Data Protection Act 2018

CHAPTER 12

Explanatory Notes have been produced to assist in the
understanding of this Act and are available separately

An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice, and for connected purposes. [23rd May 2018]

BE IT ENACTED by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:

Quick Access

Key Issues

• Fines / Penalties
• Personal Data
• Privacy by Design
• Privacy Impact Assessment
• Processing
• Records of Processing Activities
• Right of Access
• Right to be Forgotten
• Right to be Informed
• Third Countries
• Consent
• Data Protection Officer
• Email Marketing
• Encryption

Table of Contents

Part 1 Preliminary

• Preliminary

Part 2 General Proessing

• Chapter 1 Scope and Definitions
• Chapter 2 The GDPR Meaning of certain terms used in the GDPR
• Chapter 3 Other General Processing

Part 3 Law Enforcement Processing

• Chapter 1 Scope and Definitions
• Chapter 2 Principles
• Chapter 3 Rights of the Data Subject
• Chapter 4 Controller and Processor
• Chapter 5 Transfers of Personal Data to Third Countries
• Chapter 6 Supplementary

Part 4 Intelligence Services Processing

• Chapter 1 Scope and Definitions
• Chapter 2 Principles
• Chapter 3 Rights of the Data Subject
• Chapter 4 Controller and Processor
• Chapter 5 Transfer of Personal Data outsite the United Kingdom
• Chapter 6 Exemptions

Part 5 The Information Commissioner

• The Commissioner

Part 6 Enforcement

• Information notices

Part 7 Supplementary and Final Provision

• Regulations under this Act

Schedule 1 Special Categories of Personal Data and Criminal Convictions Etc Data

• Part 1 Conditions Relating to Employment, Health and Research Etc
• Part 2 Substantial Public Interest Conditions
• Part 3 Additional Conditions Relating to Criminal Convictions Etc
• Part 4 Appropriate Policy Document and Additional Safeguards

Schedule 2 Exemptions Etc from The GDPR

• Part 1 Adaptations and Restrictions Based on Articles 6(3) and 23(1)
• Part 2 Restrictions Based on Article 23(1): Restrictions of Rules in Articles 13 to 21 and 34
• Part 3 Restriction Based on Article 23(1): Protection of Rights of Others
• Part 4 Restrictions Based on Article 23(1): Restrictions of Rules in Articles 13 to 15
• Part 5 Exemptions Etc Based on Article 85(2) for Reasons of Freedom of Expression and Information
• Part 6 Derogations Etc Based on Article 89 for Research, Statistics and Archiving

Schedule 3 Exemptions Etc from The GDPR: Health, Social work, Education and Child Abuse Data

• Part 1 GDPR Provisions to be Restricted
• Part 2 Health Data
• Part 3 Social Work Data
• Part 4 Education Data
• Part 5 Child Abuse Data

Schedule 4 Exemptions Etc from The GDPR: Disclosure Prohibited or Restricted by an Enactment

• GDPR provisions to be restricted: the listed GDPR provisions

Schedule 5 Accreditation of Certification Providers: Reviews and Appeals

• Introduction

Schedule 6 The Applied GDPR and The Applied Chapter 2

• Part 1 Modifications to the GDPR
• Modifications to Chapter 2 of Part 2

Schedule 7 Competent Authorities

• Competent Authorities

Schedule 8 Conditions for Sensitive Processing under Part 3

• Conditions for Sensitive Processing under Part 3

Schedule 9 Conditions for Processing under Part 4

• Conditions for Processing under Part 4

Schedule 10 Conditions for Sensitive Processing under Part 4

• Conditions for Sensitive Processing under Part 4

Schedule 11 Other Exemptions under Part 4

• Other Exemptions under Part 4

Schedule 12 The Information Commissioner

• The Information Commissioner

Schedule 13 Other General Functions of the Commissoner

• Other General Functions of the Commissioner

Schedule 14 CO-OPERATION and Mutual Assistance

• Part 1 Law Enforcement Directive
• Part 2 Data Protection Convention

Schedule 15 Powers of Entry and Inspection

• Powers of Entry and Inspection

Schedule 16 Penalties

• Penalties

Schedule 17 Review of Processing of Personal Data for the Purposes of Journalism

• Review of Processing of Personal Data for the Purposes of Journalism

Schedule 18 Relevant Records

• Relevant Records

Schedule 19 Minor and Consequential Amendments

• Part 1 Amendments of Primary Legislation
• Part 2 Amendments of other Legislation
• Part 3 Modifications
• Part 4 Supplementary

Schedule 20 Transitional Provision Etc

• Part 1 General
• Part 2 Rights of Data Subjects
• Part 3 The GDPR and Part 2 of this Act
• Part 4 Law Enforcement and Intelligence Services Processing
• Part 5 National Security Certificates
• Part 6 The Information Commissioner
• Part 7 Enforcement Etc under The 1998 Act
• Part 8 Enforcement Etc under this Act
• Part 9 Other Enactments