SCHEDULES

SCHEDULE 1U.K.Special categories of personal data and criminal convictions etc data

PART 4 U.K.Appropriate policy document and additional safeguards

Application of this Part of this ScheduleU.K.

38U.K.This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.

Requirement to have an appropriate policy document in placeU.K.

39U.K.The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—

(a)explains the controller's procedures for securing compliance with the principles in Article 5 of the [F1UK GDPR] (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and

(b)explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy documentU.K.

40(1)Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—U.K.

(a)retain the appropriate policy document,

(b)review and (if appropriate) update it from time to time, and

(c)make it available to the Commissioner, on request, without charge.

(2)Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—

(a)begins when the controller starts to carry out processing of personal data in reliance on that condition, and

(b)ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.

Additional safeguard: record of processingU.K.

41U.K.A record maintained by the controller, or the controller's representative, under Article 30 of the [F2UK GDPR] in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—

(a)which condition is relied on,

(b)how the processing satisfies Article 6 of the [F2UK GDPR] (lawfulness of processing), and

(c)whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.