO guidance on Purpose limitation Guidance
73 ICO guidance on Data minimisation Guidance
74 ICO guidance on Accuracy Guidance
75 ICO guidance on Storage limitation Guidance
76 ICO guidance on Integrity and confidentiality (security) Guidance
77 ICO guidance on Accountability principle Guidance
78 ICO guidance on Accountability and governance Guidance
79 ICO guidance on Exemptions Guidance