Click here for a brief summary of the Data Protection Act 2018.

Here is an example of how this website can be used:

Suppose you are a lawyer who receives a Subject Access Request from the opposing party in a case. You know that the GDPR sets out grounds on which you can decline to respond. You also know that the Data Protection Act sets out additional grounds on which you can decline to respond. You are aware that those additional grounds are set out somewhere in the Data Protection Act, but you are not sure where those additional grounds are listed.

You could begin by searching for "access". You will then see that Subject Access Requests are dealt with in Article 15 of GDPR. You then click on the "GDPR" link in the right-hand column. You will see, in the following order:

  1. Article 15 itself. This includes one ground for declining to respond in Article 15(4), namely that the right to obtain a copy of the personal data shall not adversely affect the rights and freedoms of others.
  2. The definitions of defined terms which are used in Article 15, including 'personal data', 'data subject', and 'controller'.
  3. Article 12, which sets out the manner in which you must respond, including the requirement to respond (usually) within one month.
  4. A list of headings of paragraphs in Schedule 2 of the Data Protection Act. These refer to "restrictions" from the GDPR, as "listed GDPR provisions". One of the paragraph headings is "Legal professional privilege", which is relevant to your research. Short paragraphs in the Schedules, including this paragraph, are quoted in full.
  5. Sections of the Data Protection Act, including section 15 which provides that exemptions from the GDPR are set out in Schedule 2 of the Act.
  6. A heading row for relevant Recitals from the GDPR. By default the Recitals are not displayed. Click on "Show/hide" to display the relevant Recitals.
  7. A list of guidance from the ICO and the EDPB related to Article 15.

You then click on the "DPA" link in the right-hand column, to refer to the exact language of this restriction, at The page you will then see states at paragraph 18 that in this instance the "listed GDPR provisions" include Articles 15(1) to (3), which contain the requirement to respond to a Subject Access Request.

Search words will only be detected in the legislation if the exact expression is contained in the legislation. For example, the legislation does not use the exact expression "subject access request" - instead try "access". For "journalism", try "journal". For "policy", try "polic" (as this will include policies).

Shortcuts to common searches are provided.

If you want to look at a GDPR Article with highlighting for a particular sector, e.g. law, choose the sector at the foot of the Search page before clicking on the Article heading.

There are minor differences in the definitions of defined terms used in the Data Protection Act 2018: see section 3 and section 6.
