Textual Amendments
F1Pt. 2 Ch. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 27 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Modifications etc. (not altering text)
C1Pt. 2 Ch. 3 applied (31.12.2020) by Regulation (EU) No. 625/2017, Art. 143 (as substituted by The Official Controls (Animals, Feed and Food, Plant Health etc.) (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/1481), regs. 1, 27(3) (with reg. 46))
Textual Amendments
F4(1). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F4(2). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F4(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F4(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(5)In this Chapter, “FOI public authority” means—
(a)a public authority as defined in the Freedom of Information Act 2000, or
(b)a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002 (asp 13).
(6)References in this Chapter to personal data “held” by an FOI public authority are to be interpreted—
(a)in relation to England and Wales and Northern Ireland, in accordance with section 3(2) of the Freedom of Information Act 2000, and
(b)in relation to Scotland, in accordance with section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002 (asp 13),
but such references do not include information held by an intelligence service (as defined in section 82) on behalf of an FOI public authority.
(7)But personal data is not to be treated as “held” by an FOI public authority for the purposes of this Chapter, where—
(a)section 7 of the Freedom of Information Act 2000 prevents Parts 1 to 5 of that Act from applying to the personal data, or
(b)section 7(1) of the Freedom of Information (Scotland) Act 2002 (asp 13) prevents that Act from applying to the personal data.
Textual Amendments
F3S. 21 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 29(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4S. 21(1)-(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 29(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F5S. 22 and cross-heading omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 30 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F6S. 23 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 31 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The provisions of [F7the UK GDPR] and this Act listed in subsection (2) do not apply to personal data to which [F8the UK GDPR] applies by virtue of [F9Article 2(1A)] (manual unstructured personal data held by FOI public authorities).
(2)Those provisions are—
(a)in Chapter II of [F10the UK GDPR] (principles)—
(i)Article 5(1)(a) to (c), (e) and (f) (principles relating to processing, other than the accuracy principle),
(ii)Article 6 (lawfulness),
(iii)Article 7 (conditions for consent),
(iv)Article 8(1) and (2) (child's consent),
(v)Article 9 (processing of special categories of personal data),
(vi)Article 10 (data relating to criminal convictions etc), and
(vii)Article 11(2) (processing not requiring identification);
(b)in Chapter III of [F11the UK GDPR] (rights of the data subject)—
(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(iii)Article 20 (right to data portability), and
(iv)Article 21(1) (objections to processing);
(c)in Chapter V of [F12the UK GDPR], Articles 44 to 49 (transfers of personal data to third countries or international organisations);
[F13(ca)in Part 2 of this Act, sections 17A, 17B and 17C (transfers to third countries);
(cb)in Part 5 of this Act, section 119A (standard clauses for transfers to third countries);]
[F14(d)in Part 7 of this Act, sections 170 and 171 (offences relating to personal data).]
(see also paragraph 1(2) of Schedule 18).
(3)In addition, the provisions of [F15the UK GDPR] listed in subsection (4) do not apply to personal data to which [F16the UK GDPR] applies by virtue of [F17Article 2(1A)] where the personal data relates to appointments, removals, pay, discipline, superannuation or other personnel matters in relation to—
(a)service in any of the armed forces of the Crown;
(b)service in any office or employment under the Crown or under any public authority;
(c)service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in—
(i)Her Majesty,
(ii)a Minister of the Crown,
(iii)the National Assembly for Wales,
(iv)the Welsh Ministers,
(v)a Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000), or
(vi)an FOI public authority.
(4)Those provisions are—
(a)the remaining provisions of Chapters II and III (principles and rights of the data subject);
(b)Chapter IV (controller and processor);
(c)Chapter IX (specific processing situations).
(5)A controller is not obliged to comply with Article 15(1) to (3) of [F18the UK GDPR] (right of access by the data subject) in relation to personal data to which [F19the UK GDPR] applies by virtue of [F20Article 2(1A)] if—
(a)the request under [F21Article 15] does not contain a description of the personal data, or
(b)the controller estimates that the cost of complying with the request so far as relating to the personal data would exceed the appropriate maximum.
(6)Subsection (5)(b) does not remove the controller's obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.
(7)An estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.
(8)In subsections (5) and (6), “the appropriate maximum” means the maximum amount specified by the Secretary of State by regulations.
(9)Regulations under subsection (8) are subject to the negative resolution procedure.
Textual Amendments
F7Words in s. 24(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in s. 24(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in s. 24(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in s. 24(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in s. 24(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12Words in s. 24(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13S. 24(2)(ca)(cb) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F14S. 24(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15Words in s. 24(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F16Words in s. 24(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F17Words in s. 24(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(4)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F18Words in s. 24(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F19Words in s. 24(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F20Words in s. 24(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F21Words in s. 24(5)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 32(5)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I1S. 24 in force at Royal Assent for specified purposes, see s. 212(2)(f)
(1)The provisions of [F22the UK GDPR] listed in subsection (2) do not apply to personal data to which [F23the UK GDPR] applies by virtue of [F24Article 2(1A)] (manual unstructured personal data held by FOI public authorities) at any time when—
(a)the personal data—
(i)is subject to processing which was already underway immediately before 24 October 1998, and
(ii)is processed only for the purposes of historical research, and
(b)the processing is not carried out—
(i)for the purposes of measures or decisions with respect to a particular data subject, or
(ii)in a way that causes, or is likely to cause, substantial damage or substantial distress to a data subject.
(2)Those provisions are—
(a)in Chapter II F25...(principles), Article 5(1)(d) (the accuracy principle), and
(b)in Chapter III F26... (rights of the data subject)—
(i)Article 16 (right to rectification), and
(ii)Article 17(1) and (2) (right to erasure).
(3)The exemptions in this section apply in addition to the exemptions in section 24.
Textual Amendments
F22Words in s. 25(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F23Words in s. 25(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F24Words in s. 25(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F25Words in s. 25(2)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F26Words in s. 25(2)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 33(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)A provision of [F27the UK GDPR] or this Act mentioned in subsection (2) does not apply to personal data to which [F28the UK GDPR] applies if exemption from the provision is required for—
(a)the purpose of safeguarding national security, or
(b)defence purposes.
(2)The provisions are—
(a)Chapter II of [F29the UK GDPR] (principles) except for—
(i)Article 5(1)(a) (lawful, fair and transparent processing), so far as it requires processing of personal data to be lawful;
(ii)Article 6 (lawfulness of processing);
(iii)Article 9 (processing of special categories of personal data);
(b)Chapter III of [F30the UK GDPR] (rights of data subjects);
(c)in Chapter IV of [F31the UK GDPR]—
(i)Article 33 (notification of personal data breach to the Commissioner);
(ii)Article 34 (communication of personal data breach to the data subject);
(d)Chapter V of [F32the UK GDPR] (transfers of personal data to third countries or international organisations);
(e)in Chapter VI of [F33the UK GDPR]—
(i)Article 57(1)(a) and (h) (Commissioner's duties to monitor and enforce [F33the UK GDPR] and to conduct investigations);
(ii)Article 58 (investigative, corrective, authorisation and advisory powers of Commissioner);
(f)Chapter VIII of [F34the UK GDPR] (remedies, liabilities and penalties) except for—
(i)Article 83 (general conditions for imposing administrative fines);
(ii)Article 84 (penalties);
[F35(fa)in Part 2 of this Act, sections 17A, 17B and 17C (transfers to third countries);]
(g)in Part 5 of this Act—
(i)in section 115 (general functions of the Commissioner), subsections (3) and (8);
(ii)in section 115, subsection (9), so far as it relates to Article 58(2)(i) of [F36the UK GDPR];
(iii)section 119 (inspection in accordance with international obligations);
[F37(iv)section 119A (standard clauses for transfers to third countries);]
(h)in Part 6 of this Act—
(i)sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);
(ii)sections 170 to 173 (offences relating to personal data);
(i)in Part 7 of this Act, section 187 (representation of data subjects).
Textual Amendments
F27Words in s. 26(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F28Words in s. 26(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F29Words in s. 26(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F30Words in s. 26(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F31Words in s. 26(2)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F32Words in s. 26(2)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F33Words in s. 26(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F34Words in s. 26(2)(f) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F35S. 26(2)(fa) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F36Words in s. 26(2)(g)(ii) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 34(3)(e)(i) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 26(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security is conclusive evidence of that fact.
(2)A certificate under subsection (1)—
(a)may identify the personal data to which it applies by means of a general description, and
(b)may be expressed to have prospective effect.
(3)Any person directly affected by a certificate under subsection (1) may appeal to the Tribunal against the certificate.
(4)If, on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing a certificate, the Tribunal may—
(a)allow the appeal, and
(b)quash the certificate.
(5)Where, in any proceedings under or by virtue of [F38the UK GDPR] or this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.
(6)But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.
(7)On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.
(8)A document purporting to be a certificate under subsection (1) is to be—
(a)received in evidence, and
(b)deemed to be such a certificate unless the contrary is proved.
(9)A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—
(a)in any legal proceedings, evidence of that certificate;
(b)in any legal proceedings in Scotland, sufficient evidence of that certificate.
(10)The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—
(a)a Minister who is a member of the Cabinet, or
(b)the Attorney General or the Advocate General for Scotland.
Textual Amendments
F38Words in s. 27(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 35 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)Article 9(1) of [F40the UK GDPR] (prohibition on processing of special categories of personal data) does not prohibit the processing of personal data to which [F41the UK GDPR] applies to the extent that the processing is carried out—
(a)for the purpose of safeguarding national security or for defence purposes, and
(b)with appropriate safeguards for the rights and freedoms of data subjects.
(2)Article 32 of [F42the UK GDPR] (security of processing) does not apply to a controller or processor to the extent that the controller or the processor (as the case may be) is processing personal data to which [F43the UK GDPR] applies for—
(a)the purpose of safeguarding national security, or
(b)defence purposes.
(3)Where Article 32 of [F44the UK GDPR] does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.
(4)For the purposes of subsection (3), where the processing of personal data is carried out wholly or partly by automated means, the controller or the processor must, following an evaluation of the risks, implement measures designed to—
(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with the processing,
(b)ensure that it is possible to establish the precise details of any processing that takes place,
(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
[F45(5)The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3).]
Textual Amendments
F39Words in s. 28 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F40Words in s. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F41Words in s. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F42Words in s. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F43Words in s. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F44Words in s. 28(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)