Schedules
Latest updates - 19 June 2025
19 June 2025 - This page was published
- Schedule 4 – Lawfulness of processing recognised legitimate interests
- Schedule 5 – Purpose limitation: processing to be treated as compatible with original purpose
- Schedule 6 – Automated decision-making: minor and consequential amendments
- Schedule 7 – Transfers of personal data to third countries etc: general processing
- Schedule 8 – Transfers of personal data to third countries etc: law enforcement processing
- Schedule 9 – Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision
- Schedule 10 - Complaints: minor and consequential amendments
- Schedule 11 - Further minor provision about data protection
- Schedule 12 - Storing information in the terminal equipment of a subscriber or user
- Schedule 13 - Privacy and electronic communications: Commissioner’s enforcement powers
- Schedule 14 - The Information Commission
Schedule 4 – Lawfulness of processing recognised legitimate interests
This schedule inserts a new annex into the UK GDPR that sets out the conditions that an organisation needs to meet when relying on the new recognised legitimate interests lawful basis for processing.
These recognised legitimate interests conditions are as follows:
- Disclosures for purposes of processing described in article 6(1)(e): This allows an organisation to respond to requests for information from public bodies (or bodies carrying out public tasks) without having to decide whether the requesting body needs the requested information to carry out its public task. Instead, the organisation just needs to make sure the requesting body has confirmed that it needs the information to carry out its public task.
- National security, public security and defence: This allows an organisation to use personal information when this is necessary for the purposes of:
- safeguarding national security;
- protecting public security; or
- defence.
- Emergencies: This allows an organisation to use personal information where this is necessary for the purposes of responding to an ‘emergency’, as defined by part 2 of the Civil Contingencies Act 2004.
- Crime: This allows an organisation to use personal information where this is necessary for the purposes of:
- detecting, investigating or preventing crime; or
- apprehending or prosecuting offenders.
- Safeguarding vulnerable individuals: This allows an organisation to use personal information where this is necessary for the purposes of “safeguarding a vulnerable individual”.
This schedule also provides definitions for the “safeguarding vulnerable individuals” recognised legitimate interests condition:
- ‘Safeguarding’ a vulnerable individual means:
- protecting a vulnerable person from neglect or physical, mental or emotional harm; or
- protecting the physical, mental or emotional well-being of a vulnerable person.
- ‘Vulnerable individual’ means a person:
- aged under 18; or
- aged 18 or over and at risk.
- Protection of a person, or of the well-being of a person, includes both protecting a particular person and protecting a type of person.
- A person aged 18 or over is ‘at risk’ if the organisation has reasonable cause to suspect that the person:
- has needs for care and support;
- is experiencing, or at risk of, neglect or physical, mental or emotional harm; and
- is unable to protect themselves against the neglect, harm or risk, due to those needs.
Schedule 5 – Purpose limitation: processing to be treated as compatible with original purpose
This schedule inserts a new annex into the UK GDPR. The annex provides a list of reuses of personal information that an organisation can assume to be compatible with the purposes for which it originally collected the information, when applying the purpose limitation principle.
Reuse of consented information may be compatible if it’s necessary for one of the reasons set out in this annex, but only if it’s not reasonable to get consent for that new use.
The list of uses is as follows:
- Disclosures for purposes of processing described in article 6(1)(e): This allows an organisation to respond to requests for information from a public body (or other bodies carrying out public tasks) who have confirmed they need the information for that purpose and to safeguard a public interest objective listed in article 12(1)(c) to (j).
- Disclosure for the purposes of archiving in the public interest: This allows an organisation to make disclosures at the request of an archiving body, provided that:
- it originally collected the information under the lawful basis of consent;
- the use of the information complies with the research, archiving, and statistical processing requirements in the UK GDPR;
- the requesting body confirms that it will only use the information for the purposes of archiving in the public interest; and
- it reasonably believes that the requesting body will only use the information in accordance with generally recognised standards relevant to its archiving in the public interest.
- Public security: This allows an organisation to use personal information to protect public security.
- Emergencies: This allows an organisation to use personal information to respond to an emergency, as defined by Part 2 of the Civil Contingencies Act 2004.
- Crime: This allows an organisation to use personal information to:
- detect, investigate or prevent crime; or
- apprehend or prosecute offenders.
- Protection of vital interests of data subjects and others: This allows an organisation to use personal information to protect the vital interests of the person the personal information is about or another person.
- Safeguarding vulnerable individuals: This allows an organisation to use personal information to safeguard a vulnerable person.
- Taxation: This allows an organisation to use personal information to assess or collect a tax, duty or an imposition of a similar nature.
- Legal obligations: This allows an organisation to use personal information to comply with a legal obligation.
The schedule also provides definitions for the safeguarding vulnerable individuals re-use condition. These are the same definitions as in the new recognised legitimate interests annex inserted by schedule 4 - Lawfulness of processing recognised legitimate interests.
Schedule 6 – Automated decision-making: minor and consequential amendments
This schedule makes minor and consequential amendments to the UK GDPR and the DPA about automated decision-making. These result from the changes to the ADM provisions and include, for example, removing section 14 of the DPA, as this won’t be necessary due to the new safeguards in article 22C.
Schedule 7 – Transfers of personal data to third countries etc: general processing
This schedule amends the rules that apply when an organisation transfers personal information to third countries and international organisations.
It amends the description of the standard of protection that is required for these transfers under both adequacy arrangements (now referred to as “transfers approved by regulations”), and alternative transfer mechanisms (now referred to as “transfers subject to appropriate safeguards”).
The description of the standard has changed from requiring that “the protection of natural persons guaranteed by the UK GDPR is not undermined”, to requiring that the standard of protection provided “is not materially lower” than the standard of the protection provided under the UK GDPR and the DPA 2018. This is now referred to as the data protection test.
The schedule formalises the requirement for an organisation to do a transfer risk assessment for transfers subject to appropriate safeguards. It does this by saying that an organisation must meet the data protection test “reasonably and proportionately”.
The schedule also:
- sets out the factors that the Secretary of State must consider when deciding whether the data protection test is satisfied for transfers approved by regulations;
- amends the review period for transfers approved by regulations from four years to “ongoing monitoring”; and
- introduces a new power for the Secretary of State to recognise new transfer mechanisms.
It also makes some other minor changes and restructures some existing requirements.
Schedule 8 – Transfers of personal data to third countries etc: law enforcement processing
This schedule makes the same changes as schedule 7, but for transfers made by competent authorities that use personal information for law enforcement purposes.
It also clarifies that an organisation can make transfers to processors in third countries and international organisations under part 3 law enforcement rules.
Schedule 9 – Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision
This schedule makes minor and consequential amendments about transfers to third countries and international organisations.
Schedule 10 - Complaints: minor and consequential amendments
This schedule makes minor and consequential amendments to the complaints provisions of the UK GDPR and the DPA.
Schedule 11 - Further minor provision about data protection
This schedule makes further minor amendments to the UK GDPR, the DPA and the Victims and Prisoners Act 2024.
These include:
- inserting a definition of direct marketing into the UK GDPR (to match that already used in the DPA);
- providing that time periods are to be defined in accordance with the Periods of Time Regulations; and
- making minor clarifications to some of the special category conditions and exemptions, such as clarifying that:
- the crime condition and exemption includes the “investigation” of crime;
- the conditions and exemptions for disclosures for the purposes of journalism and fraud can apply to preparations for disclosure as well as the disclosure itself.
Schedule 12 - Storing information in the terminal equipment of a subscriber or user
This schedule inserts a new schedule into PECR that contains the exceptions from the prohibition on an organisation storing or accessing information on people’s devices or terminal equipment (the exemptions to the cookies rules).
The prohibition won’t apply if:
- the organisation has provided the subscriber or user with clear and comprehensive information about the purposes, and gives their consent;
- the storage or access is necessary for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
- the storage or access is “strictly necessary” to provide an information society service (the schedule provides non-exhaustive examples of strictly necessary purposes, including security, fraud prevention, fault detection and authentication);
- the storage or access is for the sole purpose of enabling a service provider to collect information for statistical purposes about how their online service is used;
- the storage or access is for the sole purpose of enabling a service to adapt its appearance or functions in accordance with someone’s preferences; and
- the storage or access is for the sole purpose of working out the subscriber or user’s geographical location when they request emergency assistance.
Schedule 13 - Privacy and electronic communications: Commissioner’s enforcement powers
This schedule amends the ICO’s enforcement powers under PECR, to align them with its powers under the UK GDPR and the DPA 2018. Most significantly, it:
- removes the requirement to establish that a contravention has caused substantial damage and distress;
- allows the ICO to impose monetary penalties up to a maximum of £17.5m for certain failures to comply;
- replaces the ICO’s PECR security audit powers with the power to issue an assessment notice; and
- gives the ICO new powers under PECR, such as the power to compel a witness and the power to commission technical reports.
Schedule 14 - The Information Commission
This schedule:
- makes provisions about the constitution of the Information Commission; and
- includes transitional provisions about the transfer of powers and responsibilities from the Information Commissioner to the Information Commission.