- Y Diweddaraf sydd Ar Gael (Diwygiedig)
- Pwynt Penodol mewn Amser (30/07/2022)
- Gwreiddiol (Fel y'i Deddfwyd)
Point in time view as at 30/07/2022.
Data Protection Act 2018, SCHEDULE 1 is up to date with all changes known to be in force on or before 14 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
Section 10
1(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
(b)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2)See also the additional safeguards in Part 4 of this Schedule.
(3)In this paragraph—
“social security” includes any of the branches of social security listed in Article 3(1) of Regulation (EC) No. 883/2004 of the European Parliament and of the Council on the co-ordination of social security systems (as amended from time to time);
“social protection” includes an intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament and of the Council of 25 April 2007 on the European system of integrated social protection statistics (ESSPROS) [F1as it had effect in EU law immediately before [F2IP completion day]].
Textual Amendments
F1Words in Sch. 1 para. 1(3) substituted (31.12.2020) by The UK Statistics (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/489), regs. 1, 3; 2020 c. 1, Sch. 5 para. 1(1)
F2Words in Sch. 1 para. 1(3) substituted (15.12.2021) by The UK Statistics (Amendment etc.) (EU Exit) Regulations 2021 (S.I. 2021/1300), regs. 1, 2
2(1)This condition is met if the processing is necessary for health or social care purposes.U.K.
(2)In this paragraph “health or social care purposes” means the purposes of—
(a)preventive or occupational medicine,
(b)the assessment of the working capacity of an employee,
(c)medical diagnosis,
(d)the provision of health care or treatment,
(e)the provision of social care, or
(f)the management of health care systems or services or social care systems or services.
(3)See also the conditions and safeguards in Article 9(3) of the [F3UK GDPR] (obligations of secrecy) and section 11(1).
Textual Amendments
F3Words in Sch. 1 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
3U.K.This condition is met if the processing—
(a)is necessary for reasons of public interest in the area of public health, and
(b)is carried out—
(i)by or under the responsibility of a health professional, or
(ii)by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
4U.K.This condition is met if the processing—
(a)is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
(b)is carried out in accordance with Article 89(1) of the [F4UK GDPR] (as supplemented by section 19), and
(c)is in the public interest.
Textual Amendments
F4Words in Sch. 1 para. 4(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
5(1)Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).U.K.
(2)See also the additional safeguards in Part 4 of this Schedule.
6(1)This condition is met if the processing—U.K.
(a)is necessary for a purpose listed in sub-paragraph (2), and
(b)is necessary for reasons of substantial public interest.
(2)Those purposes are—
(a)the exercise of a function conferred on a person by an enactment or rule of law;
(b)the exercise of a function of the Crown, a Minister of the Crown or a government department.
7U.K.This condition is met if the processing is necessary—
(a)for the administration of justice, or
(b)for the exercise of a function of either House of Parliament.
8(1)This condition is met if the processing—U.K.
(a)is of a specified category of personal data, and
(b)is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,
subject to the exceptions in sub-paragraphs (3) to (5).
(2)In sub-paragraph (1), “specified” means specified in the following table—
Category of personal data | Groups of people (in relation to a category of personal data) |
---|---|
Personal data revealing racial or ethnic origin | People of different racial or ethnic origins |
Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs |
Data concerning health | People with different states of physical or mental health |
Personal data concerning an individual's sexual orientation | People of different sexual orientation |
(3)Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.
(4)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(5)Processing does not meet the condition in sub-paragraph (1) if—
(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended.
9(1)This condition is met if the processing—U.K.
(a)is of personal data revealing racial or ethnic origin,
(b)is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,
(c)is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and
(d)can reasonably be carried out without the consent of the data subject,
subject to the exception in sub-paragraph (3).
(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(3)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(4)For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—
(a)holds a position listed in sub-paragraph (5), or
(b)does not hold such a position but is a senior manager of the organisation.
(5)Those positions are—
(a)a director, secretary or other similar officer of a body corporate;
(b)a member of a limited liability partnership;
(c)a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.
(6)In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—
(a)the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or
(b)the actual managing or organising of the whole or a substantial part of those activities.
(7)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
10(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of the prevention or detection of an unlawful act,
(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c)is necessary for reasons of substantial public interest.
(2)If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(3)In this paragraph—
“act” includes a failure to act;
“competent authority” has the same meaning as in Part 3 of this Act (see section 30).
11(1)This condition is met if the processing—U.K.
(a)is necessary for the exercise of a protective function,
(b)must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and
(c)is necessary for reasons of substantial public interest.
(2)In this paragraph, “protective function” means a function which is intended to protect members of the public against—
(a)dishonesty, malpractice or other seriously improper conduct,
(b)unfitness or incompetence,
(c)mismanagement in the administration of a body or association, or
(d)failures in services provided by a body or association.
12(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—
(i)committed an unlawful act, or
(ii)been involved in dishonesty, malpractice or other seriously improper conduct,
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and
(c)the processing is necessary for reasons of substantial public interest.
(2)In this paragraph—
“act” includes a failure to act;
“regulatory requirement” means—
a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or
a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
13(1)This condition is met if—U.K.
(a)the processing consists of the disclosure of personal data for the special purposes,
(b)it is carried out in connection with a matter described in sub-paragraph (2),
(c)it is necessary for reasons of substantial public interest,
(d)it is carried out with a view to the publication of the personal data by any person, and
(e)the controller reasonably believes that publication of the personal data would be in the public interest.
(2)The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—
(a)the commission of an unlawful act by a person;
(b)dishonesty, malpractice or other seriously improper conduct of a person;
(c)unfitness or incompetence of a person;
(d)mismanagement in the administration of a body or association;
(e)a failure in services provided by a body or association.
(3)The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(4)In this paragraph—
“act” includes a failure to act;
“the special purposes” means—
the purposes of journalism;
academic purposes;
artistic purposes;
literary purposes.
14(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b)consists of—
(i)the disclosure of personal data by a person as a member of an anti-fraud organisation,
(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or
(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.
15U.K.This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—
(a)section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);
(b)section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).
16(1)This condition is met if the processing—U.K.
(a)is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,
(b)is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),
(c)is necessary for the purposes of—
(i)raising awareness of the disability or medical condition, or
(ii)providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,
(d)can reasonably be carried out without the consent of the data subject, and
(e)is necessary for reasons of substantial public interest.
(2)The following types of personal data fall within this sub-paragraph—
(a)personal data revealing racial or ethnic origin;
(b)genetic data or biometric data;
(c)data concerning health;
(d)personal data concerning an individual's sex life or sexual orientation.
(3)An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—
(a)has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or
(b)is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.
(4)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(5)In this paragraph—
“carer” means an individual who provides or intends to provide care for another individual other than—
under or by virtue of a contract, or
as voluntary work;
“disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).
(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
17(1)This condition is met if the processing—U.K.
(a)is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,
(b)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(c)is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(b) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).
18(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of—
(i)protecting an individual from neglect or physical, mental or emotional harm, or
(ii)protecting the physical, mental or emotional well-being of an individual,
(b)the individual is—
(i)aged under 18, or
(ii)aged 18 or over and at risk,
(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)the processing is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a)has needs for care and support,
(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.
19(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,
(b)is of data concerning health,
(c)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.
20(1)This condition is met if the processing—U.K.
(a)is necessary for an insurance purpose,
(b)is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and
(c)is necessary for reasons of substantial public interest,
subject to sub-paragraphs (2) and (3).
(2)Sub-paragraph (3) applies where—
(a)the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and
(b)the data subject does not have and is not expected to acquire—
(i)rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or
(ii)other rights or obligations in connection with such a contract.
(3)Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.
(4)For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(5)In this paragraph—
“insurance contract” means a contract of general insurance or long-term insurance;
“insurance purpose” means—
advising on, arranging, underwriting or administering an insurance contract,
administering a claim under an insurance contract, or
exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.
(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
(7)Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.
21(1)This condition is met if the processing—U.K.
(a)is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,
(b)is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,
(c)is not carried out for the purposes of measures or decisions with respect to the data subject, and
(d)can reasonably be carried out without the consent of the data subject.
(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(3)In this paragraph—
“occupational pension scheme” has the meaning given in section 1 of the Pension Schemes Act 1993;
“member”, in relation to a scheme, includes an individual who is seeking to become a member of the scheme.
(4)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
22(1)This condition is met if the processing—U.K.
(a)is of personal data revealing political opinions,
(b)is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and
(c)is necessary for the purposes of the person's or organisation's political activities,
subject to the exceptions in sub-paragraphs (2) and (3).
(2)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.
(3)Processing does not meet the condition in sub-paragraph (1) if—
(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended.
(4)In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.
23(1)This condition is met if—U.K.
(a)the processing is carried out—
(i)by an elected representative or a person acting with the authority of such a representative,
(ii)in connection with the discharge of the elected representative's functions, and
(iii)in response to a request by an individual that the elected representative take action on behalf of the individual, and
(b)the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,
subject to sub-paragraph (2).
(2)Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;
(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
(3)In this paragraph, “elected representative” means—
(a)a member of the House of Commons;
(b)a member of the National Assembly for Wales;
(c)a member of the Scottish Parliament;
(d)a member of the Northern Ireland Assembly;
F5(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(f)an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—
(i)in England, a county council, a district council, a London borough council or a parish council;
(ii)in Wales, a county council, a county borough council or a community council;
(g)an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
(h)a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
(i)the Mayor of London or an elected member of the London Assembly;
(j)an elected member of—
(i)the Common Council of the City of London, or
(ii)the Council of the Isles of Scilly;
(k)an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
(l)an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));
(m)a police and crime commissioner.
(4)For the purposes of sub-paragraph (3), a person who is—
(a)a member of the House of Commons immediately before Parliament is dissolved,
(b)a member of the National Assembly for Wales immediately before that Assembly is dissolved,
(c)a member of the Scottish Parliament immediately before that Parliament is dissolved, or
(d)a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,
is to be treated as if the person were such a member until the end of the fourth day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.
(5)For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.
Textual Amendments
24(1)This condition is met if—U.K.
(a)the processing consists of the disclosure of personal data—
(i)to an elected representative or a person acting with the authority of such a representative, and
(ii)in response to a communication to the controller from that representative or person which was made in response to a request from an individual,
(b)the personal data is relevant to the subject matter of that communication, and
(c)the disclosure is necessary for the purpose of responding to that communication,
subject to sub-paragraph (2).
(2)Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;
(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
(3)In this paragraph, “elected representative” has the same meaning as in paragraph 23.
25(1)This condition is met if—U.K.
(a)the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and
(b)the member is under an obligation not to further disclose the personal data.
(2)The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.
(3)In this paragraph—
“prison” includes a young offender institution, a remand centre, a secure training centre or a secure college;
“prisoner” means a person detained in a prison.
26U.K.This condition is met if the processing—
(a)consists of the publication of a judgment or other decision of a court or tribunal, or
(b)is necessary for the purposes of publishing such a judgment or decision.
27(1)This condition is met if the processing is necessary—U.K.
(a)for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or
(b)for the purposes of providing information about doping, or suspected doping, to such a body or association.
(2)The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.
(3)If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
28(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,
(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c)is necessary for reasons of substantial public interest.
(2)In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—
(a)dishonesty, malpractice or other seriously improper conduct, or
(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.
29U.K.This condition is met if the data subject has given consent to the processing.
30U.K.This condition is met if—
(a)the processing is necessary to protect the vital interests of an individual, and
(b)the data subject is physically or legally incapable of giving consent.
31U.K.This condition is met if the processing is carried out—
(a)in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and
(b)on condition that—
(i)the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and
(ii)the personal data is not disclosed outside that body without the consent of the data subjects.
32U.K.This condition is met if the processing relates to personal data which is manifestly made public by the data subject.
33U.K.This condition is met if the processing—
(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
34U.K.This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity.
35(1)This condition is met if—U.K.
(a)the processing is of personal data about a conviction or caution for an offence listed in sub-paragraph (2),
(b)the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card, and
(c)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2)Those offences are an offence under—
(a)section 1 of the Protection of Children Act 1978 (indecent photographs of children),
(b)Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),
(c)section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),
(d)section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),
(e)Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or
(f)section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),
or incitement to commit an offence under any of those provisions.
(3)See also the additional safeguards in Part 4 of this Schedule.
(4)In this paragraph—
“caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
“conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));
“payment card” includes a credit card, a charge card and a debit card.
36U.K.This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest.
37U.K.This condition is met if the processing—
(a)would meet the condition in paragraph 20 in Part 2 of this Schedule (the “insurance condition”), or
(b)would meet the condition in paragraph 36 by virtue of the insurance condition,
but for the requirement for the processing to be processing of a category of personal data specified in paragraph 20(1)(b).
38U.K.This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.
39U.K.The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—
(a)explains the controller's procedures for securing compliance with the principles in Article 5 of the [F6UK GDPR] (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
(b)explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.
Textual Amendments
F6Words in Sch. 1 para. 39(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
40(1)Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—U.K.
(a)retain the appropriate policy document,
(b)review and (if appropriate) update it from time to time, and
(c)make it available to the Commissioner, on request, without charge.
(2)“Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—
(a)begins when the controller starts to carry out processing of personal data in reliance on that condition, and
(b)ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.
41U.K.A record maintained by the controller, or the controller's representative, under Article 30 of the [F7UK GDPR] in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—
(a)which condition is relied on,
(b)how the processing satisfies Article 6 of the [F7UK GDPR] (lawfulness of processing), and
(c)whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.
Textual Amendments
F7Words in Sch. 1 para. 41 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
Y Ddeddf Gyfan you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Y Ddeddf Gyfan heb Atodlenni you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Y Rhestrau you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Y Diweddaraf sydd Ar Gael (diwygiedig):Y fersiwn ddiweddaraf sydd ar gael o’r ddeddfwriaeth yn cynnwys newidiadau a wnaed gan ddeddfwriaeth ddilynol ac wedi eu gweithredu gan ein tîm golygyddol. Gellir gweld y newidiadau nad ydym wedi eu gweithredu i’r testun eto yn yr ardal ‘Newidiadau i Ddeddfwriaeth’.
Gwreiddiol (Fel y’i Deddfwyd neu y’i Gwnaed): Mae'r wreiddiol fersiwn y ddeddfwriaeth fel ag yr oedd pan gafodd ei deddfu neu eu gwneud. Ni wnaed unrhyw newidiadau i’r testun.
Pwynt Penodol mewn Amser: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Rhychwant ddaearyddol: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Dangos Llinell Amser Newidiadau: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Testun a grëwyd gan yr adran o’r llywodraeth oedd yn gyfrifol am destun y Ddeddf i esbonio beth mae’r Ddeddf yn ceisio ei wneud ac i wneud y Ddeddf yn hygyrch i ddarllenwyr nad oes ganddynt gymhwyster cyfreithiol. Cyflwynwyd Nodiadau Esboniadol ym 1999 ac maent yn cyd-fynd â phob Deddf Gyhoeddus ac eithrio Deddfau Adfeddiannu, Cronfa Gyfunol, Cyllid a Chyfnerthiad.
Gallwch wneud defnydd o ddogfennau atodol hanfodol a gwybodaeth ar gyfer yr eitem ddeddfwriaeth o’r tab hwn. Yn ddibynnol ar yr eitem ddeddfwriaeth sydd i’w gweld, gallai hyn gynnwys:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Defnyddiwch y ddewislen hon i agor dogfennau hanfodol sy’n cyd-fynd â’r ddeddfwriaeth a gwybodaeth am yr eitem hon o ddeddfwriaeth. Gan ddibynnu ar yr eitem o ddeddfwriaeth sy’n cael ei gweld gall hyn gynnwys:
liciwch ‘Gweld Mwy’ neu ddewis ‘Rhagor o Adnoddau’ am wybodaeth ychwanegol gan gynnwys