Relevant DUA Act Provision: Section 71, Schedule 5; amends Articles 5(1)(b) and 6(4) UK GDPR and adds a new Article 8A and Annex 2 to the UK GDPR.
The DUA Act reforms the compatibility principle governing further processing of personal data by introducing statutory compatibility conditions and a new provision (Article 8A) in the UK GDPR. These provisions limit the need for a traditional compatibility assessment where certain legal and policy conditions are met.
Contextual compatibility
Under the GDPR, controllers are required to assess whether the further processing purpose is compatible with the original purpose of collection, using contextual criteria in Article 6(4) and Recital 50, such as the link to the original purpose, the context of collection, the nature of the data, and the data subject’s expectations.
Statutory compatibility
The DUA Act replaces this framework with a more rules-based framework for further processing, specifying circumstances in which the compatibility assessment under Article 6(4) UK GDPR is not required or is simplified. These statutory conditions are codified in the new Article 8A, which introduces a structured legal framework for compatibility by listing the exempted further processing scenarios. Article 8A(3) then refers to Annex 2, which enumerates specific categories of further processing that are also deemed compatible without a separate compatibility assessment. These exemptions from the compatibility assessment include:
- Consent-based further use: the data subject gives consent to the further processing and the new purpose is specific, explicit and legitimate;
- Public interest processing: the further processing is carried out for (i) scientific research or historical research, (ii) archiving in the public interest or (iii) statistical purposes, and is subject to safeguards under Article 89(1) (e.g. minimisation, pseudonymisation);
- Compliance processing: the processing is carried out to ensure that the processing complies with the principles for processing personal data under Article 5(1) UK GDPR;
- Annex 2 disclosure route: the controller discloses personal data in response to a request from another person who needs it to carry out processing under Article 6(1)(e) (official authority or public interest task), with a valid legal basis under Article 6(3), and the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) UK GDPR. This includes objectives such as public security, the protection of judicial independence, or the enforcement of civil law claims. The disclosing controller must not be a public authority performing its own tasks.
In all cases, the further processing must still comply with the principles of fairness and transparency under Article 5, and appropriate safeguards, particularly under Article 89(1), must be applied where applicable.
Where the controller relied on consent for the original purpose, the further purpose will only be deemed compatible if fresh consent is obtained for the further processing and the processing is either (i) solely to ensure compliance with Article 5(1) data protection principles, or (ii) falls within Annex 2 and the controller cannot reasonably be expected to obtain new consent.
Annex 2 is legally anchored in Article 8A(3), which delegates to it the role of specifying additional forms of further processing deemed inherently compatible with the original purpose.
Annex 2 of Schedule 5 sets out additional statutory examples of further processing that shall be treated as compatible with the original purpose. This is a limited list of processing for the purposes of:
- archiving in the public interest;
- detection, investigation and prevention of crime and apprehension of offenders;
- protecting the vital interests of the data subject or another individual;
- safeguarding children and vulnerable individuals;
- the assessment or collection of tax;
- complying with a legal obligation under an enactment, rule of law or order of a court or tribunal.
The Secretary of State may expand or revise this list by regulation. This mechanism introduces flexibility but also raises rule of law concerns about foreseeability and the scope of ministerial discretion.
This statutory presumption replaces the open-textured compatibility balancing test for listed purposes, enhancing legal certainty and operational efficiency. However, for commercial or non-exempted secondary uses, the compatibility analysis under Article 6(4) still applies, albeit with less detailed contextual criteria than under the GDPR. The reform thus creates a two-tier model of further processing in the UK.
Notably, the DUA Act does not alter the requirement that the further purpose be specified and transparent to data subjects under Article 5(1)(b). Nor does it diminish the relevance of fairness and accountability under Articles 5(1)(a) and 5(2). Controllers must still justify the further use on the basis of proportionality and necessity when outside the statutory exemptions.
Divergence
The UK model departs from the EU’s nuanced, case-by-case compatibility framework. It introduces a more rules-based system that simplifies assessments for certain further processing purposes, such as those listed in Annex 2 or expressly permitted under Article 8A(2) and (3), which together form the backbone of the UK’s new statutory compatibility regime. This statutory presumption replaces the open-textured compatibility balancing test for those purposes, enhancing legal certainty and operational efficiency. However, for commercial or non-exempted secondary uses, the compatibility analysis under Article 6(4) still applies, albeit with less prescriptive contextual criteria than under the GDPR. The reform thus creates a two-tier model of further processing in the UK. The scope for ministerial discretion over future categories raises regulatory concerns around legal certainty and foreseeability.
ICO commentary
In its updated response to the DUA Bill (prior to the Bill receiving parliamentary approval), the ICO stated that the amendments, particularly for scientific research, archiving, and statistical purposes, are easier to navigate and understand, provide organisations with greater certainty, and enable responsible reuse of personal data. The ICO emphasises, however, that compliance with safeguards under Article 89(1) remains critical. The ICO intends to publish new, updated guidance on Research, Archiving and Statistics, with a public consultation planned, in Spring 2026.
Recommendations
- Maintain a register of all further processing activities, noting the route used (statutory vs. contextual).
- For scientific, historical, and statistical processing, document compliance with Article 89(1) safeguards.
- Use Annex 2 disclosures and consent-based tools appropriately.
- Update privacy notices to reflect new statutory presumptions and clarify how secondary purposes align with the original lawful basis.
- Monitor future changes to the statutory list and changes to Annex 2 and Article 8A via secondary legislation.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:
- Recognised Legitimate Interests (RLIs)
- Further Processing
- Automated Decision-Making (ADM)
- Data Subject Access Requests (DSARs)
- Complaints Handling
- Law Enforcement and National Security
- Age Appropriate Design Code (AADC or Children’s Code)
- Scientific, Historical and Statistical Purposes
- International Data Transfers
- Cookies and PECR Reform
- Information Commissioner’s Office (ICO) Reform
- Codified Convergences with EU Law