This section has no associated Explanatory Memorandum
102. After Schedule 20 insert—U.K.
Section 213
“SCHEDULE 21U.K.Further transitional provision etc
Part 1U.K.Interpretation
The applied GPDR
1. In this Schedule, “the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 before [IP completion day].
Part 2U.K.Continuation of existing acts etc
Merger of the directly applicable GDPR and the applied GDPR
2.—(1) On and after [IP completion day], references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—
(a)the EU GDPR as it was directly applicable to the United Kingdom before [IP completion day], read with Chapter 2 of Part 2 of this Act as it had effect before [IP completion day], and
(b)the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before [IP completion day].
(2) On and after [IP completion day], references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before [IP completion day].
(3) Sub-paragraphs (1) and (2) have effect—
(a)in relation to references in this Act, except as otherwise provided;
(b)in relation to references in other enactments, unless the context otherwise requires.
3.—(1) Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before [IP completion day], the applied GDPR or this Act—
(a)if in force or effective immediately before [IP completion day], continues to be in force or effective on and after [IP completion day], and
(b)if in the process of being done immediately before [IP completion day], continues to be done on and after [IP completion day].
(2) References in this paragraph to anything done include references to anything omitted to be done.
Part 3U.K.Transfers to third countries and international organisations
UK GDPR: adequacy decisions and adequacy regulations
4.—(1) On and after [IP completion day], for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—
(a)in the case of a third country, the country or a relevant territory or sector within the country, or
(b)in the case of an international organisation, the organisation.
(2) Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).
(3) The Secretary of State may by regulations—
(a)repeal sub-paragraphs (1) and (2) and paragraph 5;
(b)amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
(c)amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).
(4) Regulations under this paragraph may, among other things——
(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
(b)confer a discretion on a person.
(5) Regulations under this paragraph are subject to the negative resolution procedure.
(6) Sub-paragraphs (1) and (2) have effect in addition to section 17A(2) and (3).
5.—(1) The following are specified for the purposes of paragraph 4(1)—
(a)an EEA state;
(b)Gibraltar;
(c)a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;
(d)an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;
(e)a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before [IP completion day], had been repealed or was suspended;
(f)a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before [IP completion day] on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before [IP completion day], had been repealed or was suspended.
(2) The decisions mentioned in sub-paragraph (1)(e) are the following—
(a)Commission Decision 2000/518/EC of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;
(b)Commission Decision 2002/2/EC of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;
(c)Commission Decision 2003/490/EC of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;
(d)Commission Decision 2003/821/EC of 21st November 2003 on the adequate protection of personal data in Guernsey;
(e)Commission Decision 2004/411/EC of 28th April 2004 on the adequate protection of personal data in the Isle of Man;
(f)Commission Decision 2008/393/EC of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;
(g)Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;
(h)Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;
(i)Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;
(j)Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;
(k)Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;
(l). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
[(m)Commission Implementing Decision (EU) 2019/419 of 23rd January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information.]
(3) Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).
(4) The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before [IP completion day], subject to sub-paragraphs (5) and (6).
(5) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
(6) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—
(a)transfers from the European Union (or the European Community) or the European Economic Area, or
(b)transfers to which the EU GDPR applies,
it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).
6.—(1) In the provisions listed in sub-paragraph (2)—
(a)references to regulations made under section 17A (other than references to making such regulations) include the provision made in paragraph 5;
(b)references to the revocation of such regulations include the repeal of all or part of paragraph 5.
(2) Those provisions are—
(a)Articles 13(1)(f), 14(1)(f), 45(1) and (7), 46(1) and 49(1) of the UK GDPR;
(b)sections 17B(1), (3), (6) and (7) and 18(2) of this Act.
UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses
7.—(1) Subject to paragraph 8, the appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after [IP completion day] as described in this paragraph.
(2) The safeguards may be provided for by any standard data protection clauses included in an arrangement which, if the arrangement had been entered into immediately before [IP completion day], would have provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.
(3) The safeguards may be provided for by a version of standard data protection clauses described in sub-paragraph (2) incorporating changes where—
(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
(b)none of the changes alters the effect of the clauses.
(4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
(5) In the case of a transfer of personal data made under arrangements entered into before [IP completion day], the safeguards may be provided for on and after [IP completion day] by standard data protection clauses not falling within sub-paragraph (2) which—
(a)formed part of the arrangements immediately before [IP completion day], and
(b)at that time, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.
(6) The Secretary of State and the Commissioner must keep the operation of this paragraph under review.
(7) In this paragraph, “adequacy decision” means a decision made on the basis of—
(a)Article 45(3) of the EU GDPR, or
(b)Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
(8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.
8.—(1) Paragraph 7 does not apply to the extent that it has been disapplied by—
(a)regulations made by the Secretary of State, or
(b)a document issued by the Commissioner.
(2) Regulations under this paragraph are subject to the negative resolution procedure.
(3) Subsections (3) to (8) and (10) to (12) of section 119A apply in relation to a document issued by the Commissioner under this paragraph as they apply to a document issued by the Commissioner under section 119A(2).
UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules
9.—(1) The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after [IP completion day] as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).
(2) The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before [IP completion day], provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.
(3) The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—
(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
(b)none of the changes alters the effect of the rules.
(4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
(5) Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after [IP completion day], the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).
[(5A) For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—
(a)a valid notification of the rules has been made to the Commissioner,
(b)the Commissioner has approved them, and
(c)that approval has not been withdrawn.
(5B) A notification is valid if it—
(a)is made by a controller or processor established in the United Kingdom,
(b)is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and
(c)includes—
(i)the name and contact details of the data protection officer or other contact point for the controller or processor, and
(ii)such other information as the Commissioner may reasonably require.
(5C) Where a valid notification is made the Commissioner must, without undue delay—
(a)decide whether or not to approve the rules, and
(b)notify the controller or processor of that decision.]
(6) The Commissioner must keep the operation of this paragraph under review.
(7) In this paragraph—
“adequacy decision” means a decision made on the basis of—
(a)
Article 45(3) of the EU GDPR, or
(b)
Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
“binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.
(8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.
Part 3 (law enforcement processing): adequacy decisions and adequacy regulations
10.—(1) On and after [IP completion day], for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—
(a)in the case of a third country, the country or a relevant territory or sector within the country, or
(b)in the case of an international organisation, the organisation.
(2) Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).
(3) The Secretary of State may by regulations—
(a)repeal sub-paragraphs (1) and (2) and paragraph 11;
(b)amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
(c)amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).
(4) Regulations under this paragraph may, among other things—
(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
(b)confer a discretion on a person.
(5) Regulations under this paragraph are subject to the negative resolution procedure.
(6) Sub-paragraphs (1) and (2) have effect in addition to section 74A(2) and (3).
11.—(1) The following are specified for the purposes of paragraph 10(1)—
[(a) an EEA state;
(aa)Switzerland;]
(b)Gibraltar;
(c)a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before [IP completion day] on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before [IP completion day], had been repealed or was suspended.
(2) Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).
(3) The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before [IP completion day], subject to sub-paragraphs (4) and (5).
(4) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
(5) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—
(a)transfers from the European Union (or the European Community) or the European Economic Area, or
(b)transfers to which the Law Enforcement Directive applies,
it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).
12. In section 74B(1), (3), (6) and (7)—
(a)references to regulations made under section 74A (other than references to making such regulations) include the provision made in paragraph 11;
(b)references to the revocation of such regulations include the repeal of all or part of paragraph 11.
Part 4U.K.Repeal of provisions in Chapter 3 of Part 2
Applied GDPR: power to make provision in consequence of GDPR regulations
13.—(1) Regulations made under section 23 before [IP completion day] continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
(2) The provisions listed in section 186(3) include regulations made under section 23 before [IP completion day] (and not revoked).
(3) Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.
Applied GDPR: national security certificates
14.—(1) This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before [IP completion day].
(2) A reference in the certificate to a provision of the applied GDPR has effect, on and after [IP completion day], as it if were a reference to the corresponding provision of the UK GDPR or this Act.
Part 5U.K.The Information Commissioner
Confidentiality of information
15. The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after [IP completion day].
Part 6U.K.Enforcement
GDPR: maximum amount of penalties
16. In relation to an infringement, before [IP completion day], of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—
(a)Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted “ 20 million Euros ”;
(b)Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted “ 10 million Euros ”;
(c)the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.
GDPR: right to an effective remedy against the Commissioner
17.—(1) This paragraph applies where—
(a)proceedings are brought against a decision made by the Commissioner before [IP completion day], and
(b)the Commissioner's decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.
(2) The Commissioner must forward the Board's opinion or decision to the court or tribunal dealing with the proceedings.”.
Textual Amendments
Commencement Information
Marginal Citations