United Kingdom General Data Protection Regulation
The UK GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation or GDPR), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
The GDPR applies in the UK as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (SI 2020/1586).
This version of the UK GDPR does not have the status of law. Rather, it has been prepared by Stephenson Harwood LLP for use as a resource, building on the Keeling Schedule published by the UK Government. The Keeling Schedule is a document showing the GDPR marked up as amended by the Regulations, namely a redline of the GDPR compared to the UK GDPR.
A note about recitals:
The recitals to the GDPR also form part of the domestic laws of the United Kingdom, in the same way that the Articles of the GDPR do.
Unlike the main Articles of the GDPR, the recitals were not amended using the power under section 3 of the European Union (Withdrawal) Act 2018 to make them work in a UK context. Therefore, certain recitals may no longer be relevant or may need to be interpreted differently in light of Brexit.
While we have indicated which recitals we consider relevant to each Article of the UK GDPR, users relying on this resource should therefore check that a recital is relevant in all the circumstances.
The recitals continue to have the same status as they did prior to Brexit: they are not legally binding but they are useful for understanding the meaning of the Articles of the UK GDPR.
If you have any questions regarding this resource, please contact a member of our data protection team.