The Erasmus+ Programme (Data Processing) Regulations 2026 create the domestic legal basis for handling personal data linked to the United Kingdom's participation in Erasmus+. Made on 28 April 2026, laid before Parliament on 30 April 2026 and due to come into force on 1 June 2026, the instrument applies across England and Wales, Scotland and Northern Ireland. It was signed by Smith of Malvern, Minister of State at the Department for Education. The regulations are made under section 31 of, and paragraph 27 of Schedule 5 to, the European Union (Future Relationship) Act 2020. They follow the 15 April 2026 decision amending Protocol I to the Trade and Cooperation Agreement so that the UK participates in Erasmus+ under Article 1(1a) of that Protocol.
Regulation 2 sets out the administrative structure. The National Authority is the Secretary of State, notified to the European Commission as the person responsible for monitoring and supervising management of the programme in the UK. The National Agency is the body, or bodies, designated to manage implementation. The Independent Audit Body is the body designated to issue an audit opinion on the National Agency's yearly management declaration. The instrument also adopts the Data Protection Act 2018 meanings of 'personal data' and 'processing'. That point is important. The regulations do not replace the wider data protection regime. They create a specific legal route for Erasmus+ activity within that existing framework.
Regulation 3 concerns Erasmus+ Programme Bodies themselves. It allows the National Authority, National Agency and Independent Audit Body to process personal data where this is necessary for carrying out their own functions, or the functions of another Erasmus+ Programme Body, under the programme. The same regulation also permits disclosure to others undertaking Erasmus+ functions. The text expressly names another Erasmus+ Programme Body, the European Commission, the Court of Auditors of the European Union and the European Public Prosecutor's Office. For policy readers, the point is that data sharing is tied to defined programme functions and oversight requirements, not written as a general power to circulate information more widely.
Regulation 4 widens the frame to 'relevant persons'. That group includes the Secretary of State, a devolved authority, the National Agency and the Independent Audit Body. The Secretary of State may process personal data for statistical analysis and research on the impact of UK participation in Erasmus+, for monitoring continuous improvement in the National Agency's performance, and for supporting the National Agency in carrying out specified functions. The same structure is then applied to Scotland, Wales and Northern Ireland. Scottish Ministers, Welsh Ministers and a Northern Ireland department may process personal data for research and statistical analysis relating to participation in or as regards their part of the UK, monitor the National Agency's performance in or as regards that territory, and support the National Agency in dealing with persons there.
The 'specified functions' listed in the regulations are operational tasks rather than broad policy aims. They include communication, information and promotion activity, support with funding applications, customer relationship management, management of enquiries and applications, the award of grants and the management of grants once awarded. In practical terms, the instrument covers the full administrative chain around Erasmus+ funding. Personal data may be used not only when a grant decision is made, but earlier when a potential beneficiary seeks information or support, and later when an award is administered and monitored. Disclosure between relevant persons is also allowed where necessary for those same purposes.
Regulation 5 is short but legally significant. It states that nothing in the instrument affects any separate power to disclose personal data that exists apart from these regulations. The statutory instrument therefore adds an Erasmus+-specific route without disturbing other lawful disclosure powers that may already exist. Regulation 6 then imposes a sunset clause. The regulations cease to have effect on 31 December 2027. That end date is qualified by a saving provision: processing may continue after 31 December 2027 where it is needed for duties connected to activities that began before that date, including work by Erasmus+ Programme Bodies and research or support activity carried out by relevant persons.
That saving provision is one of the more important drafting choices in the instrument. It avoids a cliff edge for projects, grant administration, audit work and evaluation activity already under way when the main regulations expire. In effect, the power ends for new activity after 31 December 2027, but remains available where older Erasmus+ cases still need to be closed properly. According to the explanatory note, no full impact assessment was prepared because no, or no significant, effect on the private, voluntary or public sector was foreseen. The immediate consequence is therefore procedural rather than strategic. For providers, applicants and officials, the regulations set out who may process personal data, who may receive it, the purposes for which that may happen, and the point at which those powers are meant to fall away.