- Latest available (Revised)
- Point in Time (23/05/2018)
- Original (As enacted)
Point in time view as at 23/05/2018. This version of this schedule contains provisions that are not valid for this point in time.
Data Protection Act 2018, SCHEDULE 19 is up to date with all changes known to be in force on or before 18 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
Section 211
Valid from 25/05/2018
1(1)Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
Valid from 25/05/2018
2(1)Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.U.K.
(2)In subsection (8)—
(a)omit “personal data protection legislation in the United Kingdom that implements”,
(b)for paragraph (a) substitute—
“(a)the GDPR; and”, and
(c)in paragraph (b), at the beginning insert “ legislation in the United Kingdom that implements ”.
(3)In subsection (9), after “section” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
Valid from 25/05/2018
3U.K.In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
4U.K.The Local Government Act 1974 is amended as follows.
5U.K.In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
6U.K.In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
7U.K.The Consumer Credit Act 1974 is amended as follows.
8U.K.In section 157(2A) (duty to disclose name etc of agency)—
(a)in paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
(b)in paragraph (b), after “any” insert “ other ”.
9U.K.In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “ Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) ”.
10U.K.In section 189(1) (definitions), at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.
Valid from 25/05/2018
11U.K.The Pharmacy (Northern Ireland) Order 1976 is amended as follows.
12U.K.In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.
13U.K.In article 8D (European professional card), after paragraph (3) insert—
“(4)In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
14U.K.In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—
“(za)“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
15(1)Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.U.K.
(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
16(1)The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
17(1)Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (2)(a), after “provision” insert “ or the GDPR ”.
(3)For sub-paragraph (3) substitute—
“(3)In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4)After sub-paragraph (4) insert—
“(5)In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
Valid from 25/05/2018
18(1)Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.U.K.
(2)In paragraph 1A(5), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
(3)In paragraph 8C(2), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
(4)In paragraph 11A—
(a)in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “ to supply information ”, and
(b)omit sub-paragraph (2).
Valid from 25/05/2018
19U.K.The Medical Act 1983 is amended as follows.
20(1)Section 29E (evidence) is amended as follows.U.K.
(2)In subsection (5), after “enactment” insert “ or the GDPR ”.
(3)For subsection (7) substitute—
“(7)In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)In subsection (9), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
21(1)Section 35A (General Medical Council's power to require disclosure of information) is amended as follows.U.K.
(2)In subsection (4), after “enactment” insert “ or the GDPR ”.
(3)For subsection (5A) substitute—
“(5A)In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)In subsection (7), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
22U.K.In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
23U.K.In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.
24(1)Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.U.K.
(2)In sub-paragraph (2)(a), after “enactment” insert “ or the GPDR ”.
(3)After sub-paragraph (3) insert—
“(4)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
25(1)Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.U.K.
(2)In sub-paragraph (8), after “enactment” insert “ or the GDPR ”.
(3)For sub-paragraph (8A) substitute—
“(8A)In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4)After sub-paragraph (13) insert—
“(14)In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
26(1)The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
Valid from 25/05/2018
27U.K.The Dentists Act 1984 is amended as follows.
28(1)Section 33B (the General Dental Council's power to require disclosure of information: the dental profession) is amended as follows.U.K.
(2)In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
(3)For subsection (4) substitute—
“(4)For the purposes of subsection (3)—
“relevant enactment” means any enactment other than—
this Act, or
the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).”
(4)After subsection (10) insert—
“(11)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
29U.K.In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
30(1)Section 36Y (the General Dental Council's power to require disclosure of information: professions complementary to dentistry) is amended as follows.U.K.
(2)In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
(3)For subsection (4) substitute—
“(4)For the purposes of subsection (3)—
“relevant enactment” means any enactment other than—
this Act, or
the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).”
(4)After subsection (10) insert—
“(11)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
31U.K.In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.
32(1)The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
Valid from 25/05/2018
33U.K.In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
Valid from 25/05/2018
34U.K.In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—
““health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act);”.
Valid from 25/05/2018
35(1)Section 13B of the Opticians Act 1989 (the Council's power to require disclosure of information) is amended as follows.U.K.
(2)In subsection (3), after “enactment” insert “ or the GDPR ”.
(3)For subsection (4) substitute—
“(4)In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)After subsection (9) insert—
“(10)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
Valid from 25/05/2018
36U.K.The Access to Health Records Act 1990 is amended as follows.
37U.K.For section 2 substitute—
In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).”
38(1)Section 3 (right of access to health records) is amended as follows.U.K.
(2)In subsection (2), omit “Subject to subsection (4) below,”.
(3)In subsection (4), omit from “other than the following” to the end.
Valid from 25/05/2018
39(1)Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (9), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
40(1)Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.U.K.
(2)In subsection (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
41U.K.In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “ section 114 of the Data Protection Act 2018 ”.
Valid from 25/05/2018
42(1)Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.U.K.
(2)In paragraph (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After paragraph (6) insert—
“(7)In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
43U.K.In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
44U.K.The Data Protection Act 1998 is repealed, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments).
Valid from 25/05/2018
45U.K.In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
Valid from 25/05/2018
46(1)Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (8), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
47(1)Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.U.K.
(2)For subsection (4) substitute—
“(4)For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”
(3)After subsection (4) insert—
“(4A)“The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
Valid from 25/05/2018
48U.K.The Financial Services and Markets Act 2000 is amended as follows.
49U.K.In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—
(a)the data protection legislation, or
(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.
50U.K.In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
51U.K.In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
52U.K.In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
53U.K.In section 417 (definitions), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
54U.K.In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
Valid from 25/05/2018
55U.K.The Freedom of Information Act 2000 is amended as follows.
Valid from 25/05/2018
56U.K.In section 2(3) (absolute exemptions), for paragraph (f) substitute—
“(f)section 40(1),
(fa)section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.
Valid from 25/05/2018
57U.K.In section 18 (the Information Commissioner), omit subsection (1).
Valid from 25/05/2018
58(1)Section 40 (personal information) is amended as follows.U.K.
(2)In subsection (2)—
(a)in paragraph (a), for “do” substitute “ does ”, and
(b)in paragraph (b), for “either the first or the second” substitute “ the first, second or third ”.
(3)For subsection (3) substitute—
“(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”
(4)For subsection (4) substitute—
“(4A)The third condition is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(5)For subsection (5) substitute—
“(5A)The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).
(5B)The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—
(a)giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—
(i)would (apart from this Act) contravene any of the data protection principles, or
(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;
(b)giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);
(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);
(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(6)Omit subsection (6).
(7)For subsection (7) substitute—
“(7)In this section—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR, and
section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act).
(8)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
Valid from 25/05/2018
59U.K.Omit section 49 (reports to be laid before Parliament).
60U.K.For section 61 (appeal proceedings) substitute—
(1)Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).
(2)In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—
(a)securing the production of material used for the processing of personal data, and
(b)the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.
(3)Subsection (4) applies where—
(a)a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and
(b)if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.
(4)The First-tier Tribunal may certify the offence to the Upper Tribunal.
(5)Where an offence is certified under subsection (4), the Upper Tribunal may—
(a)inquire into the matter, and
(b)deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.
(6)Before exercising the power under subsection (5)(b), the Upper Tribunal must—
(a)hear any witness who may be produced against or on behalf of the person charged with the offence, and
(b)hear any statement that may be offered in defence.
(7)In this section, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”
Commencement Information
I1Sch. 19 para. 60 in force at Royal Assent for specified purposes, see s. 212(2)(f)
Valid from 25/05/2018
61U.K.In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
Valid from 25/05/2018
62U.K.After section 76A insert—
(1)No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions in connection with appeals under section 60 of this Act.
(2)But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(3)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.”
Valid from 25/05/2018
63U.K.In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.
Valid from 25/05/2018
64U.K.In section 84 (interpretation), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
65(1)Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (5) insert—
“(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
66U.K.The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.
67U.K.In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
68U.K.In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
69U.K.In section 29(1) (interpretation), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
70U.K.The Criminal Justice and Police Act 2001 is amended as follows.
71U.K.In section 57(1) (retention of seized items)—
(a)omit paragraph (m), and
(b)after paragraph (s) insert—
“(t)paragraph 10 of Schedule 15 to the Data Protection Act 2018;”.
72U.K.In section 65(7) (meaning of “legal privilege”)—
(a)for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “ paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 ”, and
(b)for “paragraph 9” substitute “ paragraph 11 (matters exempt from inspection and seizure: privileged communications) ”.
73U.K.In Schedule 1 (powers of seizure)—
(a)omit paragraph 65, and
(b)after paragraph 73R insert—
73SThe power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 (powers of entry and inspection).”
Valid from 25/05/2018
74U.K.The Anti-terrorism, Crime and Security Act 2001 is amended as follows.
75(1)Section 19 (disclosure of information held by revenue departments) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (9), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Prospective
F176U.K.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
Valid from 25/05/2018
77(1)Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.U.K.
(2)In subsection (3), after “provision” insert “ or the GDPR ”.
(3)For subsection (5) substitute—
“(5)In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)After subsection (7) insert—
“(8)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
Valid from 25/05/2018
78(1)Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (9) insert—
“(10)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
79U.K.The Proceeds of Crime Act 2002 is amended as follows.
80U.K.In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
81U.K.In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
82U.K.In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
83U.K.In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
84U.K.In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
85U.K.After section 442 insert—
In this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
86(1)Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.U.K.
(2)In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
87(1)In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.U.K.
(2)In paragraph 1, for sub-paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”.
(3)For paragraph 2 substitute—
“2The commission of an offence under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
88U.K.The Freedom of Information (Scotland) Act 2002 is amended as follows.
89U.K.In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.
90(1)Section 38 (personal information) is amended as follows.U.K.
(2)In subsection (1), for paragraph (b) substitute—
“(b)personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.
(3)For subsection (2) substitute—
“(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”
(4)For subsection (3) substitute—
“(3A)The third condition is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(5)Omit subsection (4).
(6)In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—
““the data protection principles” means the principles set out in—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act);”.
(7)After that subsection insert—
“(5A)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
Valid from 25/05/2018
91U.K.Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.
92(1)Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.U.K.
(2)In sub-paragraph (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (5) insert—
“(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
93(1)Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In sub-paragraph (8), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
94(1)Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (8), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
95U.K.The Criminal Justice Act 2003 is amended as follows.
96U.K.In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
97U.K.In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—
“(4A)“The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
98(1)Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research) is amended as follows.U.K.
(2)In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”.
(3)After subsection (9) insert—
“(10)In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Valid from 25/05/2018
99(1)Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (5), at the beginning insert “In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
100U.K.The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.
101(1)Section 15A (disclosure of information by tax authorities) is amended as follows.U.K.
(2)In subsection (2)—
(a)omit “within the meaning of the Data Protection Act 1998”, and
(b)for “that Act” substitute “ the data protection legislation ”.
(3)After subsection (7) insert—
“(8)In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
102(1)Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (7) insert—
“(8)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
103(1)Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
104U.K.The Children Act 2004 is amended as follows.
105(1)Section 12 (information databases) is amended as follows.U.K.
(2)In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (13) insert—
“(14)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
106(1)Section 29 (information databases: Wales) is amended as follows.U.K.
(2)In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (14) insert—
“(15)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
107(1)Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (9) insert—
“(10)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
108U.K.In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—
““health record” has the same meaning as in the Data Protection Act 2018 (see section 205 of that Act);”.
Valid from 25/05/2018
109(1)Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.U.K.
(2)In subsection (4), for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);”.
(3)For subsection (5) substitute—
“(5)The offences are those under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
110(1)Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(4)After that subsection insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
111(1)Section 352 of the Gambling Act 2005 (data protection) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(4)After that subsection insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
112(1)Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.U.K.
(2)In subsection (7), for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);”.
(3)For subsection (8) substitute—
“(8)The offences are those under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
113U.K.The National Health Service Act 2006 is amended as follows.
114(1)Section 251 (control of patient information) is amended as follows.U.K.
(2)In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “ of the data protection legislation ”.
(3)In subsection (13), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
115(1)Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (3) insert—
“(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
116U.K.In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
Valid from 25/05/2018
117U.K.The National Health Service (Wales) Act 2006 is amended as follows.
118(1)Section 201C (provision of information about medical supplies: supplementary) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (3) insert—
“(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
119U.K.In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
Valid from 25/05/2018
120U.K.The Companies Act 2006 is amended as follows.
121U.K.In section 458(2) (disclosure of information by tax authorities)—
(a)for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “ within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act) ”, and
(b)for “that Act” substitute “ the data protection legislation ”.
122U.K.In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
123U.K.In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
124U.K.In section 1173(1) (minor definitions: general), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
125U.K.In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
126U.K.In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
127U.K.In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
128U.K.In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—
“the data protection legislation | section 1261(1)”. |
129U.K.In Schedule 8 (index of defined expressions: general), at the appropriate place insert—
“the data protection legislation | section 1173(1)”. |
Valid from 25/05/2018
130U.K.The Tribunals, Courts and Enforcement Act 2007 is amended as follows.
131U.K.In section 11(5)(b) (right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
132U.K.In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
Valid from 25/05/2018
133U.K.The Statistics and Registration Service Act 2007 is amended as follows.
134(1)Section 45 (information held by HMRC) is amended as follows.U.K.
(2)In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(3)In subsection (4B), for “the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
135(1)Section 45A (information held by other public authorities) is amended as follows.U.K.
(2)In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(3)In subsection (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)In subsection (12)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(5)In subsection 12(c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
136(1)Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.U.K.
(2)In paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In paragraph (c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
137(1)Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.U.K.
(2)In paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In paragraph (d), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
138U.K.In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
139(1)Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.U.K.
(2)In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(4)In subsection (17), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
140(1)Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.U.K.
(2)In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(3)In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)In subsection (12)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
141(1)Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.U.K.
(2)In the heading, omit “Data Protection Act 1998 and”.
(3)Omit paragraph (a) (together with the final “or”).
142U.K.In section 67 (general interpretation: Part 1), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
143U.K.The Serious Crime Act 2007 is amended as follows.
144(1)Section 5A (verification and disclosure of information) is amended as follows.U.K.
(2)In subsection (6)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
145(1)Section 68 (disclosure of information to prevent fraud) is amended as follows.U.K.
(2)In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (8), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
146(1)Section 85 (disclosure of information by Revenue and Customs) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (9), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
147(1)Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
148U.K.In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—
“(5)In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act).”
Valid from 25/05/2018
149U.K.The Criminal Justice and Immigration Act 2008 is amended as follows.
150U.K.Omit—
(a)section 77 (power to alter penalty for unlawfully obtaining etc personal data), and
(b)section 78 (new defence for obtaining etc for journalism and other special purposes).
151(1)Section 114 (supply of information to Secretary of State etc) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (6) insert—
“(6A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
152(1)Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.U.K.
(2)In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (5) insert—
“(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
153U.K.In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act); ”.
Valid from 25/05/2018
154(1)Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (4) insert—
“(5)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
155(1)Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (7) insert—
“(7A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
156(1)Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.U.K.
(2)In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (11), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
157(1)Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.U.K.
(2)In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (4) insert—
“(5)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
158U.K.The Marine and Coastal Access Act 2009 is amended as follows.
159(1)Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
160(1)Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
161U.K.In Schedule 21 to the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).
Valid from 25/05/2018
162(1)Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.U.K.
(2)In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (6), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
163(1)Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.U.K.
(2)In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
164(1)Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (6), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
165(1)Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
166(1)Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that subsection insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
167U.K.The Welsh Language (Wales) Measure 2011 is amended as follows.
168(1)Section 22 (power to disclose information) is amended as follows.U.K.
(2)In subsection (4)—
(a)in the English language text, for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);”, and
(b)in the Welsh language text, for paragraph (a) substitute—
“(a)adrannau 142 i 154, 160 i 164, neu 174 i 176 o Ddeddf Diogelu Data 2018 neu Atodlen 15 i'r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.
(3)For subsection (5)—
(a)in the English language text substitute—
“(5)The offences referred to under subsection (3)(b) are those under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”, and
(b)in the Welsh language text substitute—
“(5)Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw'r rhai—
(a)o dan ddarpariaeth yn Neddf Diogelu Data 2018 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu
(b)o dan adran 77 o Ddeddf Rhyddid Gwybodaeth 2000 (trosedd o altro etc cofnodion gyda'r bwriad o atal datgelu).”
(4)In subsection (8)—
(a)in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
(5)In subsection (9)—
(a)at the appropriate place in the English language text insert—
““the data protection legislation” (“y ddeddfwriaeth diogelu data”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(b)at the appropriate place in the Welsh language text insert—
““mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);”.
169(1)Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.U.K.
(2)In sub-paragraph (7)—
(a)in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
(3)In sub-paragraph (8)—
(a)in the English language text, after “this paragraph” insert “—
“the data protection legislation” (“y ddeddfwriaeth diogelu data”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(b)in the Welsh language text, after “hwn” insert—
““mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);”.
Valid from 25/05/2018
170(1)Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.U.K.
(2)In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (3) insert—
“(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
171U.K.The Health and Social Care Act 2012 is amended as follows.
172U.K.In section 250(7) (power to publish information standards), for the definition of “processing” substitute—
““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
173(1)Section 251A (consistent identifiers) is amended as follows.U.K.
(2)In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
174(1)Section 251B (duty to share information) is amended as follows.U.K.
(2)In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
175U.K.The Protection of Freedoms Act 2012 is amended as follows.
176(1)Section 27 (exceptions and further provision about consent and notification) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (5) insert—
“(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
177U.K.In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—
““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
178U.K.In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—
““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
Valid from 25/05/2018
179(1)Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (5) insert—
“(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
180U.K.The Crime and Courts Act 2013 is amended as follows.
181(1)Section 42 (other interpretive provisions) is amended as follows.U.K.
(2)In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “ Article 82 of the GDPR or section 168 or 169 of the Data Protection Act 2018 (compensation for contravention of the data protection legislation) ”.
(3)After subsection (5) insert—
“(5A)In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
182(1)Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In that sub-paragraph, in paragraph (a)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(4)After that sub-paragraph, insert—
“(2)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
183(1)Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
184(1)Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.U.K.
(2)In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (3) insert—
“(3A)“The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
(4)In sub-paragraph (4), for “comprise or include” substitute “ comprises or includes ”.
Valid from 25/05/2018
185(1)Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.U.K.
(2)In sub-paragraph (4)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(3)After sub-paragraph (5) insert—
“(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
186(1)Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In that sub-paragraph, in paragraph (a)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(4)After that sub-paragraph insert—
“(2)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
187U.K.In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—
“(a)a health record (within the meaning given in section 205 of the Data Protection Act 2018),”.
Valid from 25/05/2018
188U.K.In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—
(a)in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”, and
(b)in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “ personal data ” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno))”.
Valid from 25/05/2018
189(1)Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.U.K.
(2)In subsection (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (4) insert—
“(4A)“The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
190(1)Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.U.K.
(2)In subsection (7)—
(a)for paragraph (b) substitute—
“(b)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and
(b)omit paragraph (c).
(3)After subsection (7) insert—
“(7A)In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
Valid from 25/05/2018
191(1)Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.U.K.
(2)In subsection (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (9), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
192U.K.The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.
193U.K.In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
194U.K.In section 25(1) (interpretation of this Act), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
195U.K.In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
Valid from 25/05/2018
196(1)Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (7), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
197(1)Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (11), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Valid from 25/05/2018
198U.K.The Investigatory Powers Act 2016 is amended as follows.
199U.K.In section 1(5)(b), for sub-paragraph (ii) substitute—
“(ii)in section 170 of the Data Protection Act 2018 (unlawful obtaining etc of personal data),”.
200U.K.In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—
“(2)In this Part, “personal data” means—
(a)personal data within the meaning of section 3(2) of the Data Protection Act 2018 which is subject to processing described in section 82(1) of that Act, and
(b)data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”
Prospective
F2201U.K.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
202U.K.In section 206 (additional safeguards for health records), for subsection (7) substitute—
“(7)In subsection (6)—
“health professional” has the same meaning as in the Data Protection Act 2018 (see section 204(1) of that Act);
“health service body” has meaning given by section 204(4) of that Act.”
203(1)Section 237 (information gateway) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (2) insert—
“(3)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
204(1)Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.U.K.
(2)In subsection (4), for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 and 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”.
(3)For subsection (5) substitute—
“(5)The offences are those under—
(a)any provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (powers of entry and inspection: offences),
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
(4)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
205(1)Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.U.K.
(2)In subsection (8), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
(3)After subsection (12) insert—
“(12A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
206U.K.In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—
““health record” has the meaning given by section 205 of the Data Protection Act 2018;”.
Valid from 25/05/2018
207U.K.The Justice Act (Northern Ireland) 2016 is amended as follows.
208(1)Section 17 (disclosure of information) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (8), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
209U.K.In section 44(3) (disclosure of information)—
(a)in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “ sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 ”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
Valid from 25/05/2018
210(1)Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that subsection, insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 02/12/2019
211U.K.In Schedule 5 to the Children and Social Work Act 2017—
(a)in Part 1 (general amendments to do with social workers etc in England), omit paragraph 6, and
(b)in Part 2 (renaming of Health and Social Work Professions Order 2001), omit paragraph 47(g).
Valid from 25/05/2018
212U.K.The Higher Education and Research Act 2017 is amended as follows.
213(1)Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (7), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
214(1)Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (6) insert —
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
Valid from 25/05/2018
215U.K.The Digital Economy Act 2017 is amended as follows.
216(1)Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (10) insert—
“(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
217(1)Section 43 (codes of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
218(1)Section 49 (further provision about disclosures under section 48) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (10) insert—
“(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
219(1)Section 52 (code of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
220(1)Section 57 (further provision about disclosures under section 56) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (10) insert—
“(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
221(1)Section 60 (code of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
222(1)Section 65 (supplementary provision about disclosures under section 64) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
223(1)Section 70 (code of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
224U.K.Omit sections 108 to 110 (charges payable to the Information Commissioner).
Valid from 25/05/2018
225(1)Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.U.K.
(2)In subsection (4)(a)—
(a)in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”, and
(b)in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri'r ddeddfwriaeth diogelu data”.
(3)After subsection (7)—
(a)in the English language text insert—
“(8)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”, and
(b)in the Welsh language text insert—
“(8)Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno).”
Valid from 25/05/2018
226(1)Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.U.K.
(2)In the English language text—
(a)in subsection (9), omit from “and in this subsection” to the end, and
(b)after subsection (9) insert—
“(9A)In subsection (9)—
“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;
“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
(3)In the Welsh language text—
(a)in subsection (9), omit from “ac yn yr is-adran hon” to the end, and
(b)after subsection (9) insert—
“(9A)Yn is-adran (9)—
mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno);
mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o'r Ddeddf honno.”
Valid from 02/12/2019
227(1)Section 204 of this Act (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).U.K.
(2)In subsection (1)(g)—
(a)omit “and Social Work”, and
(b)omit “, other than the social work profession in England”.
(3)In subsection (2), for paragraph (a) substitute—
“(a)a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.
Valid from 25/05/2018
228U.K.In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—
“Data Protection Act 2018 | Section 144 | False statements made in response to an information notice |
Section 148 | Destroying or falsifying information and documents etc” |
229(1)Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.U.K.
(2)In paragraph (2)—
(a)for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “ section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is ”,
(b)for “data controller” substitute “ controller ”,
(c)after “in the context of” insert “ the activities of ”, and
(d)for “and the 1998 Act” substitute “ and the 2018 Act ”.
(3)In paragraph (3)—
(a)for “section 5 of the 1998 Act, data which are” substitute “ section 207 of the 2018 Act, data which is ”,
(b)for “data controller” substitute “ controller ”,
(c)after “in the context of” insert “ the activities of ”, and
(d)for “and the 1998 Act” substitute “ and the 2018 Act ”.
230U.K.The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.
231U.K.In Article 4 (health professionals), for paragraph (1) substitute—
“(1)In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).”
232U.K.In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “ made by the Department ”.
233U.K.In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—
“(2)For the purposes of section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).
(3)For the purposes of section 207 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”
234U.K.The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.
235(1)Regulation 2(1) (interpretation) is amended as follows.U.K.
(2)Omit the definition of “Directive 95/46/EC”.
(3)At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
236(1)The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
237U.K.For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—
7(1)The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2)The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—
(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b)section 209 (application to the Crown),
(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3)In the provisions mentioned in paragraph (4)—
(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and
(b)references to a person in the service of the Crown are to be treated as including a person so employed.
(4)The provisions are—
(a)section 24(3) (exemption for certain data relating to employment under the Crown), and
(b)section 209(6) (application of certain provisions to a person in the service of the Crown).
(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
238U.K.For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—
9(1)The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2)The Commission is to be treated as a government department for the purposes of the following provisions—
(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b)section 209 (application to the Crown),
(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3)In the provisions mentioned in paragraph (4)—
(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and
(b)references to a person in the service of the Crown are to be treated as including a person so employed.
(4)The provisions are—
(a)section 24(3) (exemption for certain data relating to employment under the Crown), and
(b)section 209(6) (application of certain provisions to a person in the service of the Crown).
(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
239U.K.The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.
240U.K.The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.
241U.K.The Data Protection (Functions of Designated Authority) Order 2000 is revoked.
242U.K.The Data Protection (International Co-operation) Order 2000 is revoked.
243U.K.The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.
244U.K.In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.
245U.K.The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.
246U.K.The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.
247U.K.The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.
248U.K.The Data Protection (Crown Appointments) Order 2000 is revoked.
249U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.
250U.K.The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.
251U.K.The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.
252U.K.The Representation of the People (England and Wales) Regulations 2001 are amended as follows.
253U.K.In regulation 3(1) (interpretation), at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
254U.K.In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
255U.K.In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
256U.K.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
257U.K.In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes;”.
258(1)Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.U.K.
(2)After sub-paragraph (b) insert—
“(ba)“relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3)Omit sub-paragraphs (c) and (d).
259U.K.In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
260U.K.In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
261U.K.In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
262U.K.In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
263U.K.In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
264U.K.In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
“(i)Article 89 GDPR purposes;”.
265U.K.The Representation of the People (Scotland) Regulations 2001 are amended as follows.
266U.K.In regulation 3(1) (interpretation), at the appropriate places, insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
267U.K.In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
268U.K.In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
269U.K.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
270U.K.In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes;”.
271U.K.In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes;”.
272(1)Regulation 92(2) (interpretation of Part VI etc) is amended as follows.U.K.
(2)After sub-paragraph (b) insert—
“(ba)“relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3)Omit sub-paragraphs (c) and (d).
273U.K.In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
274U.K.In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
275U.K.In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
276U.K.In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
277U.K.In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
“(i)Article 89 GDPR purposes;”.
278(1)Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.U.K.
(2)In paragraph (2B), for sub-paragraph (a) substitute—
“(a)the disclosure is made in accordance with Chapter V of the GDPR;”.
(3)After paragraph (5) insert—
“(6)In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
279U.K.The Nursing and Midwifery Order 2001 is amended as follows.
280(1)Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.U.K.
(2)In paragraph (18), after “enactment” insert “ or the GDPR ”.
(3)After paragraph (18) insert—
“(19)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
281(1)Article 25 (the Council's power to require disclosure of information) is amended as follows.U.K.
(2)In paragraph (3), after “enactment” insert “ or the GDPR ”.
(3)In paragraph (6)—
(a)for “paragraph (5),” substitute “ paragraph (3)— ”, and
(b)at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
282U.K.In article 39B (European professional card), after paragraph (2) insert—
“(3)For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
283U.K.In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
284(1)Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.U.K.
(2)In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
285(1)The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
286U.K.In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.
287U.K.Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.
288U.K.In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “ the GDPR ”.
289U.K.In paragraph (3)—
(a)omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and
(b)at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
290U.K.The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.
291U.K.The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.
292U.K.In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
293(1)Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In that sub-paragraph, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that sub-paragraph insert—
“(2)In this regulation—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).
(3)Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.”
(5)In the heading of that regulation, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
294U.K.The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.
295U.K.In article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—
(a)for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”, and
(b)for “are” substitute “ is ”.
296U.K.In article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—
(a)for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”,
(b)for “are” substitute “ is ”,
(c)for “section 5” substitute “ section 207 ”,
(d)for “data controller” substitute “ controller ”, and
(e)after “in the context of” insert “ the activities of ”.
297U.K.The Pupils' Educational Records (Scotland) Regulations 2003 are amended as follows.
298(1)Regulation 2 (interpretation) is amended as follows.U.K.
(2)Omit the definition of “the 1998 Act”.
(3)At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
299(1)Regulation 6 (circumstances where information should not be disclosed) is amended as follows.U.K.
(2)After “any information” insert “ to the extent that any of the following conditions are satisfied ”.
(3)For paragraphs (a) to (c) substitute—
“(aa)the pupil to whom the information relates would have no right of access to the information under the GDPR;
(ab)the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.
(4)In paragraph (d), for “to the extent that its disclosure” substitute “ the disclosure of the information ”.
(5)In paragraph (e), for “that” substitute “ the information ”.
300U.K.In regulation 9 (fees), for paragraph (1) substitute—
“(1A)In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.
(1B)Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—
(a)exceeds the cost of supply, or
(b)exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”
301U.K.Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.
302(1)Paragraph 74(1) (interpretation) is amended as follows.U.K.
(2)Omit the definitions of “relevant conditions” and “research purposes”.
(3)At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
303U.K.In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.
304U.K.In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.
305U.K.The Environmental Information Regulations 2004 are amended as follows.
306(1)Regulation 2 (interpretation) is amended as follows.U.K.
(2)In paragraph (1), at the appropriate places, insert—
““the data protection principles” means the principles set out in—
(a)Article 5(1) of the GDPR,
(b)section 34(1) of the Data Protection Act 2018, and
(c)section 85(1) of that Act;”;
““data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”;
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.
(3)For paragraph (4) substitute—
“(4A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—
(a)the references to an FOI public authority were references to a public authority as defined in these Regulations, and
(b)the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”
307(1)Regulation 13 (personal data) is amended as follows.U.K.
(2)For paragraph (1) substitute—
“(1)To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—
(a)the first condition is satisfied, or
(b)the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”
(3)For paragraph (2) substitute—
“(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”
(4)For paragraph (3) substitute—
“(3A)The third condition is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”
(5)Omit paragraph (4).
(6)For paragraph (5) substitute—
“(5A)For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—
(a)the condition in paragraph (5B)(a) is satisfied, or
(b)a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.
(5B)The conditions mentioned in paragraph (5A) are—
(a)giving a member of the public the confirmation or denial—
(i)would (apart from these Regulations) contravene any of the data protection principles, or
(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;
(b)giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 99 of the Data Protection Act 2018 (right to object to processing);
(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);
(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;
(e)on a request under section 94(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”
(7)After that paragraph insert—
“(6)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
308U.K.In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “ regulation 13(1)(b) or (5A) ”.
309U.K.In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “ regulation 13(5A) ”.
310U.K.The Environmental Information (Scotland) Regulations 2004 are amended as follows.
311(1)Regulation 2 (interpretation) is amended as follows.U.K.
(2)In paragraph (1), at the appropriate places, insert—
““the data protection principles” means the principles set out in—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018;”;”;
““data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”;
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.
(3)For paragraph (3) substitute—
“(3A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—
(a)the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and
(b)the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”
312(1)Regulation 11 (personal data) is amended as follows.U.K.
(2)For paragraph (2) substitute—
“(2)To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—
(a)the first condition set out in paragraph (3A) is satisfied, or
(b)the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”
(3)For paragraph (3) substitute—
“(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”
(4)For paragraph (4) substitute—
“(4A)The third condition is that any of the following applies to the information—
(a)it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(5)Omit paragraph (5).
(6)After paragraph (6) insert—
“(7)In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
313(1)Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.U.K.
(2)In paragraph (1)(b)—
(a)for paragraph (iii) (but not the final “, and”) substitute—
“(iii)the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and
(b)in the words following paragraph (iii), omit “search”.
(3)After paragraph (2) insert—
“(3)In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
314U.K.The Education (Pupil Information) (England) Regulations 2005 are amended as follows.
315U.K.In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “ section 3(4) of the Data Protection Act 2018 ”.
316(1)Regulation 5 (disclosure of curricular and educational records) is amended as follows.U.K.
(2)In paragraph (4)—
(a)in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
(b)in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “ the GDPR ”.
(3)After paragraph (6) insert—
“(7)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
317(1)Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.U.K.
(2)In paragraph (1)(d)—
(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b)for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
(3)After paragraph (1) insert—
“(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).
(1C)The condition in this paragraph is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
(1D)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
(4)Omit paragraphs (2) to (4).
318U.K.In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—
(a)for the definition of “data protection principles” substitute—
““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and
(b)at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.
319U.K.The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.
320(1)Regulation 39 (sensitive information) is amended as follows.U.K.
(2)In paragraph (1)(d)—
(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b)for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
(3)After paragraph (1) insert—
“(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).
(1C)The condition in this paragraph is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
(1D)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
(4)Omit paragraphs (2) to (4).
321U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.
322(1)Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(4)After that sub-paragraph insert—
“(2)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
323U.K.In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant's loss of capacity), for paragraph (b) substitute—
“(b)any material used consists of or includes human cells or human DNA,”.
324U.K.For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—
5(1)The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2)The Assembly Commission is to be treated as a government department for the purposes of the following provisions—
(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b)section 209 (application to the Crown),
(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3)In the provisions mentioned in paragraph (4)—
(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and
(b)references to a person in the service of the Crown are to be treated as including a person so employed.
(4)The provisions are—
(a)section 24(3) (exemption for certain data relating to employment under the Crown), and
(b)section 209(6) (application of certain provisions to a person in the service of the Crown).
(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
325U.K.In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant's loss of capacity) —
(a)in the English language text, for paragraph (c) substitute—
“(c)any material used consists of or includes human cells or human DNA; and”, and
(b)in the Welsh language text, for paragraph (c) substitute—
“(c)os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu'n DNA dynol neu yn eu cynnwys; ac”.
326(1)Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.U.K.
(2)In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(3)After paragraph (1) insert—
“(2)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
327U.K.In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a)in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—
“(i)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after paragraph (3) insert—
“(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
328U.K.The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 are amended as follows.
329U.K.In regulation 2 (interpretation), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
330U.K.In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “ information to which the pupil to whom the information relates would have no right of access under the GDPR ”.
331U.K.In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a)in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”, and
(b)after paragraph (3) insert—
“(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
332U.K.In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “ the data protection legislation ”.
333U.K.The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.
334U.K.In regulation 2(1) (interpretation)—
(a)at the appropriate place in the English language text insert—
““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and
(b)at the appropriate place in the Welsh language text insert—
““mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o'r Ddeddf honno (gweler adran 3(10), (11) a (14) o'r Ddeddf honno);”.”
335(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.U.K.
(2)In paragraph (7)—
(a)in the English language text, at the end insert “ or the GDPR ”, and
(b)in the Welsh language text, at the end insert “neu'r GDPR”.
(3)For paragraph (8)—
(a)in the English language text substitute—
“(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b)in the Welsh language text substitute—
“(8)Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
336(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.U.K.
(2)In paragraph (6)—
(a)in the English language text, at the end insert “ or the GDPR ”, and
(b)in the Welsh language text, at the end insert “neu'r GDPR”.
(3)For paragraph (7)—
(a)in the English language text substitute—
“(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b)in the Welsh language text substitute—
“(7)Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
337(1)Regulation 29 (occurrence reports) is amended as follows.U.K.
(2)In paragraph (3)—
(a)in the English language text, at the end insert “ or the GDPR ”, and
(b)in the Welsh language text, at the end insert “neu'r GDPR”.
(3)For paragraph (4)—
(a)in the English language text substitute—
“(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b)in the Welsh language text substitute—
“(4)Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
338(1)Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.U.K.
(2)In paragraph (3)—
(a)omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b)for the words from “where” to the end substitute “ if the condition in paragraph (3A) or (3B) is satisfied ”.
(3)After paragraph (3) insert—
“(3A)The condition in this paragraph is that the disclosure of the information to a member of the public—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”
(4)After paragraph (4) insert—
“(5)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
339(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(4)In paragraph (c) of that sub-paragraph—
(a)omit “or” at the end of sub-paragraph (i), and
(b)at the end insert “; or
(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.
(5)After paragraph (c) of that sub-paragraph insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
340(1)Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(4)In paragraph (c) of that sub-paragraph—
(a)omit “or” at the end of sub-paragraph (i), and
(b)at the end insert “; or
(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.
(5)After paragraph (c) of that sub-paragraph insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
341U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.
342U.K.In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—
“(d)matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
343(1)Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.U.K.
(2)In paragraph (2)—
(a)omit “or” at the end of sub-paragraph (a),
(b)for sub-paragraph (b) substitute—
“(b)Article 21 of the GDPR (general processing: right to object to processing), or
(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and
(c)omit the words following sub-paragraph (b).
(3)After paragraph (7) insert—
“(8)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(9)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
344(1)Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.U.K.
(2)In paragraph (2)—
(a)omit “or” at the end of sub-paragraph (a),
(b)for sub-paragraph (b) substitute—
“(b)Article 21 of the GDPR (general processing: right to object to processing), or
(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and
(c)omit the words following sub-paragraph (b).
(3)After paragraph (6) insert—
“(7)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(8)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
345U.K.The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.
346U.K.In regulation 2(2) (interpretation), at the appropriate place insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”
347(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.U.K.
(2)In paragraph (7), at the end insert “ or the GDPR ”.
(3)For paragraph (8) substitute—
“(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
348(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.U.K.
(2)In paragraph (6), at the end insert “ or the GDPR ”.
(3)For paragraph (7) substitute—
“(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
349(1)Regulation 29 (occurrence reports) is amended as follows.U.K.
(2)In paragraph (3), at the end insert “ or the GDPR ”.
(3)For paragraph (4) substitute—
“(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
350U.K.The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.
351U.K.The Pharmacy Order 2010 is amended as follows.
352U.K.In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.
353(1)Article 9 (inspection and enforcement) is amended as follows.U.K.
(2)For paragraph (4) substitute—
“(4)If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”
(3)After paragraph (4) insert—
“(5)In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
354U.K.In article 33A (European professional card), after paragraph (2) insert—
“(3)In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
355(1)Article 49 (disclosure of information: general) is amended as follows.U.K.
(2)In paragraph (2)(a), after “enactment” insert “ or the GDPR ”.
(3)For paragraph (3) substitute—
“(3)In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”
(4)After paragraph (5) insert—
“(6)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
356(1)Article 55 (professional performance assessments) is amended as follows.U.K.
(2)In paragraph (5)(a), after “enactment” insert “ or the GDPR ”.
(3)For paragraph (6) substitute—
“(6)In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”
(4)After paragraph (8) insert—
“(9)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
357U.K.In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—
“(aa)“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
358(1)Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.U.K.
(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “ the GDPR ”.
(3)In paragraph 9 (processing data)—
(a)omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and
(b)after sub-paragraph (2) insert—
“(3)In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”
359(1)The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
360U.K.The Data Protection (Monetary Penalties) Order 2010 is revoked.
361U.K.The National Employment Savings Trust Order 2010 is amended as follows.
362U.K.In article 2 (interpretation)—
(a)omit the definition of “data” and “personal data”, and
(b)at the appropriate place insert—
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
363(1)Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.U.K.
(2)In paragraph (1)—
(a)for “disclosure of data” substitute “ disclosure of information ”, and
(b)for “requested data” substitute “ requested information ”.
(3)In paragraph (2)—
(a)for “requested data” substitute “ requested information ”,
(b)for “those data are” substitute “ the information is ”, and
(c)for “receive those data” substitute “ receive that information ”.
(4)In paragraph (3), for “requested data” substitute “ requested information ”.
(5)In paragraph (4), for “requested data” substitute “ requested information ”.
364(1)Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.U.K.
(2)In paragraph 1(1) (interpretation and general)—
(a)omit the definition of “research purposes”, and
(b)at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3)In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.
365(1)Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.U.K.
(2)In paragraph (5)—
(a)in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—
(a)which the head teacher could not lawfully disclose to the pupil under the GDPR, or
(b)to which the pupil would have no right of access under the GDPR.”, and
(b)in the Welsh language text, for “ddogfennau sy'n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—
(a)na allai'r pennaeth ei datgelu'n gyfreithlon i'r disgybl o dan y GDPR, neu
(b)na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”
(3)After paragraph (5)—
(a)in the English language text insert—
“(6)In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and
(b)in the Welsh language text insert—
“(6)Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a'r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o'r fath (y Rheoliad Diogelu Data Cyffredinol), fel y'i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”
366U.K.In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.
367U.K.The Police and Crime Commissioner Elections Order 2012 is amended as follows.
368(1)Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.U.K.
(2)In paragraph 20 (absent voter lists: supply of copies etc)—
(a)in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after sub-paragraph (10) insert—
“(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3)In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b)after that sub-paragraph insert—
“(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
369(1)Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.U.K.
(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3)In paragraph 5 (restriction on use of documents or of information contained in them)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b)after sub-paragraph (4) insert—
“(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
370U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.
371U.K.Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.
372(1)Paragraph 29(1) (interpretation of Part 8) is amended as follows.U.K.
(2)At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3)For the definition of “relevant conditions” substitute—
““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.
(4)Omit the definition of “research purposes”.
373U.K.In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
374U.K.In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
375U.K.In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
376U.K.In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
377U.K.In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes (as defined in paragraph 29),”.
378(1)Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.U.K.
(2)For paragraph (4) substitute—
“(4)Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
(3)In paragraph (5), after “enactment” insert “ or the GDPR ”.
(4)After paragraph (6) insert—
“(7)In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”
379(1)Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.U.K.
(2)The existing text becomes paragraph (1).
(3)In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that paragraph insert—
“(2)In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
380U.K.In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co-operation in criminal matters).
381U.K.The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.
382U.K.In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—
(a)in paragraph (9), omit sub-paragraph (b) and the word “and” before it, and
(b)in paragraph (11), omit the definition of “processing” and “sensitive personal data” and the word “and” before it.
383U.K.In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—
(a)in paragraph (7), omit sub-paragraph (b) and the word “and” before it, and
(b)omit paragraph (8).
384(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(4)In paragraph (c) of that sub-paragraph—
(a)omit “or” at the end of sub-paragraph (i), and
(b)at the end insert “; or
(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.
(5)After paragraph (c) of that sub-paragraph insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
385U.K.The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.
386(1)Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.U.K.
(2)In paragraph (1)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After paragraph (2) insert—
“(3)In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
387(1)Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.U.K.
(2)For paragraph (1) substitute—
“(1)Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”
(3)After paragraph (3) insert—
“(4)In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
388U.K.The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.
389(1)Regulation 2(1) (interpretation) is amended as follows.U.K.
(2)Omit the definition of “Directive 95/46/EC”.
(3)At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
390U.K.In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.
391U.K.In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.
392U.K.In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.
393U.K.In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).
394U.K.In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.
395U.K.The Scottish Parliament (Elections etc) Order 2015 is amended as follows.
396(1)Schedule 3 (absent voting) is amended as follows.U.K.
(2)In paragraph 16 (absent voting lists: supply of copies etc)—
(a)in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after sub-paragraph (10) insert—
“(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3)In paragraph 20 (restriction on use of absent voting lists)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after that sub-paragraph insert—
“(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
397(1)Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.U.K.
(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3)In paragraph 5 (restriction on use of documents or of information contained in them)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after sub-paragraph (4) insert—
“(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
398U.K.In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.
399U.K.Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.
400(1)Paragraph 6 (disclosure to a credit reference agency) is amended as follows.U.K.
(2)In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(3)In sub-paragraph (c)—
(a)omit “or” at the end of paragraph (ii), and
(b)at the end insert—
“(iv)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice); or
(v)section 148 of that Act (destroying or falsifying information and documents etc);”
(4)After sub-paragraph (c) insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”
401U.K.In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—
“(b)for the purposes of ensuring that it complies with its data protection obligations.”
402U.K.In Part 3 (interpretation), after paragraph 13 insert—
“14In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—
(a)where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
403U.K.The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.
404U.K.In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.
405U.K.In regulation 3(3) (supervision), omit “under the 1998 Act”.
406U.K.For Schedule 2 substitute—
1For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 26—
(a)section 140 (publication by the Commissioner);
(b)section 141 (notices from the Commissioner);
(c)section 142 (information notices);
(d)section 143 (information notices: restrictions);
(e)section 144 (false statements made in response to an information notice);
(f)section 145 (information orders);
(g)section 146 (assessment notices);
(h)section 147 (assessment notices: restrictions);
(i)section 148 (destroying or falsifying information and documents etc);
(j)section 149 (enforcement notices);
(k)section 150 (enforcement notices: supplementary);
(l)section 152 (enforcement notices: restrictions);
(m)section 153 (enforcement notices: cancellation and variation);
(n)section 154 and Schedule 15 (powers of entry and inspection);
(o)section 155 and Schedule 16 (penalty notices);
(p)section 156(4)(a) (penalty notices: restrictions);
(q)section 157 (maximum amount of penalty);
(r)section 159 (amount of penalties: supplementary);
(s)section 160 (guidance about regulatory action);
(t)section 161 (approval of first guidance about regulatory action);
(u)section 162 (rights of appeal);
(v)section 163 (determination of appeals);
(w)section 164 (applications in respect of urgent notices);
(x)section 180 (jurisdiction);
(y)section 182(1), (2), (5), (7) and (13) (regulations and consultation);
(z)section 196 (penalties for offences);
(z1)section 197 (prosecution);
(z2)section 202 (proceedings in the First-tier Tribunal: contempt);
(z3)section 203 (Tribunal Procedure Rules).
2The provisions listed in paragraph 1 have effect as if—
(a)references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;
(b)references to a particular provision of that Act were references to that provision as applied by these Regulations.
3(1)Section 142 has effect as if subsections (9) and (10) were omitted.
(2)In that section, subsection (1) has effect as if—
(a)in paragraph (a)—
(i)for “controller or processor” there were substituted “ trust service provider ”;
(ii)for “the data protection legislation” there were substituted “ the eIDAS Regulation and the EITSET Regulations ”;
(b)paragraph (b) were omitted.
(3)In that section, subsection (2) has effect as if paragraph (a) were omitted.
4(1)Section 143 has effect as if subsections (1) and (9) were omitted.
(2)In that section—
(a)subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”;
(b)subsection (7)(a) has effect as if for “this Act” there were substituted “ section 144 or 148 or paragraph 15 of Schedule 15 ”;
(c)subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “ section 148 or paragraph 15 of Schedule 15 ”.
5Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “ section 142(2) ”.
6(1)Section 146 has effect as if subsection (11) were omitted.
(2)In that section—
(a)subsection (1) has effect as if—
(i)for “controller or processor” (in both places) there were substituted “ trust service provider ”;
(ii)for “the data protection legislation” there were substituted “ the eIDAS requirements ”;
(b)subsection (2) has effect as if paragraphs (h) and (i) were omitted;
(c)subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider.
(d)subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “ to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15 ”.
7(1)Section 147 has effect as if subsections (5) and (6) were omitted.
(2)In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.
8(1)Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.
(2)In that section—
(a)subsection (1) has effect as if—
(i)for “as described in subsection (2), (3), (4) or (5)” there were substituted “ to comply with the eIDAS requirements ”;
(ii)for “sections 150 and 151” there were substituted “ section 150 ”;
(b)subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.
9(1)Section 150 has effect as if subsection (3) were omitted.
(2)In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” and “or distress” were omitted.
10Section 152 has effect as if subsections (1), (2) and (4) were omitted.
11The provisions listed in paragraph 1 have effect as if after section 153 there were inserted—
(1)The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—
(a)the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and
(b)the condition in subsection (2) or (3) is met.
(2)The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.
(3)The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—
(a)the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and
(b)the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.
(4)A withdrawal notice must—
(a)state when the withdrawal takes effect, and
(b)provide information about the rights of appeal under section 162.”
12(1)Schedule 15 has effect as if paragraph 3 were omitted.
(2)Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—
“(a)there are reasonable grounds for suspecting that—
(i)a trust service provider has failed or is failing to comply with the eIDAS requirements, or
(ii)an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,”.
(3)Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—
(a)in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “ trust service provider ”;
(b)in sub-paragraph (2), for “the data protection legislation” there were substituted “ the eIDAS requirements ”.
(4)Paragraph 5 of that Schedule (content of warrants) has effect as if—
(a)in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “ the provision of trust services ”;
(b)in sub-paragraph (2)(d)—
(i)for “controller or processor” there were substituted “ trust service provider ”;
(ii)for “as described in section 149(2)” there were substituted “ to comply with the eIDAS requirements ”;
(c)in sub-paragraph (3)(a) and (d)—
(i)for “controller or processor” there were substituted “ trust service provider ”;
(ii)for “the data protection legislation” there were substituted “ the eIDAS requirements ”.
(5)Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.
13(1)Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.
(2)Subsection (2) of that section has effect as if—
(a)the words “Subject to subsection (4),” were omitted;
(b)in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.
(3)Subsection (3) of that section has effect as if—
(a)for “controller or processor”, in each place, there were substituted “ trust services provider ”;
(b)in paragraph (c), the words “or distress” were omitted;
(c)in paragraph (c), for “data subjects” there were substituted “ relying parties ”;
(d)in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “ Article 19(1) of the eIDAS Regulation ”.
14Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.
15Section 157 has effect as if subsections (1) to (3) and (6) were omitted.
16Section 159 has effect as if—
(a)in subsection (1), the words “Article 83 of the GDPR and” were omitted;
(b)in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.
17(1)Section 160 has effect as if subsections (5) and (12) were omitted.
(2)In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “ trust service providers ”.
18(1)Section 162 has effect as if subsection (4) were omitted.
(2)In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—
“(ca)a withdrawal notice;”.
19Section 163 has effect as if subsection (6) were omitted.
20(1)Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.
(2)Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “ subsection (4) ”.
21Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.
22(1)Section 196 has effect as if subsections (3) to (5) were omitted.
(2)In that section—
(a)subsection (1) has effect as if the words “section 119 or 173 or” were omitted;
(b)subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “ section 144 or 148 ”.
23Section 197 has effect as if subsections (3) to (6) were omitted.
24Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “ on an appeal under section 162 ”.
25Section 203 has effect as if—
(a)in subsection (1), for paragraphs (a) and (b) there were substituted “ the exercise of the rights of appeal conferred by section 162 ”;
(b)in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “ the provision of trust services ”.
26(1)This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).
(2)Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).
(3)Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.
(4)Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.
27In this Schedule—
“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;
“the EITSET Regulations” means these Regulations;
“withdrawal notice” has the meaning given in section 153A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”
407U.K.The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.
408U.K.In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018.”
409U.K.In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018.”
410U.K.The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.
411U.K.In regulation 3(1) (interpretation), at the appropriate places insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.
412U.K.In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a)the Data Protection Act 2018 or any other enactment, or
(b)the GDPR.”
413U.K.In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a)the Data Protection Act 2018 or any other enactment, or
(b)the GDPR.”
414U.K.For regulation 40(9)(c) (record keeping) substitute—
“(c)“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
(d)“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
415(1)Regulation 41 (data protection) is amended as follows.U.K.
(2)Omit paragraph (2).
(3)In paragraph (3)(a), after “Regulations” insert “ or the GDPR ”.
(4)Omit paragraphs (4) and (5).
(5)After those paragraphs insert—
“(6)Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—
(a)for the purposes of preventing money laundering or terrorist financing, or
(b)as permitted under paragraph (3).
(7)In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.
(8)In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).
(9)In this regulation—
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);
“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”
416(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.U.K.
(2)In paragraph (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)For paragraph (11) substitute—
“(11)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
417(1)Regulation 85 (publication: the Commissioners) is amended as follows.U.K.
(2)In paragraph (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)For paragraph (10) substitute—
“(10)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
418U.K.For regulation 106(a) (general restrictions) substitute—
“(a)a disclosure in contravention of the data protection legislation; or”.
419U.K.After paragraph 27 of Schedule 3 (relevant offences) insert—
“27AAn offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”
420(1)Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)For paragraph (b) of that sub-paragraph substitute—
“(b)for the purposes of ensuring that it complies with its data protection obligations.”
(4)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a relevant institution, means—
(a)where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
421U.K.In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—
““data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);”;
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.
422U.K.The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.
423(1)Regulation 1 (citation and commencement) is amended as follows.U.K.
(2)In paragraph (2), omit “Subject to paragraph (3),”.
(3)Omit paragraph (3).
424U.K.In regulation 3(1) (interpretation)—
(a)omit the definition of “the 1998 Act”,
(b)at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c)omit the definition of “GDPR”.
425(1)Schedule 6 (other contractual terms) is amended as follows.U.K.
(2)In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—
(a)the data protection legislation, or
(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”
(3)For paragraph 64 (meaning of data controller etc.) substitute—
64AFor the purposes of this Part—
“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
“data protection officer” means a person designated as a data protection officer under the data protection legislation;
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”
(4)In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “ controllers ”.
(5)In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i)the data protection legislation, and
(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(6)In paragraph 94(4) (variation of a contract: general)—
(a)omit paragraph (b), and
(b)after paragraph (d) (but before the final “and”) insert—
“(da)the data protection legislation;
(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
426U.K.The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.
427(1)Regulation 1 (citation and commencement) is amended as follows.U.K.
(2)In paragraph (2), omit “Subject to paragraph (3),”.
(3)Omit paragraph (3).
428U.K.In regulation 3(1) (interpretation)—
(a)omit the definition of “the 1998 Act”, and
(b)at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c)omit the definition of “GDPR”.
429(1)Schedule 1 (content of agreements) is amended as follows.U.K.
(2)In paragraph 34 (interpretation)—
(a)in sub-paragraph (1)—
(i)omit “Subject to sub-paragraph (3),”,
(ii)before paragraph (a) insert—
“(za)“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
(zb)“data protection officer” means a person designated as a data protection officer under the data protection legislation;”, and
(iii)for paragraph (d) substitute—
“(e)“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”,
(b)omit sub-paragraphs (2) and (3),
(c)in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—
(a)the data protection legislation, or
(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and
(d)in sub-paragraph (6)(b), for “data controllers” substitute “ controllers ”.
(3)In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i)the data protection legislation, and
(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(4)In paragraph 61(3) (variation of agreement: general)—
(a)omit paragraph (b), and
(b)after paragraph (d) (but before the final “and”) insert—
“(da)the data protection legislation;
(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
Valid from 25/05/2018
430(1)Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.U.K.
(2)That legislation is—
(a)subordinate legislation made before the day on which this Part of this Schedule comes into force;
(b)primary legislation that is passed or made before the end of the Session in which this Act is passed.
(3)In this Part of this Schedule—
“primary legislation” has the meaning given in section 211(7);
“references” includes any references, however expressed.
431(1)References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.U.K.
(2)Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.
(3)References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.
432(1)References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).U.K.
(2)References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).
(3)References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).
(4)References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).
(5)References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—
(a)Article 5(1) of the GDPR and the applied GDPR, and
(b)sections 34(1) and 85(1) of this Act.
(6)References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 122 of this Act.
(7)References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 204 of this Act.
(8)References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 205 of this Act.
Valid from 25/05/2018
433U.K.Section 3(14) does not apply to this Schedule.
434U.K.Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.
Commencement Information
I2Sch. 19 para. 434 in force at Royal Assent for specified purposes, see s. 212(2)(f)
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
This Schedule only you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
This Schedule only you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: