PrivacyTerrain

Editorial caveat

Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.

high confidence, Strong coverage base. Needs continued tracking of reform and regulator guidance updates.

Breach

Breach deadline (hours): 72
Breach notification required: Yes

Marketing

Cookie consent rule: PECR generally requires consent for non-essential cookies.

Transfers

Cross-border transfer restricted: Yes
Data localization required: No

Governance

DPO required: Yes
Impact assessment required: Yes
Records of processing required: Yes

Identity

Effective date: 2021-01-01
Effective status: in-force
Last amended: 2024-10-24
Law status: active

Scope

Extraterritorial application: Yes
Private sector coverage: Yes
Public sector coverage: Yes
Territorial scope: Applies in the UK and extraterritorially to certain overseas processing targeting UK individuals.

Legal Basis

Legal bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
Requires legal basis: Yes

Enforcement

Maximum fine: Up to £17.5 million or 4% of worldwide annual turnover.
Private right of action: Yes
Regulator or enforcement authority summary: Information Commissioner's Office

Definitions

Personal data definition: Information relating to an identified or identifiable living individual.
Sensitive data recognized: Yes

Rights

Right of access: Yes
Right to appeal: Yes
Right to deletion: Yes
Right to object: Yes
Right to portability: Yes
Right to erasure or delete summary: Erasure right with exceptions
Right to rectification or correction summary: Rectification right

Official sources

ICO guide to data protectionSecondary official material • en • html
UK legislation textPrimary official law • en • html

Recent change workflow

PECR consent plus stronger refusal UX emphasispending • extractor openclaw