xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom"

SCHEDULES

Section 10

SCHEDULE 1U.K.Special categories of personal data and criminal convictions etc data

PART 1 U.K.Conditions relating to employment, health and research etc

Employment, social security and social protectionU.K.

1(1)This condition is met if—U.K.

(a)the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)See also the additional safeguards in Part 4 of this Schedule.

(3)In this paragraph—

Textual Amendments

F2Words in Sch. 1 para. 1(3) substituted (15.12.2021) by The UK Statistics (Amendment etc.) (EU Exit) Regulations 2021 (S.I. 2021/1300), regs. 1, 2

Health or social care purposesU.K.

2(1)This condition is met if the processing is necessary for health or social care purposes.U.K.

(2)In this paragraph “health or social care purposes” means the purposes of—

(a)preventive or occupational medicine,

(b)the assessment of the working capacity of an employee,

(c)medical diagnosis,

(d)the provision of health care or treatment,

(e)the provision of social care, or

(f)the management of health care systems or services or social care systems or services.

(3)See also the conditions and safeguards in Article 9(3) of the [F3UK GDPR] (obligations of secrecy) and section 11(1).

Public healthU.K.

3U.K.This condition is met if the processing—

(a)is necessary for reasons of public interest in the area of public health, and

(b)is carried out—

(i)by or under the responsibility of a health professional, or

(ii)by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Research etcU.K.

4U.K.This condition is met if the processing—

(a)is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,

(b)is carried out in accordance with Article 89(1) of the [F4UK GDPR] (as supplemented by section 19), and

(c)is in the public interest.

PART 2 U.K.Substantial public interest conditions

Requirement for an appropriate policy document when relying on conditions in this PartU.K.

5(1)Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).U.K.

(2)See also the additional safeguards in Part 4 of this Schedule.

Statutory etc and government purposesU.K.

6(1)This condition is met if the processing—U.K.

(a)is necessary for a purpose listed in sub-paragraph (2), and

(b)is necessary for reasons of substantial public interest.

(2)Those purposes are—

(a)the exercise of a function conferred on a person by an enactment or rule of law;

(b)the exercise of a function of the Crown, a Minister of the Crown or a government department.

Administration of justice and parliamentary purposesU.K.

7U.K.This condition is met if the processing is necessary—

(a)for the administration of justice, or

(b)for the exercise of a function of either House of Parliament.

Equality of opportunity or treatmentU.K.

8(1)This condition is met if the processing—U.K.

(a)is of a specified category of personal data, and

(b)is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,

subject to the exceptions in sub-paragraphs (3) to (5).

(2)In sub-paragraph (1), “specified” means specified in the following table—

Category of personal dataGroups of people (in relation to a category of personal data)
Personal data revealing racial or ethnic originPeople of different racial or ethnic origins
Personal data revealing religious or philosophical beliefsPeople holding different religious or philosophical beliefs
Data concerning healthPeople with different states of physical or mental health
Personal data concerning an individual's sexual orientationPeople of different sexual orientation

(3)Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.

(4)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(5)Processing does not meet the condition in sub-paragraph (1) if—

(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b)the notice gave the controller a reasonable period in which to stop processing such data, and

(c)that period has ended.

Racial and ethnic diversity at senior levels of organisationsU.K.

9(1)This condition is met if the processing—U.K.

(a)is of personal data revealing racial or ethnic origin,

(b)is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,

(c)is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and

(d)can reasonably be carried out without the consent of the data subject,

subject to the exception in sub-paragraph (3).

(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(3)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(4)For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—

(a)holds a position listed in sub-paragraph (5), or

(b)does not hold such a position but is a senior manager of the organisation.

(5)Those positions are—

(a)a director, secretary or other similar officer of a body corporate;

(b)a member of a limited liability partnership;

(c)a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.

(6)In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—

(a)the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or

(b)the actual managing or organising of the whole or a substantial part of those activities.

(7)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Preventing or detecting unlawful actsU.K.

10(1)This condition is met if the processing—U.K.

(a)is necessary for the purposes of the prevention or detection of an unlawful act,

(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c)is necessary for reasons of substantial public interest.

(2)If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(3)In this paragraph—

Protecting the public against dishonesty etcU.K.

11(1)This condition is met if the processing—U.K.

(a)is necessary for the exercise of a protective function,

(b)must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and

(c)is necessary for reasons of substantial public interest.

(2)In this paragraph, “protective function” means a function which is intended to protect members of the public against—

(a)dishonesty, malpractice or other seriously improper conduct,

(b)unfitness or incompetence,

(c)mismanagement in the administration of a body or association, or

(d)failures in services provided by a body or association.

Regulatory requirements relating to unlawful acts and dishonesty etcU.K.

12(1)This condition is met if—U.K.

(a)the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—

(i)committed an unlawful act, or

(ii)been involved in dishonesty, malpractice or other seriously improper conduct,

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and

(c)the processing is necessary for reasons of substantial public interest.

(2)In this paragraph—

Journalism etc in connection with unlawful acts and dishonesty etcU.K.

13(1)This condition is met if—U.K.

(a)the processing consists of the disclosure of personal data for the special purposes,

(b)it is carried out in connection with a matter described in sub-paragraph (2),

(c)it is necessary for reasons of substantial public interest,

(d)it is carried out with a view to the publication of the personal data by any person, and

(e)the controller reasonably believes that publication of the personal data would be in the public interest.

(2)The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—

(a)the commission of an unlawful act by a person;

(b)dishonesty, malpractice or other seriously improper conduct of a person;

(c)unfitness or incompetence of a person;

(d)mismanagement in the administration of a body or association;

(e)a failure in services provided by a body or association.

(3)The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(4)In this paragraph—

Preventing fraudU.K.

14(1)This condition is met if the processing—U.K.

(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and

(b)consists of—

(i)the disclosure of personal data by a person as a member of an anti-fraud organisation,

(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or

(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).

(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.

Suspicion of terrorist financing or money launderingU.K.

15U.K.This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—

(a)section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);

(b)section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).

Support for individuals with a particular disability or medical conditionU.K.

16(1)This condition is met if the processing—U.K.

(a)is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,

(b)is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),

(c)is necessary for the purposes of—

(i)raising awareness of the disability or medical condition, or

(ii)providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,

(d)can reasonably be carried out without the consent of the data subject, and

(e)is necessary for reasons of substantial public interest.

(2)The following types of personal data fall within this sub-paragraph—

(a)personal data revealing racial or ethnic origin;

(b)genetic data or biometric data;

(c)data concerning health;

(d)personal data concerning an individual's sex life or sexual orientation.

(3)An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—

(a)has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or

(b)is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.

(4)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(5)In this paragraph—

(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Counselling etcU.K.

17(1)This condition is met if the processing—U.K.

(a)is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,

(b)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(c)is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(b) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).

Safeguarding of children and of individuals at riskU.K.

18(1)This condition is met if—U.K.

(a)the processing is necessary for the purposes of—

(i)protecting an individual from neglect or physical, mental or emotional harm, or

(ii)protecting the physical, mental or emotional well-being of an individual,

(b)the individual is—

(i)aged under 18, or

(ii)aged 18 or over and at risk,

(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)the processing is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(c) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a)has needs for care and support,

(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Safeguarding of economic well-being of certain individualsU.K.

19(1)This condition is met if the processing—U.K.

(a)is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,

(b)is of data concerning health,

(c)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(c) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.

InsuranceU.K.

20(1)This condition is met if the processing—U.K.

(a)is necessary for an insurance purpose,

(b)is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and

(c)is necessary for reasons of substantial public interest,

subject to sub-paragraphs (2) and (3).

(2)Sub-paragraph (3) applies where—

(a)the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and

(b)the data subject does not have and is not expected to acquire—

(i)rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or

(ii)other rights or obligations in connection with such a contract.

(3)Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.

(4)For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(5)In this paragraph—

(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

(7)Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.

Occupational pensionsU.K.

21(1)This condition is met if the processing—U.K.

(a)is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,

(b)is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,

(c)is not carried out for the purposes of measures or decisions with respect to the data subject, and

(d)can reasonably be carried out without the consent of the data subject.

(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(3)In this paragraph—

(4)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Political partiesU.K.

22(1)This condition is met if the processing—U.K.

(a)is of personal data revealing political opinions,

(b)is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and

(c)is necessary for the purposes of the person's or organisation's political activities,

subject to the exceptions in sub-paragraphs (2) and (3).

(2)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.

(3)Processing does not meet the condition in sub-paragraph (1) if—

(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b)the notice gave the controller a reasonable period in which to stop processing such data, and

(c)that period has ended.

(4)In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.

Elected representatives responding to requestsU.K.

23(1)This condition is met if—U.K.

(a)the processing is carried out—

(i)by an elected representative or a person acting with the authority of such a representative,

(ii)in connection with the discharge of the elected representative's functions, and

(iii)in response to a request by an individual that the elected representative take action on behalf of the individual, and

(b)the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,

subject to sub-paragraph (2).

(2)Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;

(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.

(3)In this paragraph, “elected representative” means—

(a)a member of the House of Commons;

(b)a member of the National Assembly for Wales;

(c)a member of the Scottish Parliament;

(d)a member of the Northern Ireland Assembly;

F5(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(f)an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—

(i)in England, a county council, a district council, a London borough council or a parish council;

(ii)in Wales, a county council, a county borough council or a community council;

(g)an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;

(h)a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;

[F6(ha)a mayor for the area of a combined county authority established under section 9(1) of the Levelling-up and Regeneration Act 2023;]

(i)the Mayor of London or an elected member of the London Assembly;

(j)an elected member of—

(i)the Common Council of the City of London, or

(ii)the Council of the Isles of Scilly;

(k)an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;

(l)an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));

(m)a police and crime commissioner.

(4)For the purposes of sub-paragraph (3), a person who is—

(a)a member of the House of Commons immediately before Parliament is dissolved,

(b)a member of the National Assembly for Wales immediately before that Assembly is dissolved,

(c)a member of the Scottish Parliament immediately before that Parliament is dissolved, or

(d)a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,

is to be treated as if the person were such a member until the end of the fourth day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.

(5)For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.

Disclosure to elected representativesU.K.

24(1)This condition is met if—U.K.

(a)the processing consists of the disclosure of personal data—

(i)to an elected representative or a person acting with the authority of such a representative, and

(ii)in response to a communication to the controller from that representative or person which was made in response to a request from an individual,

(b)the personal data is relevant to the subject matter of that communication, and

(c)the disclosure is necessary for the purpose of responding to that communication,

subject to sub-paragraph (2).

(2)Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;

(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.

(3)In this paragraph, “elected representative” has the same meaning as in paragraph 23.

Informing elected representatives about prisonersU.K.

25(1)This condition is met if—U.K.

(a)the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and

(b)the member is under an obligation not to further disclose the personal data.

(2)The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.

(3)In this paragraph—

Publication of legal judgmentsU.K.

26U.K.This condition is met if the processing—

(a)consists of the publication of a judgment or other decision of a court or tribunal, or

(b)is necessary for the purposes of publishing such a judgment or decision.

Anti-doping in sportU.K.

27(1)This condition is met if the processing is necessary—U.K.

(a)for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or

(b)for the purposes of providing information about doping, or suspected doping, to such a body or association.

(2)The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.

(3)If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

Standards of behaviour in sportU.K.

28(1)This condition is met if the processing—U.K.

(a)is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,

(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c)is necessary for reasons of substantial public interest.

(2)In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—

(a)dishonesty, malpractice or other seriously improper conduct, or

(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.

PART 3 U.K.Additional conditions relating to criminal convictions etc

ConsentU.K.

29U.K.This condition is met if the data subject has given consent to the processing.

Protecting individual's vital interestsU.K.

30U.K.This condition is met if—

(a)the processing is necessary to protect the vital interests of an individual, and

(b)the data subject is physically or legally incapable of giving consent.

Processing by not-for-profit bodiesU.K.

31U.K.This condition is met if the processing is carried out—

(a)in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and

(b)on condition that—

(i)the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and

(ii)the personal data is not disclosed outside that body without the consent of the data subjects.

Personal data in the public domainU.K.

32U.K.This condition is met if the processing relates to personal data which is manifestly made public by the data subject.

Legal claimsU.K.

33U.K.This condition is met if the processing—

(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Judicial actsU.K.

34U.K.This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity.

Administration of accounts used in commission of indecency offences involving childrenU.K.

35(1)This condition is met if—U.K.

(a)the processing is of personal data about a conviction or caution for an offence listed in sub-paragraph (2),

(b)the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card, and

(c)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)Those offences are an offence under—

(a)section 1 of the Protection of Children Act 1978 (indecent photographs of children),

(b)Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),

(c)section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),

(d)section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),

(e)Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or

(f)section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),

or incitement to commit an offence under any of those provisions.

(3)See also the additional safeguards in Part 4 of this Schedule.

(4)In this paragraph—

Extension of conditions in Part 2 of this Schedule referring to substantial public interestU.K.

36U.K.This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest.

Extension of insurance conditionsU.K.

37U.K.This condition is met if the processing—

(a)would meet the condition in paragraph 20 in Part 2 of this Schedule (the “insurance condition”), or

(b)would meet the condition in paragraph 36 by virtue of the insurance condition,

but for the requirement for the processing to be processing of a category of personal data specified in paragraph 20(1)(b).

PART 4 U.K.Appropriate policy document and additional safeguards

Application of this Part of this ScheduleU.K.

38U.K.This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.

Requirement to have an appropriate policy document in placeU.K.

39U.K.The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—

(a)explains the controller's procedures for securing compliance with the principles in Article 5 of the [F7UK GDPR] (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and

(b)explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy documentU.K.

40(1)Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—U.K.

(a)retain the appropriate policy document,

(b)review and (if appropriate) update it from time to time, and

(c)make it available to the Commissioner, on request, without charge.

(2)Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—

(a)begins when the controller starts to carry out processing of personal data in reliance on that condition, and

(b)ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.

Additional safeguard: record of processingU.K.

41U.K.A record maintained by the controller, or the controller's representative, under Article 30 of the [F8UK GDPR] in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—

(a)which condition is relied on,

(b)how the processing satisfies Article 6 of the [F8UK GDPR] (lawfulness of processing), and

(c)whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.