GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

This table sets out extracts from the official version of the GDPR and the original version of the DPA. It does not yet set out the amendments made to the GDPR and the DPA, effective within the UK as from the date of Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419. See the Brexit page for further information regarding Brexit.

Item Reference       Article 6 Link
1 6. Article 6 GDPR 6
2 6. Lawfulness of processing GDPR 6
3 6.1 1. Processing shall be lawful only if and to the extent that at least one of the following applies: GDPR 6
4 6.1(a) (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; GDPR 6
5 6.1(b) (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; GDPR 6
6 6.1(c) (c) processing is necessary for compliance with a legal obligation to which the controller is subject; GDPR 6
7 6.1(d) (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; GDPR 6
8 6.1(e) (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; GDPR 6
9 6.1(f) (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. GDPR 6
10 6.1 Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. GDPR 6
11 6.2 2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX. GDPR 6
12 6.3 3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: GDPR 6
13 6.(a) (a) Union law; or GDPR 6
14 6.3(b) (b) Member State law to which the controller is subject. GDPR 6
15 6.3 The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued. GDPR 6
16 6.4 4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: GDPR 6
17 6.4(a) (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; GDPR 6
18 6.4(b) (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; GDPR 6
19 6.4(c) (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; GDPR 6
20 6.4(d) (d) the possible consequences of the intended further processing for data subjects; GDPR 6
21 6.4(e) (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation. GDPR 6
Item Reference Articles which affect Article 6 Link
Item Reference       Definitions from published guidance which affect Article 6 Link
44 ICO "When is processing 'necessary'?
Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.
It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods."
Guidance
Item Reference       Paragraphs in Schedules to Data Protection Act 2018 which affect Article 6 Link
45 2/1/ Adaptations and restrictions based on Articles 6(3) and 23(1) DPA Sch 2
46 2/1/1 GDPR provisions to be adapted or restricted: "the listed GDPR provisions" DPA Sch 2
47 2/1/2 Crime and taxation: general

"(1) The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes-
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2) Sub-paragraph (3) applies where-
(a) personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b) another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions."
DPA Sch 2
ICO guidance
48 2/1/3 Crime and taxation: risk assessment systems DPA Sch 2
ICO guidance
49 2/1/4 Immigration DPA Sch 2
ICO guidance
50 2/1/5 Information required to be disclosed by law etc or in connection with legal proceedings

"(1) The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
(2) The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3) The listed GDPR provisions do not apply to personal data where disclosure of the data-
(a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure."
DPA Sch 2
ICO guidance
51 2/5/ Exemptions etc based on Article 85(2) for reasons of freedom of expression and information DPA Sch 2
52 2/5/26 Journalistic, academic, artistic and literary purposes DPA Sch 2
ICO guidance
Item Reference Sections of the Data Protection Act 2018 which affect Article 6 Link
53 s. 8 Lawfulness of processing DPA s.8
54 s. 8 Lawfulness of processing: public interest etc
In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for—
(a) the administration of justice,
(b) the exercise of a function of either House of Parliament,
(c) the exercise of a function conferred on a person by an enactment or rule of law,
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or
(e) an activity that supports or promotes democratic engagement.
DPA s.8
55 s. 15 Restrictions on data subject's rights DPA s.15
56 s. 15 Exemptions etc
(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.
DPA s.15
Item Reference       GDPR Recitals which affect Article 6
57 Recital 40 (40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
58 Recital 41 (41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.
59 Recital 42 (42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (10) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
60 Recital 43 (43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
61 Recital 44 (44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
62 Recital 45 (45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.
63 Recital 46 (46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
64 Recital 47 (47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
65 Recital 48 (48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
66 Recital 49 (49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
67 Recital 50 (50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.
Item Reference       Related Guidance which affects Article 6
68 ICO guidance on consent under GDPR Guidance
69 Article 29 Working Party Guidelines on consent Guidance
70 ICO guidance on Lawfulness, fairness and transparency Guidance
71 ICO guidance on Purpose limitation Guidance
72 ICO guidance on Contract Guidance
73 ICO guidance on Legal obligation Guidance
74 ICO guidance on Vital interests Guidance
75 ICO guidance on Public task Guidance
76 ICO guidance on Legitimate interests Guidance
Disclaimer - Copyright - Privacy policy