
1 

(1) These Regulations may be cited as the Data (Use and Access) Act 2025 (Commencement No. 3 and Transitional and Saving Provisions) Regulations 2025.
(2) In these Regulations—
 “the 2018 Act” means the Data Protection Act 2018;
 “the 2025 Act” means the Data (Use and Access) Act 2025;
 “the Commissioner” has the same meaning as in section 3(8) of the 2018 Act;
 “controller” has the same meaning as in section 3(6) of the 2018 Act;
 “data subject” has the same meaning as in section 3(5) of the 2018 Act;
 “the relevant time” means the time when sections 79 and 88 of the 2025 Act come into force.
2 

(1) The following provisions of the 2025 Act come into force on the day after the day on which these Regulations are made—
(a) section 79 (legal professional privilege exemption);
(b) section 88 (national security exemption).
(2) The following provisions of the 2025 Act, so far as not already in force, come into force on 17th November 2025—
(a) section 89 (joint processing by intelligence services and competent authorities);
(b) section 90 (joint processing: consequential amendments).
3 
Section 79 of the 2025 Act does not affect the application of Chapter 3 (rights of the data subject) of Part 3 (law enforcement processing) of the 2018 Act in a case in which a controller received a request under a section of that Chapter before the relevant time.
4 

(1) Section 88 of the 2025 Act does not affect the application of—
(a) Chapter 3 of Part 3 of the 2018 Act, in a case in which a controller received a request under a section of that Chapter before the relevant time;
(b) section 51 (exercise of rights through the Commissioner) of the 2018 Act, in a case in which the Commissioner received a request under that section before the relevant time;
(c) sections 67 and 68 (obligations relating to personal data breaches) of the 2018 Act, in a case in which a personal data breach (within the meaning given by section 33(2) of the 2018 Act) occurred before the relevant time;
(d) section 119 (inspection of personal data) of the 2018 Act, in a case in which a controller received written notice under that section before the relevant time;
(e) Schedule 13 (other general functions of the Commissioner) to the 2018 Act, in a case in which the Commissioner—
(i) commenced enforcement action pursuant to paragraph 1(1)(a) of that Schedule, before the relevant time; or
(ii) received information under paragraph 1(1)(g) of that Schedule, before the relevant time;
(f) sections 142 to 154 (enforcement) of, and Schedule 15 (powers of entry and inspection) to, the 2018 Act, in relation to any of the following which is received by a controller before the relevant time—
(i) an information notice;
(ii) an assessment notice;
(iii) an enforcement notice;
(g) section 173 (alteration of personal data to prevent disclosure) of the 2018 Act, in a case in which a controller received a request pursuant to that section before the relevant time;
(h) section 187 (representation of data subjects) of the 2018 Act, in a case in which, before the relevant time, a body or other organisation authorised to act on behalf of a data subject in accordance with that section—
(i) made a complaint to the Commissioner under section 165 (complaints by data subjects);
(ii) made an application to the Tribunal under section 166 (orders to progress complaints);
(iii) made an application to the court under section 167 (compliance orders); or
(iv) brought judicial review proceedings.
(2) Section 88 of the 2025 Act does not affect the application of section 79(2) to (13) of the 2018 Act to a certificate issued under section 79(1) before the relevant time.
Hanson
Minister of State
Home Office
4th September 2025