BifröstIndex

United Kingdom — Scope & Applicability

6 sections · Last updated 2026-06-04

UK GDPR territorial scope — Article 3 establishment and extraterritorial application

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The UK General Data Protection Regulation (UK GDPR) — Regulation (EU) 2016/679 as retained and amended in UK law following Brexit — applies across three distinct territorial bases set out in Article 3. The Information Commissioner's Office (ICO) is the UK supervisory authority responsible for enforcement.

Article 3(1): Establishment in the United Kingdom

The UK GDPR applies to processing of personal data "in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not." This is the primary basis of jurisdiction and does not require the processing itself to occur on UK soil.

"Establishment" is defined deliberately broadly. Section 207(7) of the Data Protection Act 2018 clarifies that an establishment in the United Kingdom includes: (a) an individual ordinarily resident in the UK; (b) a body incorporated under UK law; (c) a partnership or unincorporated association formed under UK law; and (d) any person not covered by (a)–(c) who "maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom."

The ICO has confirmed that an establishment need not be a registered office nor part of the same legal entity. A branch, subsidiary, or even a single employee or agent stationed in the UK can constitute an establishment if it amounts to a "stable arrangement." An employee temporarily traveling on business does not qualify. The critical question is whether there is a real and effective exercise of activity through stable arrangements in the UK.

Article 3(2): Extraterritorial application — targeting and monitoring

For controllers or processors not established in the UK, the UK GDPR applies to the processing of personal data of data subjects who are in the United Kingdom when the processing takes place, where the processing activities are related to:

(a) Offering goods or services (whether or not for payment) to such data subjects in the United Kingdom; or (b) Monitoring the behaviour of data subjects in the United Kingdom.

The offering limb requires intentional targeting of UK data subjects. The ICO has emphasized that mere accessibility of a website in the UK is insufficient; there must be affirmative evidence of targeting — such as UK-specific pricing, a .co.uk domain, references to UK locations, payment in GBP, or UK-specific marketing. A foreign company incidentally serving a UK customer does not automatically fall within scope.

The monitoring limb applies regardless of intent. The ICO has stated that "you can monitor the behaviour of people in [the UK] unintentionally and still fall within the UK GDPR's scope." In Clearview AI Inc v Information Commissioner [2023], the First-tier Tribunal (General Regulatory Chamber) accepted that Article 3(2)(b) can reach a US company with no UK presence where its facial-recognition service processes data of UK data subjects and "relates to the monitoring of data subjects' behaviour in the UK as far as their behaviour takes place in the UK." The Tribunal nonetheless set the ICO's enforcement and penalty notices aside on a different ground, holding that processing carried out for foreign law-enforcement clients fell outside the UK GDPR's material scope rather than failing the Article 3(2)(b) test; the ICO appealed that jurisdictional finding to the Upper Tribunal, which reversed it in 2025.

Article 3(3): Public international law

Article 3(3) UK GDPR applies the regulation to processing by a controller not established in the United Kingdom "but in a place where domestic law applies by virtue of public international law" — for example, UK diplomatic missions abroad.

Relationship to the Data Protection Act 2018

Section 207 DPA 2018 sets out the territorial application of the Act itself (as distinct from Article 3 UK GDPR). Subsection (1A) provides that the Act applies to processing to which Part 2 (general processing, which supplements the UK GDPR) applies by virtue of Article 3 UK GDPR. Subsection (2) then covers processing to which Part 2 does not apply by virtue of Article 3: the Act still applies to such processing where it is carried out "in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom."

Geographic extent

The UK GDPR extends to England, Wales, Scotland, and Northern Ireland. It does not include Crown Dependencies (Jersey, Guernsey, Isle of Man) or British Overseas Territories (e.g., Gibraltar, Bermuda, Cayman Islands), each of which maintains its own data-protection law. The ICO has confirmed that these jurisdictions are separate for scope purposes.

Post-Brexit divergence from EU GDPR

The UK GDPR mirrors EU GDPR Article 3 in structure, with the key textual change being substitution of "the United Kingdom" for "the Union." The ICO has acknowledged that tribunal and CJEU case law on the EU provision remains relevant: CJEU judgments handed down before the end of the transition period (31 December 2020) remain part of UK law and continue to apply unless a UK court departs from them, while later CJEU decisions do not bind UK courts or the ICO, although they may still be considered. The Data (Use and Access) Act 2025 introduced amendments to the UK GDPR but did not alter Article 3's core territorial rules.

Source: Regulation (EU) 2016/679 Article 3 (UK GDPR)
Source: Data Protection Act 2018, Section 207 (Territorial application)
Source: ICO, Territorial scope fundamentals (PDF)


UK GDPR material scope — Article 2 exclusions (household, law enforcement, intelligence services)

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The UK General Data Protection Regulation applies only to processing that falls within its material scope under Article 2. Three categories of processing are explicitly excluded from UK GDPR coverage — household activities, law enforcement processing, and intelligence services processing — and are instead either unregulated or governed by separate regimes under the Data Protection Act 2018. Material-scope exclusions operate as an absolute bar: processing that falls outside Article 2 is not subject to UK GDPR at all, unlike exemptions (which relieve specific obligations while the regulation still applies in principle).

Article 2(2)(a): Purely personal or household activity

The UK GDPR does not apply to "processing of personal data by an individual in the course of a purely personal or household activity." This mirrors the EU GDPR household exception. Section 21(3) of the Data Protection Act 2018 reinforces the carve-out, stating that Chapter 3 of Part 2 (which applies UK GDPR to certain other processing) does not apply to household processing.

The Information Commissioner's Office has confirmed that the exemption covers "writing to friends and family or taking pictures for your own enjoyment" — activities with "no connection to a professional or commercial activity." The ICO has stated that individuals using personal data "only…in private communications with family and friends, or to manage their own home or personal finances, don't need to consider the UK GDPR."

The boundary is narrow. The ICO has clarified in its guidance that the household exemption does not extend to "the sharing or publication of intimate or sexually explicit images of identifiable individuals" or "revenge porn" uploaded to websites accessible to third parties, because such activities exceed purely personal use. Similarly, CCTV installed by a homeowner that monitors workers in the home falls outside the exemption: the processing relates to employment, not household activity, and UK GDPR applies.

Recital 18 to the UK GDPR (retained from the EU instrument) confirms that the exemption applies only where there is "no connection to a professional or commercial activity." Once processing touches a commercial purpose — even incidentally — the exemption is lost and the full UK GDPR regime applies.

Article 2(2)(b): Law enforcement processing

The UK GDPR does not apply to "processing of personal data by a competent authority for any of the law enforcement purposes." This exclusion is implemented by reference: processing that falls within Part 3 of the Data Protection Act 2018 (which transposes the EU Law Enforcement Directive (EU) 2016/680) is carved out of UK GDPR scope.

"Law enforcement purposes" are defined in section 31 DPA 2018 as "the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." Section 30 defines "competent authority" as a person specified in Schedule 7 to the Act, together with any other person to the extent that they have statutory functions for any of the law enforcement purposes. In practice this covers police forces, the National Crime Agency and prosecuting authorities such as the Crown Prosecution Service.

Part 3 imposes a tailored data-protection regime on law enforcement processing, with modified principles, narrower data-subject rights, and distinct enforcement mechanisms. The ICO retains supervisory jurisdiction, but the substantive rules diverge from UK GDPR. A controller processing personal data partly for law enforcement purposes and partly for other purposes must apply Part 3 to the law enforcement processing and UK GDPR to the remainder.

Article 2(2)(c): Intelligence services processing

The UK GDPR does not apply to "processing of personal data to which Part 4 of the 2018 Act (intelligence services processing) applies." Part 4 DPA 2018 establishes a standalone regime for processing by the UK's three intelligence services: the Security Service (MI5), the Secret Intelligence Service (MI6), and the Government Communications Headquarters (GCHQ), as defined in section 82 DPA 2018.

Part 4 creates a distinct set of data-protection principles, controller obligations, and oversight mechanisms calibrated to the national-security context. The Information Commissioner remains the supervisory authority for Part 4 processing, but the Commissioner's powers are exercised within a regime adapted to national security, including ministerial national security certificates that exempt processing from specified provisions. Part 4 processing is entirely outside UK GDPR scope from the outset; there is no partial application or exemption mechanism.

Interaction with national-security and defence exemptions

Processing that does fall within UK GDPR material scope may still benefit from exemptions for national security or defence under section 26 DPA 2018. These exemptions are conceptually distinct from the Article 2(2)(c) exclusion. Section 26 permits a controller processing under UK GDPR to claim relief from specific obligations (e.g., data-subject rights, transparency requirements) where "exemption from [those provisions] is required for the purpose of safeguarding national security, or for defence purposes." The ICO has stated that the exemption is not a "blanket" relief and must be justified on a case-by-case basis by showing that compliance "would raise a real possibility of an adverse effect on national security."

Textual alignment with EU GDPR and post-Brexit divergence

Article 2 UK GDPR closely tracks EU GDPR Article 2, with the principal modification being the substitution of references to "the Union" and "Member State law" with "the United Kingdom" and domestic UK law. The household exception (Art. 2(2)(a)) and the law enforcement exclusion (Art. 2(2)(b) UK GDPR, corresponding to Art. 2(2)(d) EU GDPR and redirected to Part 3 DPA 2018) remain substantively identical. The intelligence-services carve-out in Art. 2(2)(c) has no direct counterpart in the EU text: under the EU GDPR, national security processing falls outside scope because it lies outside the scope of Union law (EU Art. 2(2)(a)), whereas the UK GDPR brings activity that formerly fell outside EU law into scope (Art. 2(1)(a)) and then excludes Part 4 processing expressly.

The Data (Use and Access) Act 2025 did not amend Article 2 UK GDPR. Material scope remains as set out in the retained and amended Regulation (EU) 2016/679.

Source: UK GDPR Article 2 (Material scope)
Source: Data Protection Act 2018, Section 21 (Definitions — Chapter 3 scope)
Source: Data Protection Act 2018, Section 26 (National security and defence exemption)
Source: ICO, A guide to the data protection exemptions


UK GDPR controller and processor definitions — Article 4(7) and (8) and the allocation of data protection obligations

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The UK General Data Protection Regulation distinguishes between controllers and processors to assign different levels of data protection responsibility. The definitions in Article 4 determine which UK GDPR obligations apply to each entity in a processing relationship — controllers bear the highest compliance burden and processors have more limited, but still direct, statutory duties. The classification is functional and depends on the role each party plays in processing personal data, not on how they label themselves in a contract.

Article 4(7): Controller

A controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." The critical question is whether the entity decides why personal data is processed (the purpose) and how it is processed (the means).

Article 4(7) UK GDPR includes a cross-reference: "(but see section 6 of the 2018 Act)." Section 6(2) of the Data Protection Act 2018 clarifies that a person who processes personal data solely to comply with a legal obligation imposed by an enactment (statute or regulation) is still a controller, even if they have no discretion over the processing. This statutory overlay captures public authorities and others acting under legal mandate.

The Information Commissioner's Office (ICO) has emphasized that controllership is a question of fact, not label. An organization that decides what personal data to collect, for what purpose, which individuals to collect it about, or how long to retain it is a controller regardless of contractual language. The ICO guidance states that controllers "exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing."

Controllers may act alone or jointly. Article 26(1) UK GDPR defines joint controllers: "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers." Joint controllers must enter into a transparent arrangement allocating their respective UK GDPR responsibilities, particularly for transparency obligations and data-subject rights, though all joint controllers remain liable under the regulation. Controllers processing the same personal data for different purposes are not joint controllers — they are independent controllers.

Article 4(8): Processor

A processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." The processor acts under the controller's instructions and does not determine its own purpose for processing the data.

A processor typically has no direct interest in the data itself and processes it solely to provide a service to the controller. The ICO has stated that a processor may "make some decisions about the manner in which personal data is processed" — for example, choosing IT systems, encryption methods, or server locations — but only within the parameters set by the controller. A processor cannot decide what types of personal data to collect, what the data will be used for, or how long to retain it; those decisions remain with the controller.

Employees and agents of a controller are not processors. The ICO guidance confirms that "employees of the controller are not processors" — as long as they act within the scope of their employment, they are part of the controller itself, not a separate party processing on the controller's behalf.

A processor may engage a sub-processor (another processor to carry out part of the processing), but only with the controller's authorization. Article 28 UK GDPR governs the controller-processor relationship and requires a written contract with mandatory data protection clauses. Section 59 of the Data Protection Act 2018 mirrors Article 28 for processing under Part 3 (law enforcement processing).

Obligations flow from classification

Controllers shoulder the highest level of compliance responsibility. The ICO has confirmed that controllers must:

  • Comply with, and demonstrate compliance with, the data protection principles under Article 5 UK GDPR;
  • Establish a lawful basis for processing under Article 6 (and, for special-category data, a condition under Article 9);
  • Provide transparency notices to data subjects (Articles 13–14);
  • Respond to data-subject rights requests (Articles 15–22);
  • Pay the UK data protection fee to the ICO unless exempt (under the Data Protection (Charges and Information) Regulations 2018);
  • Appoint a data protection officer where Article 37 UK GDPR requires it; and
  • Ensure that processors they engage provide "sufficient guarantees" to implement appropriate technical and organizational measures (Article 28).

Processors have more limited obligations, but they are directly subject to the UK GDPR. The ICO and individuals may take enforcement action against a processor for breach of processor-specific obligations. Processors do not pay a data protection fee. Processor duties include:

  • Processing only on documented instructions from the controller (Article 28(3)(a) UK GDPR);
  • Implementing appropriate security measures (Article 32);
  • Notifying the controller without undue delay of a personal data breach (Article 33(2));
  • Assisting the controller in responding to data-subject rights requests and in conducting data protection impact assessments (Article 28(3)(e) and (f));
  • Deleting or returning personal data to the controller at the end of the service provision, unless required by law to retain it (Article 28(3)(g)); and
  • Cooperating with the ICO (Article 31).

Determining your classification in practice

The ICO has published a checklist to help organizations determine their role. Indicators you are a controller include:

  • You decided to collect or process the personal data;
  • You decided what the purpose or outcome of the processing was to be;
  • You decided what personal data should be collected and which individuals to collect it about;
  • You obtain a commercial gain or other benefit from the processing (except for payment for services from another controller);
  • You are processing the personal data as a result of a contract between you and the data subject.

Indicators you are a processor include:

  • You are instructed by another organization about what data to process and how;
  • You have no direct interest in the data;
  • You process the data solely to provide a service to the controller, such as payroll, cloud hosting, IT support, or marketing automation.

The ICO has noted that many organizations act as both controller and processor, depending on the context. A payroll provider processing employee data on behalf of a client is a processor for that activity, but is a controller for its own employee or customer records. The classification must be assessed separately for each processing activity.

Post-Brexit alignment and divergence

The UK GDPR definitions in Article 4(7) and (8) mirror the EU GDPR definitions verbatim, with the exception of the parenthetical cross-reference to section 6 DPA 2018 in the controller definition. The ICO has confirmed that CJEU and supervisory-authority guidance on controllership and processor status under the EU instrument remains persuasive, though UK courts and the ICO are no longer bound by CJEU decisions issued after December 31, 2020. The Data (Use and Access) Act 2025 did not amend the controller or processor definitions.

Source: UK GDPR Article 4 (Definitions)
Source: Data Protection Act 2018, Section 6 (Statutory controllers)
Source: ICO, What are 'controllers' and 'processors'?
Source: ICO, How do you determine whether you are a controller or processor?


UK GDPR definitions of personal data and data subject — Article 4(1) and the identifiability threshold

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The UK General Data Protection Regulation applies only to the processing of personal data. Article 4(1) UK GDPR provides the foundational definition: personal data means "any information relating to an identified or identifiable natural person ('data subject')." The same provision defines a data subject as the natural person to whom the personal data relates. Whether information constitutes personal data is the gateway question for UK GDPR applicability — if the information does not fall within the Article 4(1) definition, the regulation does not apply at all.

Three cumulative elements

The Information Commissioner's Office (ICO) has confirmed that all three elements of the Article 4(1) definition must be satisfied for information to be personal data:

  1. The information must be "information" in any form (text, images, audio, video, numerical data, or any other medium that conveys meaning).
  2. The information must "relate to" a natural person — it must be about them, linked to them, or used to evaluate, treat, or make decisions about them.
  3. The natural person must be "identified or identifiable" — either directly (by name or other unique identifier) or indirectly (by combining the information with other available data).

If any element is absent, the data is not personal data and UK GDPR does not apply.

"Identified or identifiable natural person"

Article 4(1) UK GDPR further provides that "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The list of identifiers in Article 4(1) is illustrative, not exhaustive. The ICO has stated that identifiability is not limited to traditional identifiers like name, address, or National Insurance number — it extends to any information that, alone or in combination with other information, permits the singling out or identification of a particular person.

Direct identification occurs when the information itself immediately reveals the person's identity. Examples include a full name, a photograph, a National Insurance number, or a passport number. If the data controller or another party can point to a specific individual from the data without needing additional information, the person is directly identified.

Indirect identification occurs when information that does not itself reveal identity can be combined with other information — whether held by the controller, publicly available, or reasonably likely to be obtained — to identify the individual. The ICO has emphasized that indirect identifiability requires consideration of "all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly," quoting Recital 26 UK GDPR.

The threshold is reasonably likely means, not theoretical possibility. The ICO has confirmed that "the fact that there is a very slight hypothetical possibility that someone might be able to reconstruct the data in such a way that the individual is identified is not necessarily sufficient to make the individual identifiable." Relevant objective factors include the cost of identification, the time required, the technology available at the time of processing, and technological developments during the retention period.

Common examples of indirect identifiers

The ICO has identified the following as examples of information that may permit indirect identification when combined with other data:

  • IP addresses — if the network operator or internet service provider holds logs that link the IP address to a subscriber account, the individual is identifiable.
  • MAC (Media Access Control) addresses — unique hardware identifiers for devices; if the controller or a third party can link the MAC address to a named individual, the data is personal.
  • Vehicle registration numbers — can be linked to DVLA records to identify the registered keeper.
  • Employee ID numbers or customer reference numbers — if the controller or another party holds a lookup table linking the number to a name, the individual is identifiable.
  • CCTV footage — even if the individual's name is not known, if the controller can single out or track a particular person on the basis of physical characteristics (clothing, gait, time and location), that person is identified and the footage is personal data.
  • Job title or role — may not be personal data in isolation, but becomes personal data when only one person holds that role or when combined with other information (e.g., salary linked to job title after a vacancy is filled).

The meaning of "relates to"

The ICO has clarified that information "relates to" an individual if it satisfies one or more of the following tests:

  • Content test: the information is obviously about the individual (e.g., a medical record, a CV, a performance appraisal).
  • Purpose test: the information is used or likely to be used to evaluate, treat, make a decision about, or influence the status or behaviour of the individual, even if the content is not directly "about" them (e.g., energy meter readings used to bill a household, call logs from a desk phone used to determine when an employee was in the office).
  • Result test: the processing of the information may impact the individual or affect their rights (e.g., a list of employee ID numbers used to determine redundancy selections).

The ICO has stated that "context is important" when applying the "relates to" test. Information that does not relate to an individual in one context may become personal data in another. For example, data about a house (e.g., market value) processed solely for statistical purposes to identify trends in a geographic area does not relate to the occupant and is not personal data. The same data becomes personal data when linked to a named owner or used to determine that owner's property tax liability.

Pseudonymisation and anonymisation

Article 4(5) UK GDPR defines pseudonymisation as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."

Pseudonymisation is a security measure, not a method of removing data from UK GDPR scope. Recital 26 UK GDPR states explicitly: "Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person." The ICO has confirmed that pseudonymised data remains personal data for UK GDPR purposes, and all obligations continue to apply. Common pseudonymisation techniques include replacing names with ID numbers or masking email addresses — but if the controller or any other party retains the key to re-identify individuals, the data is still personal data.

Anonymisation, by contrast, removes the data from UK GDPR scope entirely. The ICO has stated that "information which is truly anonymous is not covered by the UK GDPR." Data is anonymous only if it is irreversibly stripped of identifiers such that the individual can no longer be identified by any party using any reasonably likely means. Once data is truly anonymised, it is no longer personal data and UK GDPR obligations cease. The ICO has emphasized, however, that effective anonymisation is difficult to achieve and that many techniques purporting to anonymise data in fact leave it pseudonymised and within scope.
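What separates the lookup table that makes an employee ID or IP address personal data (the indirect-identifier examples above) from the "additional information" of Article 4(5), and both of those from genuinely aggregate output, is easier to see in code. The following is an added example written for this page, not ICO guidance or code from any cited source; the record set, the 32-byte key requirement and the suppression threshold of three are constructed assumptions. It contrasts an unkeyed hash of an e-mail address (reversible by anyone holding a candidate list, so still personal data), keyed HMAC pseudonymisation (reversible only by the holder of the separately stored key), and aggregation with small-group suppression (no per-person row left to single out).

```python
# Added example: three treatments of the same constructed record set.
#   1. unkeyed SHA-256 of the e-mail ("hash and hope"): anyone with a candidate
#      list reverses it, so the output is still personal data;
#   2. keyed HMAC-SHA256 pseudonymisation: reversible only by whoever holds the
#      separately stored key (the Art. 4(5) "additional information");
#   3. aggregation to counts with small-group suppression: no row per person.
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import Counter
from typing import Iterable, Optional

# Constructed sample data: fictional subjects, illustrative only.
RECORDS = [
    {"email": "alice@example.com", "area": "SW1", "visits": 3},
    {"email": "bob@example.com", "area": "SW1", "visits": 1},
    {"email": "carol@example.com", "area": "EH1", "visits": 7},
    {"email": "dave@example.com", "area": "SW1", "visits": 2},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of a normalised identifier. Deterministic and keyless."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def reverse_naive_hash(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: anyone who can enumerate plausible e-mail addresses
    (a customer list, a breach dump) recovers the identity without any key."""
    for cand in candidates:
        if naive_hash(cand) == token:
            return cand
    return None


class Pseudonymiser:
    """Keyed pseudonymisation. `key` is the additional information that must be
    kept separately from the pseudonymised records: without it a token cannot
    be matched to an input; with it the key holder can re-attribute."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:  # assumed minimum, not a statutory figure
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key

    def token(self, value: str) -> str:
        msg = value.strip().lower().encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def reidentify(self, token: str, candidates: Iterable[str]) -> Optional[str]:
        """Only possible for the key holder: recompute and compare tokens."""
        for cand in candidates:
            if hmac.compare_digest(self.token(cand), token):
                return cand
        return None


def pseudonymise(records: list[dict], p: Pseudonymiser) -> list[dict]:
    """Replace the direct identifier with a keyed token. Rows still correspond
    to individuals, so the output remains personal data (Recital 26)."""
    return [
        {"subject": p.token(r["email"]), "area": r["area"], "visits": r["visits"]}
        for r in records
    ]


def aggregate(records: list[dict], min_group: int = 3) -> dict[str, int]:
    """Counts per area, suppressing groups smaller than `min_group` so nobody
    can be singled out from the output. The threshold is a constructed choice."""
    counts = Counter(r["area"] for r in records)
    return {area: n for area, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a separate system, not with the data
    p = Pseudonymiser(key)
    rows = pseudonymise(RECORDS, p)
    known = [r["email"] for r in RECORDS]  # the attacker's candidate list
    print("unkeyed hash reversed to:", reverse_naive_hash(naive_hash("alice@example.com"), known))
    print("key holder re-identifies:", p.reidentify(rows[0]["subject"], known))
    print("without the key:", Pseudonymiser(secrets.token_bytes(32)).reidentify(rows[0]["subject"], known))
    print("aggregate:", aggregate(RECORDS))
```

The practical test this encodes is the one Recital 26 asks for: who, using means reasonably likely to be available, can get from the output back to a person. For the unkeyed hash the answer is anyone with a list of addresses; for the keyed token it is only the key holder, which is why the key must be stored and access-controlled separately from the data; for the suppressed counts there is no row to attribute at all.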

Natural persons only — exclusions

The Article 4(1) definition limits personal data to information relating to natural persons (living individuals). The UK GDPR does not apply to:

  • Information about deceased persons — the ICO has confirmed that "information about a deceased person does not constitute personal data and therefore is not subject to the UK GDPR." (Note: other UK laws, including the Access to Health Records Act 1990 and common-law duties of confidentiality, may still apply.)
  • Information about companies, public authorities, or other legal persons — the ICO has stated that "information about companies or public authorities is not personal data." However, information about individuals acting as sole traders, employees, partners, or company directors may be personal data where the individual is identifiable and the information relates to them as an individual (e.g., a director's name and business email address on a company website is personal data about the director, even though it relates to their professional role).
  • Aggregated or statistical data — if information is aggregated to the level of a group or geographic area and no individual can be singled out or identified, it is not personal data.

Inaccurate information and personal data

The ICO has clarified that information does not cease to be personal data simply because it is factually incorrect. If information purports to relate to an individual — even if it is inaccurate or actually describes a different person — it is still personal data about the individual to whom it purports to relate. The controller remains subject to UK GDPR obligations, including the accuracy principle under Article 5(1)(d) and the data subject's right to rectification under Article 16.

Determining whether you are processing personal data — ICO guidance

The ICO has published detailed guidance advising controllers to ask the following questions in sequence:

  1. Is it information? Does the data convey meaning in any form?
  2. Does it relate to a person? Apply the content, purpose, and result tests.
  3. Is the person identified or identifiable?
     • Can you or anyone else identify them directly from the information?
     • Can you or anyone else identify them indirectly by combining the information with other data reasonably likely to be available?
  4. Is the person a natural person (living individual)?

If the answer to all four questions is yes, the information is personal data and UK GDPR applies in full.

Post-Brexit alignment with EU GDPR

The Article 4(1) UK GDPR definition of personal data and data subject is textually identical to the EU GDPR definition. The Data (Use and Access) Act 2025 did not amend Article 4(1). UK courts and the ICO are no longer bound by Court of Justice of the European Union (CJEU) judgments issued after December 31, 2020, but the ICO has stated that EU jurisprudence remains persuasive. Leading EU cases on identifiability — including Patrick Breyer v Bundesrepublik Deutschland (C-582/14, holding that dynamic IP addresses are personal data where the internet service provider can link them to subscribers) — continue to inform the ICO's interpretation of the UK definition.

Source: UK GDPR Article 4(1) (Definitions — personal data and data subject)
Source: ICO, What is personal data?
Source: ICO, What is the meaning of 'relates to'?
Source: ICO, Can we identify an individual indirectly?
Source: ICO, What is personal information: a guide


UK GDPR special-category personal data — Article 9 prohibition and the ten conditions for processing

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

The UK General Data Protection Regulation imposes a heightened protection regime for special-category personal data — types of personal data that, by their nature, create significant risks to fundamental rights and freedoms. Article 9(1) UK GDPR prohibits processing of special-category data outright unless the controller can identify one of ten specific conditions set out in Article 9(2). Controllers processing special-category data must also satisfy a lawful basis under Article 6 UK GDPR and, for five of the ten conditions, meet an additional requirement under Schedule 1 of the Data Protection Act 2018.

Article 9(1): The general prohibition

Article 9(1) UK GDPR states: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."

The Information Commissioner's Office (ICO) has confirmed that these categories merit specific protection because their use "could create significant risks to the individual's fundamental rights and freedoms" — including the risk of discrimination, persecution, or interference with fundamental rights such as privacy, freedom of thought, and freedom of association. The prohibition is absolute unless an Article 9(2) condition applies.

What constitutes special-category data

Article 9(1) identifies nine categories of special-category data. The ICO has stated that "the majority of the special categories are not defined and are fairly self-explanatory," but the UK GDPR provides explicit definitions for genetic data (Article 4(13)), biometric data (Article 4(14)), and data concerning health (Article 4(15)):

  • Genetic data means "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question." Recital 34 UK GDPR clarifies this includes chromosomal, DNA, or RNA analysis.
  • Biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data [fingerprints]." The ICO has emphasized that biometric data falls within Article 9(1) only when processed for the purpose of uniquely identifying a natural person. Recital 51 UK GDPR states that "the processing of photographs should not systematically be considered to be processing of special categories of personal data" unless processed through facial-recognition systems or similar technical means for unique identification.
  • Data concerning health is defined in Article 4(15) as "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status." The ICO has confirmed this includes medical records, sickness absences, and information about health-care services accessed by the individual.

The categories racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, and sexual orientation are not defined in the UK GDPR. The ICO has stated that these terms should be given their ordinary meaning and has confirmed that the use of the term "racial origin" in Article 9(1) does not imply endorsement of discredited racial theories — it reflects the reality that individuals may be subject to discrimination on the basis of perceived race or ethnicity.

The ten Article 9(2) conditions

Article 9(2) UK GDPR sets out ten conditions that lift the prohibition. The ICO has confirmed that controllers must identify one applicable condition before processing special-category data begins, and must document that condition as part of their accountability obligations under Article 5(2) UK GDPR.

The ten conditions are:

(a) Explicit consent — the data subject has given explicit consent to the processing for one or more specified purposes. The ICO has stated that consent must meet the heightened standard of "explicit" — an affirmative act that is clear, specific, and unambiguous, typically requiring a written statement or electronic confirmation. Consent must be freely given, informed, and specific; it is not valid if the individual has no genuine choice or would suffer detriment by refusing.

(b) Employment, social security and social protection — processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by law on the controller or data subject in connection with employment, social security, or social protection. This condition requires authorization by domestic law. Section 10(2) of the Data Protection Act 2018 provides that processing under Article 9(2)(b) meets the UK law requirement only if it satisfies Condition 1 in Part 1 of Schedule 1 DPA 2018. Condition 1 requires that the processing is necessary for the stated purpose and that the controller has an "appropriate policy document" in place when the processing is carried out.

(c) Vital interests — processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent. The ICO has clarified that this condition applies in "life and death" situations and only where the data subject cannot consent (for example, because they are unconscious or a child in an emergency). If the individual is capable of consenting, this condition does not apply.

(d) Not-for-profit bodies — processing is carried out in the course of legitimate activities by a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade-union aim, provided the processing relates only to members or former members (or persons who have regular contact with the body in connection with its purposes) and the data is not disclosed outside the body without consent. The ICO has stated that this condition does not extend to commercial entities and applies only to activities directly connected to the body's stated aims.

(e) Data manifestly made public by the data subject — processing relates to personal data which the data subject has manifestly made public. The ICO has emphasized that "manifestly made public" requires a deliberate act by the individual to make the data public. It is not sufficient that the data is in the public domain — the individual must have been the one who made it public. The ICO has stated that a security breach causing data to appear publicly is not a deliberate act by the data subject and does not satisfy this condition.

(f) Legal claims or judicial acts — processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity. The ICO has confirmed that "legal claims" is not limited to current litigation and extends to prospective or anticipated claims where processing is necessary to preserve evidence or prepare a defense.

(g) Reasons of substantial public interest — processing is necessary for reasons of substantial public interest, based on domestic law which shall be proportionate to the aim pursued and provide for suitable and specific measures to safeguard fundamental rights and the interests of the data subject. Section 10(3) DPA 2018 provides that processing under Article 9(2)(g) meets the UK law requirement only if it satisfies one of 23 specific conditions in Part 2 of Schedule 1 DPA 2018. These conditions are set out in paragraphs 6 to 28 of Schedule 1 and include statutory and government purposes, administration of justice, equality of opportunity or treatment, preventing or detecting unlawful acts, regulatory requirements, journalism and academic purposes, preventing fraud, safeguarding of children and individuals at risk, insurance, occupational pensions, and others. The ICO has stated that "substantial public interest" means the public interest must be "real and of substance" — a vague or generic public-interest argument is insufficient.

(h) Health or social care — processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, based on domestic law which provides for suitable safeguards. Article 9(3) UK GDPR requires that the processing be carried out by or under the responsibility of a professional subject to an obligation of professional secrecy under domestic law, or by another person subject to an obligation of secrecy under domestic law. Section 11(1) DPA 2018 clarifies that this includes processing carried out by or under the responsibility of a health professional or social work professional, or by another person who owes a duty of confidentiality under an enactment or rule of law. Section 10(2) DPA 2018 provides that processing under Article 9(2)(h) meets the UK law requirement only if it satisfies Condition 2 in Part 1 of Schedule 1 DPA 2018.

(i) Public health — processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, based on domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. Recital 54 UK GDPR defines "public health" to include "all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, [and] the provision of, and universal access to, health care." Section 10(2) DPA 2018 provides that processing under Article 9(2)(i) meets the UK law requirement only if it satisfies Condition 3 in Part 1 of Schedule 1 DPA 2018.

(j) Archiving, research, and statistics — processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) UK GDPR, based on domestic law which shall be proportionate to the aim pursued and provide for suitable and specific measures to safeguard fundamental rights and the interests of the data subject. Section 10(2) DPA 2018 provides that processing under Article 9(2)(j) meets the UK law requirement only if it satisfies Condition 4 in Part 1 of Schedule 1 DPA 2018. Article 89(1) UK GDPR and section 19 DPA 2018 impose additional safeguards for research and archiving processing.

The UK Schedule 1 overlay

Five of the ten Article 9(2) conditions — (b), (g), (h), (i), and (j) — require the controller to meet an additional condition set out in Schedule 1 of the Data Protection Act 2018. The ICO has confirmed that where Schedule 1 applies, the controller must:

  1. Identify and document the specific Schedule 1 condition being relied upon;
  2. Ensure the processing meets the detailed requirements of that Schedule 1 condition; and
  3. Where required by Schedule 1 paragraph 5, maintain an appropriate policy document ("APD") when the processing is carried out.

An appropriate policy document is a short accountability document that must outline the Schedule 1 condition(s) relied upon, the controller's procedures for complying with the UK GDPR principles, and the controller's retention and deletion policies for the special-category data. Schedule 1 paragraphs 38 to 41 DPA 2018 set out the content and retention requirements for APDs. The ICO has confirmed that one APD can cover multiple processing activities and multiple Schedule 1 conditions.

Dual-lawful-basis requirement

The ICO has emphasized that identifying an Article 9(2) condition is not sufficient on its own. Controllers must also identify a lawful basis for processing under Article 6 UK GDPR — typically Article 6(1)(a) consent, (b) contract, (c) legal obligation, or (e) public task. The two requirements are cumulative and independent: the Article 6 lawful basis and the Article 9 condition do not need to be aligned (for example, a controller may rely on Article 6(1)(e) public task and Article 9(2)(g) substantial public interest, or Article 6(1)(b) contract and Article 9(2)(a) explicit consent).

Automated decision-making restrictions

Article 22(4) UK GDPR imposes a further restriction on the use of special-category data for solely automated decision-making (including profiling) that produces legal effects or similarly significant effects. The ICO has confirmed that such processing is permitted only if the controller has either the data subject's explicit consent (Article 9(2)(a)) or can rely on the substantial public interest condition (Article 9(2)(g)), and the controller puts in place suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests.

Post-Brexit alignment and amendments

Article 9 UK GDPR is textually similar to EU GDPR Article 9, with the principal modifications being the substitution of references to "Union or Member State law" with "domestic law" and the redirection of the additional-conditions requirement to UK Schedule 1 DPA 2018. The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 made minor textual amendments to Article 9(2)(g) and (j) effective December 31, 2023. The Data (Use and Access) Act 2025 made further amendments to Article 9(2)(f), (g), and (j) and to Article 9(3) effective in stages in 2025 and 2026, primarily to clarify the domestic-law basis requirement and the professional-secrecy obligation. The substantive structure of the Article 9(1) prohibition and the ten Article 9(2) conditions remains unchanged.

Source: UK GDPR Article 9 (Processing of special categories of personal data)
Source: Data Protection Act 2018, Section 10 (Special categories of personal data)
Source: Data Protection Act 2018, Schedule 1 (Special categories of personal data and criminal convictions etc data)
Source: ICO, What are the rules on special category data?
Source: ICO, What is special category data?


UK GDPR criminal-offence data — Article 10 prohibition, official-authority exemption, and Schedule 1 Part 3 conditions

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

The UK General Data Protection Regulation establishes a distinct heightened-protection regime for personal data relating to criminal convictions and offences or related security measures, commonly called "criminal-offence data." Article 10 UK GDPR prohibits processing of this data unless the controller can satisfy one of two requirements: either the processing is carried out under the control of official authority, or the processing is authorised by domestic law providing appropriate safeguards. For controllers without official authority, the Data Protection Act 2018 supplies that domestic-law authorisation through Schedule 1, which sets out conditions that must be met before processing may lawfully occur. Criminal-offence data is distinct from the special-category personal data governed by Article 9 UK GDPR and requires its own compliance pathway.

Article 10 UK GDPR — text and scope

Article 10(1) UK GDPR provides:

"Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority."

The Information Commissioner's Office (ICO) has confirmed that Article 10 applies to processing based on an Article 6 lawful basis — typically Article 6(1)(a) consent, (b) contract, (c) legal obligation, (e) public task, or (f) legitimate interests. Meeting an Article 6 lawful basis is necessary but not sufficient when processing criminal-offence data; the controller must also satisfy Article 10's additional requirement for official authority or domestic-law authorisation.

Definition of criminal-offence data

Article 10(1) UK GDPR refers to "personal data relating to criminal convictions and offences or related security measures." Section 11(2) of the Data Protection Act 2018 expands this definition for UK purposes:

"In Article 10 of the [UK GDPR] and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to— (a) the alleged commission of offences by the data subject, or (b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing."

The ICO has stated that the Article 10 definition should be interpreted broadly. It covers:

  • Formal criminal convictions — sentences imposed by a court following criminal proceedings;
  • Allegations and suspicions — data about alleged or suspected criminal activity, even if no charge has been filed;
  • Criminal proceedings — data about investigations, arrests, charges, trials, and the disposal of proceedings;
  • Related security measures — penalties, conditions, or restrictions placed on an individual as part of the criminal-justice process, such as community orders, restraining orders, or civil measures that may lead to a criminal penalty if breached.

The ICO has clarified that "relating to" should be interpreted broadly. Personal data is criminal-offence data if it is linked to criminal offences or is used to learn about an individual's criminal record or behaviour. For example, the ICO has stated that data processed for the purpose of conducting a Disclosure and Barring Service (DBS) check is criminal-offence data under Article 10, even if the check returns a "nil" result and reveals no convictions.

Whose data is covered

The ICO has confirmed that Article 10 applies only to personal data of offenders or suspected offenders. It does not cover information about victims or witnesses of crime, and controllers processing victim or witness data do not require a Schedule 1 condition under Article 10. The ICO has stated: "Article 10 only applies to the personal data of offenders or suspected offenders. This means that criminal offence data does not cover information about victims or witnesses of crime."

However, the ICO has noted that information about victims or witnesses is likely to be sensitive or high-risk, and controllers should take particular care when processing it. If data about a victim includes information about their injuries or medical care, that data may constitute special-category data under Article 9 (data concerning health), and the controller must satisfy an Article 9(2) condition in addition to an Article 6 lawful basis.

The two-route compliance model — official authority or Schedule 1

Article 10(1) UK GDPR permits processing under two routes:

  1. Processing under the control of official authority — The ICO has stated that public bodies or private bodies vested with public-sector tasks may have official authority laid down by law (common law or statute) to process criminal-offence data. Section 10(4) DPA 2018 clarifies that processing that falls within Article 10(1)'s "under the control of official authority" limb does not require a Schedule 1 condition. The ICO has stated that the public body is responsible for identifying the specific law that gives it official authority. Examples given by the ICO include the Driver and Vehicle Licensing Authority (DVLA) maintaining driver records that include motoring convictions, the Disclosure and Barring Service processing DBS-check data, and the courts maintaining conviction registers.
  2. Processing authorised by Schedule 1 of the DPA 2018 — Section 10(5) DPA 2018 provides that processing meets the Article 10(1) requirement for authorisation by domestic law only if it meets a condition in Part 1, Part 2, or Part 3 of Schedule 1. Controllers without official authority must identify and document a Schedule 1 condition before processing criminal-offence data.

Schedule 1 Part 3 — specific conditions for criminal-offence data

Part 3 of Schedule 1 DPA 2018 (paragraphs 29–37) sets out seven conditions that apply specifically to criminal-offence data (paragraphs 29–35) and two paragraphs (36–37) that extend Part 2 substantial-public-interest conditions to criminal-offence data. The seven Article-10-specific conditions mirror the structure of some Article 9(2) conditions but are set out in domestic legislation rather than in the UK GDPR itself. The seven Part 3 conditions are:

Paragraph 29: Consent — The data subject has given consent to the processing for one or more specified purposes. The ICO has emphasized that consent must meet the UK GDPR standard under Article 4(11) and Article 7 — it must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes by a statement or clear affirmative action.

Paragraph 30: Protecting the individual's vital interests — The processing is necessary to protect the vital interests of the data subject or another natural person, in a case where the data subject is physically or legally incapable of giving consent. The ICO has stated that this condition applies only in "life and death" situations and where the individual cannot consent.

Paragraph 31: Processing by not-for-profit bodies — The processing is carried out in the course of legitimate activities by a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade-union aim, and the processing relates only to members, former members, or persons who have regular contact with the body in connection with its purposes. The data must not be disclosed outside the body without consent.

Paragraph 32: Personal data in the public domain — The processing relates to personal data which are manifestly made public by the data subject. The ICO has emphasized that "manifestly made public" requires a deliberate act by the individual to make the data public; it is not sufficient that the data is in the public domain if the individual was not the one who made it public.

Paragraph 33: Legal claims — The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), is necessary for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising, or defending legal rights.

Paragraph 34: Judicial acts — The processing is necessary when a court is acting in its judicial capacity.

Paragraph 35: Administration of accounts used in commission of indecency offences involving children — The processing is necessary for the administration of justice, the exercise of a function of either House of Parliament, or the exercise of a function conferred on a person by an enactment or rule of law, and the processing relates to accounts used in the commission of indecency offences involving children. This is a narrow, bespoke condition introduced for specified public-protection purposes.

Extension of Part 2 substantial-public-interest conditions

Paragraph 36 of Schedule 1 Part 3 extends all 23 of the Part 2 substantial-public-interest conditions (paragraphs 6–28) to criminal-offence data. The ICO has stated that when relying on a Part 2 condition for criminal-offence data, the controller does not need to demonstrate that the processing is "necessary for reasons of substantial public interest" — paragraph 36 removes that requirement for criminal-offence data while retaining the other requirements of each Part 2 condition. The ICO has stated that this difference reflects the policy judgment that the interests of society at large and the need to protect the public from criminal activity mean that controllers can justify the use of criminal-offence data in a wider variety of circumstances than special-category data, despite the potential impact on individual rights.

The most commonly used Part 2 conditions for criminal-offence data, according to ICO guidance, include:

  • Paragraph 6: Statutory and government purposes — Processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law, or the exercise of a function of the Crown, a Minister of the Crown, or a government department.
  • Paragraph 10: Preventing or detecting unlawful acts — Processing is necessary for the purposes of the prevention or detection of an unlawful act, and must be carried out without the consent of the data subject because seeking consent would prejudice those purposes. The ICO has stated that this is the most commonly relied-upon condition for sharing criminal-offence data with law enforcement authorities. When used solely to disclose data to a competent authority (or to prepare for such disclosure), paragraph 10 does not require an appropriate policy document.
  • Paragraph 11: Protecting the public against dishonesty — Processing is necessary for the purposes of protecting the public against dishonesty, malpractice, or other seriously improper conduct, incompetence, or mismanagement.

Paragraph 37 of Schedule 1 Part 3 extends the insurance conditions in paragraphs 20 and 21 of Part 2 to criminal-offence data, subject to the same removal of the "substantial public interest" requirement stated by the ICO.

Comprehensive registers — strict official-authority requirement

The second sentence of Article 10(1) UK GDPR imposes a stricter rule: "Any comprehensive register of criminal convictions shall be kept only under the control of official authority."

The ICO has stated that a comprehensive register is a database of individuals with criminal convictions that is shared between different organisations or made accessible to third parties. The ICO has confirmed that this prohibition applies to industry "blocklists" — databases of employees shared between different employers and used as a recruitment screening tool — to the extent that they relate to criminal convictions. The ICO has stated that organisations are unlikely to have official authority to maintain such a register, and "in most cases, maintaining an industry blocklist based on criminal-offence data will be in contravention of Article 10."

The prohibition does not apply to records held by an organisation about its own employees or customers for its own purposes. A single employer's internal HR file recording an employee's spent conviction is not a comprehensive register and may be processed under a Schedule 1 condition (typically paragraph 1 for employment purposes or paragraph 10 for preventing or detecting unlawful acts).

Appropriate policy documents

Many of the Part 2 conditions extended to criminal-offence data by paragraph 36 require the controller to have an appropriate policy document (APD) in place when the processing is carried out. Schedule 1 paragraph 5 lists the Part 2 conditions that trigger the APD requirement, and paragraph 38 requires that the APD be retained for six months after the processing to which it relates ceases.

Paragraphs 38–41 of Schedule 1 set out the content and retention requirements for APDs. The APD must:

  • Explain the controller's procedures for securing compliance with the UK GDPR data-protection principles in respect of the processing;
  • Explain the controller's policies as regards the retention and erasure of the criminal-offence data; and
  • Specify the Schedule 1 condition(s) being relied upon.

The ICO has confirmed that one APD can cover multiple processing activities and multiple Schedule 1 conditions. The APD is an accountability document; it is not publicly disclosed but must be made available to the ICO on request.

Dual-compliance requirement — Article 6 lawful basis plus Article 10 authorisation

The ICO has emphasized that controllers must satisfy both an Article 6 lawful basis and an Article 10 authorisation (via official authority or Schedule 1). The two requirements are cumulative and independent. Common pairings, according to ICO guidance, include:

  • Article 6(1)(c) legal obligation + Paragraph 1 Schedule 1 (employment) — for an employer conducting DBS checks required by employment law;
  • Article 6(1)(f) legitimate interests + Paragraph 10 Part 2 Schedule 1 (preventing or detecting unlawful acts) — for a retailer sharing CCTV footage of a suspected shoplifting incident with police;
  • Article 6(1)(e) public task + official authority under Article 10 — for a court maintaining a sentencing register.

Relationship to Part 3 law enforcement processing

Criminal-offence data processed by competent authorities for law enforcement purposes as defined in section 31 DPA 2018 — the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties — falls outside UK GDPR scope under Article 2(2)(b) and is instead governed by Part 3 of the Data Protection Act 2018. Part 3 transposes the EU Law Enforcement Directive and establishes a separate, tailored regime for law enforcement processing. Article 10 UK GDPR and Schedule 1 do not apply to Part 3 processing.

When a controller processes the same criminal-offence data partly for law enforcement purposes and partly for other purposes, it must apply Part 3 to the law enforcement processing and the UK GDPR (including Article 10 and Schedule 1) to the remainder. The ICO has stated that controllers should carefully distinguish the two regimes and document which legal framework applies to each processing activity.

Post-Brexit alignment

Article 10 UK GDPR mirrors EU GDPR Article 10 structurally, with the principal textual modification being the substitution of "domestic law" for "Union or Member State law" following the UK's exit from the EU on December 31, 2020. Article 10(2), inserted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, cross-references sections 10 and 11 of the Data Protection Act 2018 for the meaning of the domestic-law authorisation requirement. The Schedule 1 Part 3 conditions remain as enacted in the Data Protection Act 2018, which received Royal Assent on May 23, 2018.

Source: UK GDPR Article 10 (Processing of personal data relating to criminal convictions and offences)
Source: Data Protection Act 2018, Section 10 (Special categories of personal data and criminal convictions etc data)
Source: Data Protection Act 2018, Section 11 (Supplementary provision for purposes of Article 9(2)(h) and Article 10)
Source: Data Protection Act 2018, Schedule 1 Part 3 (Additional conditions relating to criminal convictions etc)
Source: ICO, What are the rules on criminal offence data?
Source: ICO, What is criminal offence data?
