UK GDPR

The UK General Data Protection Regulation

Please note: this resource is in the process of being updated to reflect changes made by regulations taking effect on 5 February 2026

Art. 84C GDPR Appropriate safeguards

.This Article makes provision about when the requirement under Article 84B(2) for processing of personal data to be carried out subject to appropriate safeguards is satisfied.
The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates.
The requirement is not satisfied if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research.
The requirement is only satisfied if the safeguards include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see Article 5(1)(c)), such as, for example, pseudonymisation.
In this Article—
“approved medical research” means medical research carried out by a person who has approval to carry out that research from—
1. a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or
2. a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—
  1. the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland department;
  2. a relevant NHS body;
  3. United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;
  4. an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);
“relevant NHS body” means—
1. an NHS trust or NHS foundation trust in England,
2. an NHS trust or Local Health Board in Wales,
3. Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,
4. the Common Services Agency for the Scottish Health Service, or
5. any of the health and social care bodies in Northern Ireland falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).

Prev. Article

View All

Further Information

This version of the UK GDPR is offered purely as what we hope will be a helpful resource. It does not have the status of law, and should not be relied on as such. Nor do we guarantee it is free from errors. It was originally prepared using a Keeling Schedule made available by the UK Government.

Since then, a consolidated version has also been made available on the legislation.gov.uk pages.

By virtue of section 3 of the European Union (Withdrawal Act) 2018, the GDPR (Regulation (EU) 2016/679) was retained in United Kingdom law as "direct EU legislation". However, the effect of the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020, was, from 1 January 2021, immediately to make changes to the retained GDPR, and to refer to it as the "UK GDPR". These pages reflect those changes.

This resource includes links to the GDPR recitals. The explanatory notes to the European Union (Withdrawal Act) 2018 confirm that where legislation is converted under section 3, it is the text of the legislation itself which will form part of domestic legislation, and this will include the full text of any EU instrument (including its recitals). Accordingly, recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a legal rule. However, it stands to reason that – as the recitals themselves have not been amended – they will in places contain language and references to EU bodies and rules which no longer apply to the UK.

In this resource we link Articles of the UK GDPR to the corresponding recitals. In deciding which recitals correspond to which Articles of UK GDPR, we have drawn on the working document of the EU GDPR which the Information Commissioner had previously published in 2017.

Downloads

Working document of the EU GDPR published 2017 and archived on the National Archives website

Contacts

Adam Rose Partner

Jon Baines Senior Data Protection Specialist (non-lawyer)