- Latest available (Revised)
- Point in Time (28/01/2021)
- Original (As enacted)
Version Superseded: 15/12/2021
Point in time view as at 28/01/2021.
Data Protection Act 2018 is up to date with all changes known to be in force on or before 23 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
Section 10
1(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
(b)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2)See also the additional safeguards in Part 4 of this Schedule.
(3)In this paragraph—
“social security” includes any of the branches of social security listed in Article 3(1) of Regulation (EC) No. 883/2004 of the European Parliament and of the Council on the co-ordination of social security systems (as amended from time to time);
“social protection” includes an intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament and of the Council of 25 April 2007 on the European system of integrated social protection statistics (ESSPROS) [F1as it had effect in EU law immediately before exit day].
Textual Amendments
F1Words in Sch. 1 para. 1(3) substituted (31.12.2020) by The UK Statistics (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/489), regs. 1, 3; 2020 c. 1, Sch. 5 para. 1(1)
2(1)This condition is met if the processing is necessary for health or social care purposes.U.K.
(2)In this paragraph “health or social care purposes” means the purposes of—
(a)preventive or occupational medicine,
(b)the assessment of the working capacity of an employee,
(c)medical diagnosis,
(d)the provision of health care or treatment,
(e)the provision of social care, or
(f)the management of health care systems or services or social care systems or services.
(3)See also the conditions and safeguards in Article 9(3) of the [F2UK GDPR] (obligations of secrecy) and section 11(1).
Textual Amendments
F2Words in Sch. 1 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
3U.K.This condition is met if the processing—
(a)is necessary for reasons of public interest in the area of public health, and
(b)is carried out—
(i)by or under the responsibility of a health professional, or
(ii)by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
4U.K.This condition is met if the processing—
(a)is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
(b)is carried out in accordance with Article 89(1) of the [F3UK GDPR] (as supplemented by section 19), and
(c)is in the public interest.
Textual Amendments
F3Words in Sch. 1 para. 4(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
5(1)Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).U.K.
(2)See also the additional safeguards in Part 4 of this Schedule.
6(1)This condition is met if the processing—U.K.
(a)is necessary for a purpose listed in sub-paragraph (2), and
(b)is necessary for reasons of substantial public interest.
(2)Those purposes are—
(a)the exercise of a function conferred on a person by an enactment or rule of law;
(b)the exercise of a function of the Crown, a Minister of the Crown or a government department.
7U.K.This condition is met if the processing is necessary—
(a)for the administration of justice, or
(b)for the exercise of a function of either House of Parliament.
8(1)This condition is met if the processing—U.K.
(a)is of a specified category of personal data, and
(b)is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,
subject to the exceptions in sub-paragraphs (3) to (5).
(2)In sub-paragraph (1), “specified” means specified in the following table—
Category of personal data | Groups of people (in relation to a category of personal data) |
---|---|
Personal data revealing racial or ethnic origin | People of different racial or ethnic origins |
Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs |
Data concerning health | People with different states of physical or mental health |
Personal data concerning an individual's sexual orientation | People of different sexual orientation |
(3)Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.
(4)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(5)Processing does not meet the condition in sub-paragraph (1) if—
(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended.
9(1)This condition is met if the processing—U.K.
(a)is of personal data revealing racial or ethnic origin,
(b)is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,
(c)is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and
(d)can reasonably be carried out without the consent of the data subject,
subject to the exception in sub-paragraph (3).
(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(3)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(4)For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—
(a)holds a position listed in sub-paragraph (5), or
(b)does not hold such a position but is a senior manager of the organisation.
(5)Those positions are—
(a)a director, secretary or other similar officer of a body corporate;
(b)a member of a limited liability partnership;
(c)a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.
(6)In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—
(a)the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or
(b)the actual managing or organising of the whole or a substantial part of those activities.
(7)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
10(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of the prevention or detection of an unlawful act,
(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c)is necessary for reasons of substantial public interest.
(2)If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(3)In this paragraph—
“act” includes a failure to act;
“competent authority” has the same meaning as in Part 3 of this Act (see section 30).
11(1)This condition is met if the processing—U.K.
(a)is necessary for the exercise of a protective function,
(b)must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and
(c)is necessary for reasons of substantial public interest.
(2)In this paragraph, “protective function” means a function which is intended to protect members of the public against—
(a)dishonesty, malpractice or other seriously improper conduct,
(b)unfitness or incompetence,
(c)mismanagement in the administration of a body or association, or
(d)failures in services provided by a body or association.
12(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—
(i)committed an unlawful act, or
(ii)been involved in dishonesty, malpractice or other seriously improper conduct,
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and
(c)the processing is necessary for reasons of substantial public interest.
(2)In this paragraph—
“act” includes a failure to act;
“regulatory requirement” means—
a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or
a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
13(1)This condition is met if—U.K.
(a)the processing consists of the disclosure of personal data for the special purposes,
(b)it is carried out in connection with a matter described in sub-paragraph (2),
(c)it is necessary for reasons of substantial public interest,
(d)it is carried out with a view to the publication of the personal data by any person, and
(e)the controller reasonably believes that publication of the personal data would be in the public interest.
(2)The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—
(a)the commission of an unlawful act by a person;
(b)dishonesty, malpractice or other seriously improper conduct of a person;
(c)unfitness or incompetence of a person;
(d)mismanagement in the administration of a body or association;
(e)a failure in services provided by a body or association.
(3)The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(4)In this paragraph—
“act” includes a failure to act;
“the special purposes” means—
the purposes of journalism;
academic purposes;
artistic purposes;
literary purposes.
14(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b)consists of—
(i)the disclosure of personal data by a person as a member of an anti-fraud organisation,
(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or
(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.
15U.K.This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—
(a)section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);
(b)section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).
16(1)This condition is met if the processing—U.K.
(a)is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,
(b)is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),
(c)is necessary for the purposes of—
(i)raising awareness of the disability or medical condition, or
(ii)providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,
(d)can reasonably be carried out without the consent of the data subject, and
(e)is necessary for reasons of substantial public interest.
(2)The following types of personal data fall within this sub-paragraph—
(a)personal data revealing racial or ethnic origin;
(b)genetic data or biometric data;
(c)data concerning health;
(d)personal data concerning an individual's sex life or sexual orientation.
(3)An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—
(a)has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or
(b)is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.
(4)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(5)In this paragraph—
“carer” means an individual who provides or intends to provide care for another individual other than—
under or by virtue of a contract, or
as voluntary work;
“disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).
(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
17(1)This condition is met if the processing—U.K.
(a)is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,
(b)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(c)is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(b) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).
18(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of—
(i)protecting an individual from neglect or physical, mental or emotional harm, or
(ii)protecting the physical, mental or emotional well-being of an individual,
(b)the individual is—
(i)aged under 18, or
(ii)aged 18 or over and at risk,
(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)the processing is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a)has needs for care and support,
(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.
19(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,
(b)is of data concerning health,
(c)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.
20(1)This condition is met if the processing—U.K.
(a)is necessary for an insurance purpose,
(b)is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and
(c)is necessary for reasons of substantial public interest,
subject to sub-paragraphs (2) and (3).
(2)Sub-paragraph (3) applies where—
(a)the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and
(b)the data subject does not have and is not expected to acquire—
(i)rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or
(ii)other rights or obligations in connection with such a contract.
(3)Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.
(4)For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(5)In this paragraph—
“insurance contract” means a contract of general insurance or long-term insurance;
“insurance purpose” means—
advising on, arranging, underwriting or administering an insurance contract,
administering a claim under an insurance contract, or
exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.
(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
(7)Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.
21(1)This condition is met if the processing—U.K.
(a)is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,
(b)is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,
(c)is not carried out for the purposes of measures or decisions with respect to the data subject, and
(d)can reasonably be carried out without the consent of the data subject.
(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(3)In this paragraph—
“occupational pension scheme” has the meaning given in section 1 of the Pension Schemes Act 1993;
“member”, in relation to a scheme, includes an individual who is seeking to become a member of the scheme.
(4)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
22(1)This condition is met if the processing—U.K.
(a)is of personal data revealing political opinions,
(b)is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and
(c)is necessary for the purposes of the person's or organisation's political activities,
subject to the exceptions in sub-paragraphs (2) and (3).
(2)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.
(3)Processing does not meet the condition in sub-paragraph (1) if—
(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended.
(4)In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.
23(1)This condition is met if—U.K.
(a)the processing is carried out—
(i)by an elected representative or a person acting with the authority of such a representative,
(ii)in connection with the discharge of the elected representative's functions, and
(iii)in response to a request by an individual that the elected representative take action on behalf of the individual, and
(b)the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,
subject to sub-paragraph (2).
(2)Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;
(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
(3)In this paragraph, “elected representative” means—
(a)a member of the House of Commons;
(b)a member of the National Assembly for Wales;
(c)a member of the Scottish Parliament;
(d)a member of the Northern Ireland Assembly;
F4(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(f)an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—
(i)in England, a county council, a district council, a London borough council or a parish council;
(ii)in Wales, a county council, a county borough council or a community council;
(g)an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
(h)a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
(i)the Mayor of London or an elected member of the London Assembly;
(j)an elected member of—
(i)the Common Council of the City of London, or
(ii)the Council of the Isles of Scilly;
(k)an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
(l)an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));
(m)a police and crime commissioner.
(4)For the purposes of sub-paragraph (3), a person who is—
(a)a member of the House of Commons immediately before Parliament is dissolved,
(b)a member of the National Assembly for Wales immediately before that Assembly is dissolved,
(c)a member of the Scottish Parliament immediately before that Parliament is dissolved, or
(d)a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,
is to be treated as if the person were such a member until the end of the fourth day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.
(5)For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.
Textual Amendments
24(1)This condition is met if—U.K.
(a)the processing consists of the disclosure of personal data—
(i)to an elected representative or a person acting with the authority of such a representative, and
(ii)in response to a communication to the controller from that representative or person which was made in response to a request from an individual,
(b)the personal data is relevant to the subject matter of that communication, and
(c)the disclosure is necessary for the purpose of responding to that communication,
subject to sub-paragraph (2).
(2)Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;
(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
(3)In this paragraph, “elected representative” has the same meaning as in paragraph 23.
25(1)This condition is met if—U.K.
(a)the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and
(b)the member is under an obligation not to further disclose the personal data.
(2)The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.
(3)In this paragraph—
“prison” includes a young offender institution, a remand centre, a secure training centre or a secure college;
“prisoner” means a person detained in a prison.
26U.K.This condition is met if the processing—
(a)consists of the publication of a judgment or other decision of a court or tribunal, or
(b)is necessary for the purposes of publishing such a judgment or decision.
27(1)This condition is met if the processing is necessary—U.K.
(a)for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or
(b)for the purposes of providing information about doping, or suspected doping, to such a body or association.
(2)The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.
(3)If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
28(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,
(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c)is necessary for reasons of substantial public interest.
(2)In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—
(a)dishonesty, malpractice or other seriously improper conduct, or
(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.
29U.K.This condition is met if the data subject has given consent to the processing.
30U.K.This condition is met if—
(a)the processing is necessary to protect the vital interests of an individual, and
(b)the data subject is physically or legally incapable of giving consent.
31U.K.This condition is met if the processing is carried out—
(a)in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and
(b)on condition that—
(i)the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and
(ii)the personal data is not disclosed outside that body without the consent of the data subjects.
32U.K.This condition is met if the processing relates to personal data which is manifestly made public by the data subject.
33U.K.This condition is met if the processing—
(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
34U.K.This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity.
35(1)This condition is met if—U.K.
(a)the processing is of personal data about a conviction or caution for an offence listed in sub-paragraph (2),
(b)the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card, and
(c)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2)Those offences are an offence under—
(a)section 1 of the Protection of Children Act 1978 (indecent photographs of children),
(b)Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),
(c)section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),
(d)section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),
(e)Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or
(f)section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),
or incitement to commit an offence under any of those provisions.
(3)See also the additional safeguards in Part 4 of this Schedule.
(4)In this paragraph—
“caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
“conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));
“payment card” includes a credit card, a charge card and a debit card.
36U.K.This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest.
37U.K.This condition is met if the processing—
(a)would meet the condition in paragraph 20 in Part 2 of this Schedule (the “insurance condition”), or
(b)would meet the condition in paragraph 36 by virtue of the insurance condition,
but for the requirement for the processing to be processing of a category of personal data specified in paragraph 20(1)(b).
38U.K.This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.
39U.K.The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—
(a)explains the controller's procedures for securing compliance with the principles in Article 5 of the [F5UK GDPR] (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
(b)explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.
Textual Amendments
F5Words in Sch. 1 para. 39(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
40(1)Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—U.K.
(a)retain the appropriate policy document,
(b)review and (if appropriate) update it from time to time, and
(c)make it available to the Commissioner, on request, without charge.
(2)“Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—
(a)begins when the controller starts to carry out processing of personal data in reliance on that condition, and
(b)ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.
41U.K.A record maintained by the controller, or the controller's representative, under Article 30 of the [F6UK GDPR] in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—
(a)which condition is relied on,
(b)how the processing satisfies Article 6 of the [F6UK GDPR] (lawfulness of processing), and
(c)whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.
Textual Amendments
F6Words in Sch. 1 para. 41 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 91(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Section 15
Textual Amendments
F7Words in Sch. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F8Words in Sch. 2 Pt. 1 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F9Words in Sch. 2 para. 1 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
1U.K.In this Part of this Schedule, “the listed GDPR provisions” means—
(a)the following provisions of the [F10UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F10UK GDPR])—
(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(iv)Article 16 (right to rectification);
(v)Article 17(1) and (2) (right to erasure);
(vi)Article 18(1) (restriction of processing);
(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(viii)Article 20(1) and (2) (right to data portability);
(ix)Article 21(1) (objections to processing);
(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and
(b)the following provisions of the [F11UK GDPR] (the application of which may be adapted by virtue of Article 6(3) of the [F11UK GDPR])—
(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;
(ii)Article 5(1)(b) (purpose limitation).
Textual Amendments
F10Words in Sch. 2 para. 1(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in Sch. 2 para. 1(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
2(1)The listed GDPR provisions and Article 34(1) and (4) of the [F12UK GDPR] (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—U.K.
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
(c)the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2)Sub-paragraph (3) applies where—
(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.
(3)Controller 2 is exempt from the obligations in the following provisions of the [F13UK GDPR]—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).
Textual Amendments
F12Words in Sch. 2 para. 2(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13Words in Sch. 2 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
3(1)The [F14UK GDPR] provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.U.K.
(2)A risk assessment system falls within this sub-paragraph if—
(a)it is operated by a government department, a local authority or another authority administering housing benefit, and
(b)it is operated for the purposes of—
(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or
(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.
(3)The [F15UK GDPR] provisions referred to in sub-paragraph (1) are the following provisions of the [F15UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F15UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).
Textual Amendments
F14Words in Sch. 2 para. 3(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15Words in Sch. 2 para. 3(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
4(1)The [F16UK GDPR] provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—U.K.
(a)the maintenance of effective immigration control, or
(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
(2)The [F17UK GDPR] provisions referred to in sub-paragraph (1) are the following provisions of the [F17UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F17UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 17(1) and (2) (right to erasure);
(e)Article 18(1) (restriction of processing);
(f)Article 21(1) (objections to processing);
(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).
(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)
(3)Sub-paragraph (4) applies where—
(a)personal data is processed by a person (“Controller 1”), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for any of the purposes mentioned in sub-paragraph (1)(a) and (b) and processes it for any of those purposes.
(4)Controller 1 is exempt from the obligations in the following provisions of the [F18UK GDPR]—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).
Textual Amendments
F16Words in Sch. 2 para. 4(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F17Words in Sch. 2 para. 4(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F18Words in Sch. 2 para. 4(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.U.K.
(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—
(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure.
Textual Amendments
F19Words in Sch. 2 Pt. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F20Words in Sch. 2 para. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
6U.K.In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the [F21UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F21UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 16 (right to rectification);
(e)Article 17(1) and (2) (right to erasure);
(f)Article 18(1) (restriction of processing);
(g)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(h)Article 20(1) and (2) (right to data portability);
(i)Article 21(1) (objections to processing);
(j)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).
Textual Amendments
F21Words in Sch. 2 para. 6 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(11) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
7U.K.The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
(a)is designed as described in column 1 of the Table, and
(b)meets the condition relating to the function specified in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
Description of function design | Condition |
---|---|
1. The function is designed to protect members of the public against— (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or (b) financial loss due to the conduct of discharged or undischarged bankrupts. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
2. The function is designed to protect members of the public against— (a) dishonesty, malpractice or other seriously improper conduct, or (b) unfitness or incompetence. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
3. The function is designed— (a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration, (b) to protect the property of charities or community interest companies from loss or misapplication, or (c) to recover the property of charities or community interest companies. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
4. The function is designed— (a) to secure the health, safety and welfare of persons at work, or (b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
5. The function is designed to protect members of the public against— (a) maladministration by public bodies, (b) failures in services provided by public bodies, or (c) a failure of a public body to provide a service which it is a function of the body to provide. | The function is conferred by any enactment on— (a) the Parliamentary Commissioner for Administration, (b) the Commissioner for Local Administration in England, (c) the Health Service Commissioner for England, (d) the Public Services Ombudsman for Wales, (e) the Northern Ireland Public Services Ombudsman, (f) the Prison Ombudsman for Northern Ireland, or (g) the Scottish Public Services Ombudsman. |
6. The function is designed— (a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business, (b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or (c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market. | The function is conferred on the Competition and Markets Authority by an enactment. |
8(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.U.K.
(2)The functions are any function that is conferred by an enactment on—
(a)the Comptroller and Auditor General;
(b)the Auditor General for Scotland;
(c)the Auditor General for Wales;
(d)the Comptroller and Auditor General for Northern Ireland.
9(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.U.K.
(2)“Relevant function of the Bank of England” means—
(a)a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);
(b)a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;
(c)a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.
10(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.U.K.
(2)The functions are—
(a)a function of the Legal Services Board;
(b)the function of considering a complaint under the scheme established under Part 6 of the Legal Services Act 2007 (legal complaints);
(c)the function of considering a complaint under—
(i)section 14 of the NHS Redress Act 2006,
(ii)section 113(1) or (2) or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
(iii)section 24D or 26 of the Children Act 1989, or
(iv)Part 2A of the Public Services Ombudsman (Wales) Act 2005 [F22or Part 5 of the Public Services Ombudsman (Wales) Act 2019];
(d)the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).
Textual Amendments
F22Words in Sch. 2 para. 10(2)(c)(iv) inserted (E.W.) (23.7.2019) by Public Services Ombudsman (Wales) Act 2019 (anaw 3), s. 77(1), Sch. 5 para. 28; S.I. 2019/1096, reg. 2
11U.K.The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
(a)is a function of a person described in column 1 of the Table, and
(b)is conferred on that person as described in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
Person on whom function is conferred | How function is conferred |
---|---|
1. The Commissioner. | By or under— (a) the data protection legislation; (b) the Freedom of Information Act 2000; (c) section 244 of the Investigatory Powers Act 2016; (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426); (e) the Environmental Information Regulations 2004 (S.I. 2004/3391); (f) the INSPIRE Regulations 2009 (S.I. 2009/3157); (g) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC; (h) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415); (i) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696). |
2. The Scottish Information Commissioner. | By or under— (a) the Freedom of Information (Scotland) Act 2002 (asp 13); (b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520); (c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440). |
3. The Pensions Ombudsman. | By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland. |
4. The Board of the Pension Protection Fund. | By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
5. The Ombudsman for the Board of the Pension Protection Fund. | By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
6. The Pensions Regulator. | By an enactment. |
7. The Financial Conduct Authority. | By or under the Financial Services and Markets Act 2000 or by another enactment. |
8. The Financial Ombudsman. | By or under Part 16 of the Financial Services and Markets Act 2000. |
9. The investigator of complaints against the financial regulators. | By or under Part 6 of the Financial Services Act 2012. |
F23. . . | F23. . . |
11. The monitoring officer of a relevant authority. | By or under the Local Government and Housing Act 1989. |
12. The monitoring officer of a relevant Welsh authority. | By or under the Local Government Act 2000. |
13. The Public Services Ombudsman for Wales. | By or under the Local Government Act 2000. |
14. The Charity Commission. | By or under— (a) the Charities Act 1992; (b) the Charities Act 2006; (c) the Charities Act 2011. |
Textual Amendments
F23Words in Sch. 2 para. 11 table omitted (31.12.2020) by virtue of The Consumer Protection (Enforcement) (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/203), regs. 1, 5(a); 2020 c. 1, Sch. 5 para. 1(1)
Modifications etc. (not altering text)
C1Sch. 2 para. 11 table modified (28.1.2021 for specified purposes, 30.7.2022 in so far as not already in force) by The Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) Order 2021 (S.I. 2021/90), arts. 1(2)(3), 15(2)
12U.K.In the Table in paragraph 11—
F24...
F24...
the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);
the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;
“relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;
“relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.
Textual Amendments
F24Words in Sch. 2 para. 12 omitted (31.12.2020) by virtue of The Consumer Protection (Enforcement) (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/203), regs. 1, 5(b); 2020 c. 1, Sch. 5 para. 1(1)
13U.K.The listed GDPR provisions and Article 34(1) and (4) of the [F25UK GDPR] (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.
Textual Amendments
F25Words in Sch. 2 para. 13 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(12) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
14(1)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for judicial office or the office of Queen's Counsel.U.K.
(2)The listed GDPR provisions do not apply to personal data processed by—
(a)an individual acting in a judicial capacity, or
(b)a court or tribunal acting in its judicial capacity.
(3)As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.
15(1)The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.U.K.
(2)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for any of the following offices—
(a)archbishops and diocesan and suffragan bishops in the Church of England;
(b)deans of cathedrals of the Church of England;
(c)deans and canons of the two Royal Peculiars;
(d)the First and Second Church Estates Commissioners;
(e)lord-lieutenants;
(f)Masters of Trinity College and Churchill College, Cambridge;
(g)the Provost of Eton;
(h)the Poet Laureate;
(i)the Astronomer Royal.
(3)The Secretary of State may by regulations amend the list in sub-paragraph (2) to—
(a)remove an office, or
(b)add an office to which appointments are made by Her Majesty.
(4)Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.
Commencement Information
I1Sch. 2 para. 15 in force at Royal Assent for specified purposes, see s. 212(2)(f)
Textual Amendments
F26Words in Sch. 2 Pt. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(13) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
16(1)Article 15(1) to (3) of the [F27UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the [F27UK GDPR] so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.U.K.
(2)Sub-paragraph (1) does not remove the controller's obligation where—
(a)the other individual has consented to the disclosure of the information to the data subject, or
(b)it is reasonable to disclose the information to the data subject without the consent of the other individual.
(3)In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
(a)the type of information that would be disclosed,
(b)any duty of confidentiality owed to the other individual,
(c)any steps taken by the controller with a view to seeking the consent of the other individual,
(d)whether the other individual is capable of giving consent, and
(e)any express refusal of consent by the other individual.
(4)For the purposes of this paragraph—
(a)“information relating to another individual” includes information identifying the other individual as the source of information;
(b)an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from—
(i)that information, or
(ii)that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain.
Textual Amendments
F27Words in Sch. 2 para. 16(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(14) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
17(1)For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where—U.K.
(a)the health data test is met,
(b)the social work data test is met, or
(c)the education data test is met.
(2)The health data test is met if—
(a)the information in question is contained in a health record, and
(b)the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.
(3)The social work data test is met if—
(a)the other individual is—
(i)a children's court officer,
(ii)a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or
(iii)a person who has provided for reward a service that is similar to a service provided in the exercise of any relevant social services functions, and
(b)the information relates to the other individual in an official capacity or the other individual supplied the information—
(i)in an official capacity, or
(ii)in a case within paragraph (a)(iii), in connection with providing the service mentioned in paragraph (a)(iii).
(4)The education data test is met if—
(a)the other individual is an education-related worker, or
(b)the other individual is employed by an education authority (within the meaning of the Education (Scotland) Act 1980) in pursuance of its functions relating to education and—
(i)the information relates to the other individual in his or her capacity as such an employee, or
(ii)the other individual supplied the information in his or her capacity as such an employee.
(5)In this paragraph—
“children's court officer” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;
“
” means a person referred to in paragraph 14(4)(a) or (b) or 16(4)(a), (b) or (c) of Schedule 3 (educational records);“relevant social services functions” means functions specified in paragraph 8(1)(a), (b), (c) or (d) of Schedule 3.
Textual Amendments
F28Words in Sch. 2 Pt. 4 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(15) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F29Words in Sch. 2 para. 18 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(16) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
18U.K.In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the [F30UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F30UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (c).
Textual Amendments
F30Words in Sch. 2 para. 18 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(17) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
19U.K.The listed GDPR provisions do not apply to personal data that consists of—
(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
20(1)A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.U.K.
(2)The reference to an offence in sub-paragraph (1) does not include an offence under—
(a)this Act,
(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
(3)Information disclosed by any person in compliance with Article 15 of the [F31UK GDPR] is not admissible against the person in proceedings for an offence under this Act.
Textual Amendments
F31Words in Sch. 2 para. 20(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(18) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
21(1)The listed GDPR provisions do not apply to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person to the extent that either Condition A or Condition B is met.U.K.
(2)Condition A is that the application of the listed GDPR provisions would be likely to affect the price of an instrument.
(3)Condition B is that—
(a)the relevant person reasonably believes that the application of the listed GDPR provisions to the personal data in question could affect a decision of a person—
(i)whether to deal in, subscribe for or issue an instrument, or
(ii)whether to act in a way likely to have an effect on a business activity (such as an effect on the industrial strategy of a person, the capital structure of an undertaking or the legal or beneficial ownership of a business or asset), and
(b)the application of the listed GDPR provisions to that personal data would have a prejudicial effect on the orderly functioning of financial markets or the efficient allocation of capital within the economy.
(4)In this paragraph—
“corporate finance service” means a service consisting in—
underwriting in respect of issues of, or the placing of issues of, any instrument,
services relating to such underwriting, or
advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;
“instrument” means an instrument listed in section C of Annex 1 to Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, and references to an instrument include an instrument not yet in existence but which is to be or may be created;
“price” includes value;
“relevant person” means—
a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition;
an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;
a person who is exempt from the general prohibition in respect of any corporate finance service—
as a result of an exemption order made under section 38(1) of that Act, or
by reason of section 39(1) of that Act (appointed representatives);
a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition;
a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”;
a partner who provides to other partners in the partnership a service falling within either of those paragraphs.
(5)In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.
22U.K.The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned.
23U.K.The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations.
24U.K.The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—
(a)the education, training or employment (or prospective education, training or employment) of the data subject,
(b)the placement (or prospective placement) of the data subject as a volunteer,
(c)the appointment (or prospective appointment) of the data subject to any office, or
(d)the provision (or prospective provision) by the data subject of any service.
25(1)The listed GDPR provisions do not apply to personal data consisting of information recorded by candidates during an exam.U.K.
(2)Where personal data consists of marks or other information processed by a controller—
(a)for the purposes of determining the results of an exam, or
(b)in consequence of the determination of the results of an exam,
the duty in Article 12(3) or (4) of the [F32UK GDPR] for the controller to provide information requested by the data subject within a certain time period, as it applies to Article 15 of the [F32UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers), is modified as set out in sub-paragraph (3).
(3)Where a question arises as to whether the controller is obliged by Article 15 of the [F33UK GDPR] to disclose personal data, and the question arises before the day on which the exam results are announced, the controller must provide the information mentioned in Article 12(3) or (4)—
(a)before the end of the period of 5 months beginning when the question arises, or
(b)if earlier, before the end of the period of 40 days beginning with the announcement of the results.
(4)In this paragraph, “exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity.
(5)For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.
Textual Amendments
F32Words in Sch. 2 para. 25(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(19)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F33Words in Sch. 2 para. 25(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(19)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F34Words in Sch. 2 Pt. 5 heading omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(20) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
26(1)In this paragraph, “the special purposes” means one or more of the following—U.K.
(a)the purposes of journalism;
(b)academic purposes;
(c)artistic purposes;
(d)literary purposes.
(2)Sub-paragraph (3) applies to the processing of personal data carried out for the special purposes if—
(a)the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and
(b)the controller reasonably believes that the publication of the material would be in the public interest.
(3)The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.
(4)In determining whether publication would be in the public interest the controller must take into account the special importance of the public interest in the freedom of expression and information.
(5)In determining whether it is reasonable to believe that publication would be in the public interest, the controller must have regard to any of the codes of practice or guidelines listed in sub-paragraph (6) that is relevant to the publication in question.
(6)The codes of practice and guidelines are—
(a)BBC Editorial Guidelines;
(b)Ofcom Broadcasting Code;
(c)Editors' Code of Practice.
(7)The Secretary of State may by regulations amend the list in sub-paragraph (6).
(8)Regulations under sub-paragraph (7) are subject to the affirmative resolution procedure.
(9)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the [F35UK GDPR] (which may be exempted or derogated from by virtue of Article 85(2) of the [F35UK GDPR])—
(a)in Chapter II of the [F36UK GDPR] (principles)—
(i)Article 5(1)(a) to (e) (principles relating to processing);
(ii)Article 6 (lawfulness);
(iii)Article 7 (conditions for consent);
(iv)Article 8(1) and (2) (child's consent);
(v)Article 9 (processing of special categories of data);
(vi)Article 10 (data relating to criminal convictions etc);
(vii)Article 11(2) (processing not requiring identification);
(b)in Chapter III of the [F37UK GDPR] (rights of the data subject)—
(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(iv)Article 16 (right to rectification);
(v)Article 17(1) and (2) (right to erasure);
(vi)Article 18(1)(a), (b) and (d) (restriction of processing);
(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(viii)Article 20(1) and (2) (right to data portability);
(ix)Article 21(1) (objections to processing);
(c)in Chapter IV of the [F38UK GDPR] (controller and processor)—
(i)Article 34(1) and (4) (communication of personal data breach to the data subject);
(ii)Article 36 (requirement for controller to consult Commissioner prior to high risk processing);
(d)in Chapter V of the [F39UK GDPR] (transfers of data to third countries etc), Article 44 (general principles for transfers);
F40(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F35Words in Sch. 2 para. 26(9) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F36Words in Sch. 2 para. 26(9)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F37Words in Sch. 2 para. 26(9)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F38Words in Sch. 2 para. 26(9)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F39Words in Sch. 2 para. 26(9)(d) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F40Sch. 2 para. 26(9)(e) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(21)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I2Sch. 2 para. 26 in force at Royal Assent for specified purposes, see s. 212(2)(f)
Textual Amendments
F41Words in Sch. 2 Pt. 6 heading omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(22) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
27(1)The listed GDPR provisions do not apply to personal data processed for—U.K.
(a)scientific or historical research purposes, or
(b)statistical purposes,
to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.
This is subject to [F42sub-paragraphs (3) and (4)].
(2)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the [F43UK GDPR]—
(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(b)Article 16 (right to rectification);
(c)Article 18(1) (restriction of processing);
(d)Article 21(1) (objections to processing).
(3)The exemption in sub-paragraph (1) is available only where—
(a)the personal data is processed in accordance with Article 89(1) of the [F44UK GDPR] (as supplemented by section 19), and
(b)as regards the disapplication of Article 15(1) to (3), the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
[F45(4)Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.]
Textual Amendments
F42Words in Sch. 2 para. 27(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F43Words in Sch. 2 para. 27(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F44Words in Sch. 2 para. 27(3)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F45Sch. 2 para. 27(4) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(23)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I3Sch. 2 para. 27 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
28(1)The listed GDPR provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.U.K.
This is subject to [F46sub-paragraphs (3) and (4)].
(2)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the [F47UK GDPR]—
(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(b)Article 16 (right to rectification);
(c)Article 18(1) (restriction of processing);
(d)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(e)Article 20(1) (right to data portability);
(f)Article 21(1) (objections to processing).
(3)The exemption in sub-paragraph (1) is available only where the personal data is processed in accordance with Article 89(1) of the [F48UK GDPR] (as supplemented by section 19).
[F49(4)Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.]
Textual Amendments
F46Words in Sch. 2 para. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F47Words in Sch. 2 para. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F48Words in Sch. 2 para. 28(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F49Sch. 2 para. 28(4) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(24)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Commencement Information
I4Sch. 2 para. 28 in force at 25.5.2018 by S.I. 2018/625, reg. 2(1)(b)
Section 15
Textual Amendments
F50Words in Sch. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F51Words in Sch. 3 Pt. 1 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
1U.K.In this Schedule “the listed GDPR provisions” means the following provisions of the [F52UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F52UK GDPR])—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 16 (right to rectification);
(e)Article 17(1) and (2) (right to erasure);
(f)Article 18(1) (restriction of processing);
(g)Article 20(1) and (2) (right to data portability);
(h)Article 21(1) (objections to processing);
(i)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (h).
Textual Amendments
F52Words in Sch. 3 para. 1 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
2(1)In this Part of this Schedule—U.K.
“the appropriate health professional”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means—
the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates,
where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or
a health professional who has the necessary experience and qualifications to provide an opinion on the question, where—
there is no health professional available falling within paragraph (a) or (b), or
the controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State's functions in relation to social security or war pensions, or
the controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13));
“war pension” has the same meaning as in section 25 of the Social Security Act 1989 (establishment and functions of war pensions committees).
(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to data concerning health if the application of Article 15 of the [F53UK GDPR] to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
Textual Amendments
F53Words in Sch. 3 para. 2(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
3(1)The listed GDPR provisions do not apply to data concerning health if—U.K.
(a)it is processed by a court,
(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
(c)in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.
(2)Those rules are—
(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
(f)the Sheriff Court Adoption Rules 2009;
(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
4(1)This paragraph applies where a request for data concerning health is made in exercise of a power conferred by an enactment or rule of law and—U.K.
(a)in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,
(b)in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or
(c)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
(2)The listed GDPR provisions do not apply to data concerning health to the extent that complying with the request would disclose information—
(a)which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,
(b)which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or
(c)which the data subject has expressly indicated should not be so disclosed.
(3)The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.
Textual Amendments
F54Words in Sch. 3 para. 5 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
5(1)Article 15(1) to (3) of the [F55UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not apply to data concerning health to the extent that the serious harm test is met with respect to the data.U.K.
(2)A controller who is not a health professional may not rely on sub-paragraph (1) to withhold data concerning health unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is met with respect to the data.
(3)An opinion does not count for the purposes of sub-paragraph (2) if—
(a)it was obtained before the beginning of the relevant period, or
(b)it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.
(4)In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.
Textual Amendments
F55Words in Sch. 3 para. 5(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F56Words in Sch. 3 para. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
6(1)Article 15(1) to (3) of the [F57UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not permit the disclosure of data concerning health by a controller who is not a health professional unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is not met with respect to the data.U.K.
(2)Sub-paragraph (1) does not apply to the extent that the controller is satisfied that the data concerning health has already been seen by, or is within the knowledge of, the data subject.
(3)An opinion does not count for the purposes of sub-paragraph (1) if—
(a)it was obtained before the beginning of the relevant period, or
(b)it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.
(4)In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.
Textual Amendments
F57Words in Sch. 3 para. 6(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
7(1)In this Part of this Schedule—U.K.
“education data” has the meaning given by paragraph 17 of this Schedule;
“Health and Social Care trust” means a Health and Social Care trust established under the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1));
“Principal Reporter” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
“social work data” means personal data which—
is data to which paragraph 8 applies, but
is not education data or data concerning health.
(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to social work data if the application of Article 15 of the [F58UK GDPR] to the data would be likely to prejudice carrying out social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
(3)In sub-paragraph (2), “carrying out social work” is to be taken to include doing any of the following—
(a)the exercise of any functions mentioned in paragraph 8(1)(a), (d), (f) to (j), (m), (p), (s), (t), (u), (v) or (w);
(b)the provision of any service mentioned in paragraph 8(1)(b), (c) or (k);
(c)the exercise of the functions of a body mentioned in paragraph 8(1)(e) or a person mentioned in paragraph 8(1)(q) or (r).
(4)In this Part of this Schedule, a reference to a local authority, in relation to data processed or formerly processed by it, includes a reference to the Council of the Isles of Scilly, in relation to data processed or formerly processed by the Council in connection with any functions mentioned in paragraph 8(1)(a)(ii) which are or have been conferred on the Council by an enactment.
Textual Amendments
F58Words in Sch. 3 para. 7(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
8(1)This paragraph applies to personal data falling within any of the following descriptions—U.K.
(a)data processed by a local authority—
(i)in connection with its social services functions (within the meaning of the Local Authority Social Services Act 1970 or the Social Services and Well-being (Wales) Act 2014 (anaw 4)) or any functions exercised by local authorities under the Social Work (Scotland) Act 1968 or referred to in section 5(1B) of that Act, or
(ii)in the exercise of other functions but obtained or consisting of information obtained in connection with any of the functions mentioned in sub-paragraph (i);
(b)data processed by the Regional Health and Social Care Board—
(i)in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)), or
(ii)in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;
(c)data processed by a Health and Social Care trust—
(i)in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)) on behalf of the Regional Health and Social Care Board by virtue of an authorisation made under Article 3(1) of the Health and Personal Social Services (Northern Ireland) Order 1994 (S.I. 1994/429 (N.I. 2)), or
(ii)in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;
(d)data processed by a council in the exercise of its functions under Part 2 of Schedule 9 to the Health and Social Services and Social Security Adjudications Act 1983;
(e)data processed by—
(i)a probation trust established under section 5 of the Offender Management Act 2007, or
(ii)the Probation Board for Northern Ireland established by the Probation Board (Northern Ireland) Order 1982 (S.I. 1982/713 (N.I. 10));
(f)data processed by a local authority in the exercise of its functions under section 36 of the Children Act 1989 or Chapter 2 of Part 6 of the Education Act 1996, so far as those functions relate to ensuring that children of compulsory school age (within the meaning of section 8 of the Education Act 1996) receive suitable education whether by attendance at school or otherwise;
(g)data processed by the Education Authority in the exercise of its functions under Article 55 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 45 of, and Schedule 13 to, the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)), so far as those functions relate to ensuring that children of compulsory school age (within the meaning of Article 46 of the Education and Libraries (Northern Ireland) Order 1986) receive efficient full-time education suitable to their age, ability and aptitude and to any special educational needs they may have, either by regular attendance at school or otherwise;
(h)data processed by an education authority in the exercise of its functions under sections 35 to 42 of the Education (Scotland) Act 1980 so far as those functions relate to ensuring that children of school age (within the meaning of section 31 of the Education (Scotland) Act 1980) receive efficient education suitable to their age, ability and aptitude, whether by attendance at school or otherwise;
(i)data relating to persons detained in a hospital at which high security psychiatric services are provided under section 4 of the National Health Service Act 2006 and processed by a Special Health Authority established under section 28 of that Act in the exercise of any functions similar to any social services functions of a local authority;
(j)data relating to persons detained in special accommodation provided under Article 110 of the Mental Health (Northern Ireland) Order 1986 (S.I. 1986/595 (N.I. 4)) and processed by a Health and Social Care trust in the exercise of any functions similar to any social services functions of a local authority;
(k)data which—
(i)is processed by the National Society for the Prevention of Cruelty to Children, or by any other voluntary organisation or other body designated under this paragraph by the Secretary of State or the Department of Health in Northern Ireland, and
(ii)appears to the Secretary of State or the Department, as the case may be, to be processed for the purposes of the provision of any service similar to a service provided in the exercise of any functions specified in paragraph (a), (b), (c) or (d);
(l)data processed by a body mentioned in sub-paragraph (2)—
(i)which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (k) or from a government department, and
(ii)in the case of data obtained, or consisting of information obtained, from an authority or body mentioned in any of paragraphs (a) to (k), fell within any of those paragraphs while processed by the authority or body;
(m)data processed by a National Health Service trust first established under section 25 of the National Health Service Act 2006, section 18 of the National Health Service (Wales) Act 2006 or section 5 of the National Health Service and Community Care Act 1990 in the exercise of any functions similar to any social services functions of a local authority;
(n)data processed by an NHS foundation trust in the exercise of any functions similar to any social services functions of a local authority;
(o)data processed by a government department—
(i)which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (n), and
(ii)which fell within any of those paragraphs while processed by that authority or body;
(p)data processed for the purposes of the functions of the Secretary of State pursuant to section 82(5) of the Children Act 1989;
(q)data processed by—
(i)a children's guardian appointed under Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)),
(ii)a guardian ad litem appointed under Article 60 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 66 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), or
(iii)a safeguarder appointed under section 30(2) or 31(3) of the Children's Hearings (Scotland) Act 2011 (asp 1);
(r)data processed by the Principal Reporter;
(s)data processed by an officer of the Children and Family Court Advisory and Support Service for the purpose of the officer's functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
(t)data processed by the Welsh family proceedings officer for the purposes of the functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010;
(u)data processed by an officer of the service appointed as guardian ad litem under Part 16 of the Family Procedure Rules 2010;
(v)data processed by the Children and Family Court Advisory and Support Service for the purpose of its functions under section 12(1) and (2) and section 13(1), (2) and (4) of the Criminal Justice and Court Services Act 2000;
(w)data processed by the Welsh Ministers for the purposes of their functions under section 35(1) and (2) and section 36(1), (2), (4), (5) and (6) of the Children Act 2004;
(x)data processed for the purposes of the functions of the appropriate Minister pursuant to section 12 of the Adoption and Children Act 2002 (independent review of determinations).
(2)The bodies referred to in sub-paragraph (1)(l) are—
(a)a National Health Service trust first established under section 25 of the National Health Service Act 2006 or section 18 of the National Health Service (Wales) Act 2006;
(b)a National Health Service trust first established under section 5 of the National Health Service and Community Care Act 1990;
(c)an NHS foundation trust;
(d)a clinical commissioning group established under section 14D of the National Health Service Act 2006;
(e)the National Health Service Commissioning Board;
(f)a Local Health Board established under section 11 of the National Health Service (Wales) Act 2006;
(g)a Health Board established under section 2 of the National Health Service (Scotland) Act 1978.
9(1)The listed GDPR provisions do not apply to data that is not education data or data concerning health if—U.K.
(a)it is processed by a court,
(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
(c)in accordance with any of those rules, the data may be withheld by the court in whole or in part from the data subject.
(2)Those rules are—
(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
(f)the Sheriff Court Adoption Rules 2009;
(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
10(1)This paragraph applies where a request for social work data is made in exercise of a power conferred by an enactment or rule of law and—U.K.
(a)in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,
(b)in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or
(c)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
(2)The listed GDPR provisions do not apply to social work data to the extent that complying with the request would disclose information—
(a)which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,
(b)which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or
(c)which the data subject has expressly indicated should not be so disclosed.
(3)The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.
Textual Amendments
F59Words in Sch. 3 para. 11 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(11) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
11U.K.Article 15(1) to (3) of the [F60UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not apply to social work data to the extent that the serious harm test is met with respect to the data.
Textual Amendments
F60Words in Sch. 3 para. 11 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(12) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F61Words in Sch. 3 para. 12 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(13) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
12(1)This paragraph applies where—U.K.
(a)a question arises as to whether a controller who is a social work authority is obliged by Article 15(1) to (3) of the [F62UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) to disclose social work data, and
(b)the data—
(i)originated from or was supplied by the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and
(ii)is not data which the data subject is entitled to receive from the Principal Reporter.
(2)The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.
(3)Article 15(1) to (3) of the [F63UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.
(4)In this paragraph “social work authority” means a local authority for the purposes of the Social Work (Scotland) Act 1968.
Textual Amendments
F62Words in Sch. 3 para. 12(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(14) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F63Words in Sch. 3 para. 12(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(14) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
13U.K.In this Part of this Schedule “educational record” means a record to which paragraph 14, 15 or 16 applies.
14(1)This paragraph applies to a record of information which—U.K.
(a)is processed by or on behalf of the proprietor of, or a teacher at, a school in England and Wales specified in sub-paragraph (3),
(b)relates to an individual who is or has been a pupil at the school, and
(c)originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
(2)But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
(3)The schools referred to in sub-paragraph (1)(a) are—
(a)a school maintained by a local authority;
(b)an Academy school;
(c)an alternative provision Academy;
(d)an independent school that is not an Academy school or an alternative provision Academy;
(e)a non-maintained special school.
(4)The persons referred to in sub-paragraph (1)(c) are—
(a)an employee of the local authority which maintains the school;
(b)in the case of—
(i)a voluntary aided, foundation or foundation special school (within the meaning of the School Standards and Framework Act 1998),
(ii)an Academy school,
(iii)an alternative provision Academy,
(iv)an independent school that is not an Academy school or an alternative provision Academy, or
(v)a non-maintained special school,
a teacher or other employee at the school (including an educational psychologist engaged by the proprietor under a contract for services);
(c)the pupil to whom the record relates;
(d)a parent, as defined by section 576(1) of the Education Act 1996, of that pupil.
(5)In this paragraph—
“independent school” has the meaning given by section 463 of the Education Act 1996;
“local authority” has the same meaning as in that Act (see sections 579(1) and 581 of that Act);
“non-maintained special school” has the meaning given by section 337A of that Act;
“proprietor” has the meaning given by section 579(1) of that Act.
15(1)This paragraph applies to a record of information which is processed—U.K.
(a)by an education authority in Scotland, and
(b)for the purpose of the relevant function of the authority.
(2)But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
(3)For the purposes of this paragraph, information processed by an education authority is processed for the purpose of the relevant function of the authority if the processing relates to the discharge of that function in respect of a person—
(a)who is or has been a pupil in a school provided by the authority, or
(b)who receives, or has received, further education provided by the authority.
(4)In this paragraph “the relevant function” means, in relation to each education authority, its function under section 1 of the Education (Scotland) Act 1980 and section 7(1) of the Self-Governing Schools etc. (Scotland) Act 1989.
16(1)This paragraph applies to a record of information which—U.K.
(a)is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),
(b)relates to an individual who is or has been a pupil at the school, and
(c)originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
(2)But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
(3)The schools referred to in sub-paragraph (1)(a) are—
(a)a grant-aided school;
(b)an independent school.
(4)The persons referred to in sub-paragraph (1)(c) are—
(a)a teacher at the school;
(b)an employee of the Education Authority, other than a teacher at the school;
(c)an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;
(d)the pupil to whom the record relates;
(e)a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).
(5)In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).
17(1)In this Part of this Schedule—U.K.
“education authority” and “further education” have the same meaning as in the Education (Scotland) Act 1980;
“education data” means personal data consisting of information which—
constitutes an educational record, but
is not data concerning health;
“Principal Reporter” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
“pupil” means—
in relation to a school in England and Wales, a registered pupil within the meaning of the Education Act 1996,
in relation to a school in Scotland, a pupil within the meaning of the Education (Scotland) Act 1980, and
in relation to a school in Northern Ireland, a registered pupil within the meaning of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3));
“school”—
in relation to England and Wales, has the same meaning as in the Education Act 1996,
in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and
in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;
“teacher” includes—
in Great Britain, head teacher, and
in Northern Ireland, the principal of a school.
(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to education data if the application of Article 15 of the [F64UK GDPR] to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
Textual Amendments
F64Words in Sch. 3 para. 17(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(15) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
18(1)The listed GDPR provisions do not apply to education data if—U.K.
(a)it is processed by a court,
(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
(c)in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.
(2)Those rules are—
(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
(f)the Sheriff Court Adoption Rules 2009;
(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
Textual Amendments
F65Words in Sch. 3 para. 19 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(16) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
19U.K.Article 15(1) to (3) of the [F66UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not apply to education data to the extent that the serious harm test is met with respect to the data.
Textual Amendments
F66Words in Sch. 3 para. 19 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(17) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F67Words in Sch. 3 para. 20 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(18) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
20(1)This paragraph applies where—U.K.
(a)a question arises as to whether a controller who is an education authority is obliged by Article 15(1) to (3) of the [F68UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) to disclose education data, and
(b)the controller believes that the data—
(i)originated from or was supplied by or on behalf of the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and
(ii)is not data which the data subject is entitled to receive from the Principal Reporter.
(2)The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.
(3)Article 15(1) to (3) of the [F69UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.
Textual Amendments
F68Words in Sch. 3 para. 20(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(19) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F69Words in Sch. 3 para. 20(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(19) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F70Words in Sch. 3 para. 21 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(20) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
21(1)This paragraph applies where a request for child abuse data is made in exercise of a power conferred by an enactment or rule of law and—U.K.
(a)the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject, or
(b)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
(2)Article 15(1) to (3) of the [F71UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not apply to child abuse data to the extent that the application of that provision would not be in the best interests of the data subject.
(3)“Child abuse data” is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse.
(4)For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
(5)This paragraph does not apply in relation to Scotland.
Textual Amendments
F71Words in Sch. 3 para. 21(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(21) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Section 15
Textual Amendments
F72Words in Sch. 4 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 94(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F73Words in Sch. 4 para. 1 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 94(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
1U.K.In this Schedule “the listed GDPR provisions” means the following provisions of the [F74UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F74UK GDPR])—
(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(b)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3).
Textual Amendments
F74Words in Sch. 4 para. 1 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 94(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
2U.K.The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of sections 31, 31ZA to 31ZE and 33A to 33D of the Human Fertilisation and Embryology Act 1990.
3(1)The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2), (3) or (4).U.K.
(2)The enactments extending to England and Wales are—
(a)regulation 14 of the Adoption Agencies Regulations 1983 (S.I. 1983/1964);
(b)regulation 41 of the Adoption Agencies Regulations 2005 (S.I. 2005/389);
(c)regulation 42 of the Adoption Agencies (Wales) Regulations 2005 (S.I. 2005/1313 (W. 95));
(d)rules 5, 6, 9, 17, 18, 21, 22 and 53 of the Adoption Rules 1984 (S.I. 1984/265);
(e)rules 24, 29, 30, 65, 72, 73, 77, 78 and 83 of the Family Procedure (Adoption) Rules 2005 (S.I. 2005/2795 (L. 22));
(f)in the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)), rules 14.6, 14.11, 14.12, 14.13, 14.14, 14.24, 16.20 (so far as it applies to a children's guardian appointed in proceedings to which Part 14 of those Rules applies), 16.32 and 16.33 (so far as it applies to a children and family reporter in proceedings to which Part 14 of those Rules applies).
(3)The enactments extending to Scotland are—
(a)regulation 23 of the Adoption Agencies (Scotland) Regulations 1996 (S.I. 1996/3266 (S. 254));
(b)rule 67.3 of the Act of Sederunt (Rules of the Court of Session 1994) 1994 (S.I. 1994/1443 (S. 69));
(c)rules 10.3, 17.2, 21, 25, 39, 43.3, 46.2 and 47 of the Act of Sederunt (Sheriff Court Rules Amendment) (Adoption and Children (Scotland) Act 2007) 2009 (S.S.I. 2009/284);
(d)sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4);
(e)regulation 28 of the Adoption Agencies (Scotland) Regulations 2009 (S.S.I. 2009/154);
(f)regulation 3 of the Adoption (Disclosure of Information and Medical Information about Natural Parents) (Scotland) Regulations 2009 (S.S.I. 2009/268).
(4)The enactments extending to Northern Ireland are—
(a)Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22));
(b)rule 53 of Order 84 of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);
(c)rules 4A.4(5), 4A.5(1), 4A.6(6), 4A.22(5) and 4C.7 of Part IVA of the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322).
4(1)The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2).U.K.
(2)The enactments are—
(a)regulation 17 of the Special Educational Needs and Disability Regulations 2014 (S.I. 2014/1530);
(b)regulation 10 of the Additional Support for Learning (Co-ordinated Support Plan) (Scotland) Amendment Regulations 2005 (S.S.I. 2005/518);
(c)regulation 22 of the Education (Special Educational Needs) Regulations (Northern Ireland) 2005 (S.R. (N.I.) 2005 No. 384).
5(1)The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2), (3) or (4).U.K.
(2)The enactments extending to England and Wales are—
(a)sections 60, 77, 78 and 79 of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—
(i)section 30 of the Human Fertilisation and Embryology Act 1990, or
(ii)section 54 of the Human Fertilisation and Embryology Act 2008;
(b)rules made under section 144 of the Magistrates' Courts Act 1980 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010, so far as the rules relate to—
(i)the appointment and duties of the parental order reporter, and
(ii)the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings;
(c)rules made under section 75 of the Courts Act 2003 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985), so far as the rules relate to—
(i)the appointment and duties of the parental order reporter, and
(ii)the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings.
(3)The enactments extending to Scotland are—
(a)sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4), as applied with modifications by regulation 4 of and Schedule 3 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—
(i)section 30 of the Human Fertilisation and Embryology Act 1990, or
(ii)section 54 of the Human Fertilisation and Embryology Act 2008;
(b)rules 2.47 and 2.59 of the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
(c)rules 21 and 25 of the Sheriff Court Adoption Rules 2009.
(4)The enactments extending to Northern Ireland are—
(a)Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), as applied with modifications by regulation 3 of and Schedule 2 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 in respect of parental orders made under—
(i)section 30 of the Human Fertilisation and Embryology Act 1990, or
(ii)section 54 of the Human Fertilisation and Embryology Act 2008;
(b)rules 4, 5 and 16 of Order 84A of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);
(c)rules 3, 4 and 15 of Order 50A of the County Court Rules (Northern Ireland) 1981 (S.R. (N.I.) 1981 No. 225).
6U.K.The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of the following enactments—
(a)section 178 of the Children's Hearings (Scotland) Act 2011 (asp 1);
(b)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
Section 17
1(1)This Schedule applies where—U.K.
(a)a person (“the applicant”) applies to an accreditation authority for accreditation as a certification provider, and
(b)is dissatisfied with the decision on that application.
(2)In this Schedule—
“accreditation authority” means—
the Commissioner, or
the [F75UK national accreditation body];
“certification provider” and “[F75UK national accreditation body]” have the same meaning as in section 17.
Textual Amendments
F75Words in Sch. 5 para. 1(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 95(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
2(1)The applicant may ask the accreditation authority to review the decision.U.K.
(2)The request must be made in writing before the end of the period of 28 days beginning with the day on which the person receives written notice of the accreditation authority's decision.
(3)The request must specify—
(a)the decision to be reviewed, and
(b)the reasons for asking for the review.
(4)The request may be accompanied by additional documents which the applicant wants the accreditation authority to take into account for the purposes of the review.
(5)If the applicant makes a request in accordance with sub-paragraphs (1) to (4), the accreditation authority must—
(a)review the decision, and
(b)inform the applicant of the outcome of the review in writing before the end of the period of 28 days beginning with the day on which the request for a review is received.
3(1)If the applicant is dissatisfied with the decision on the review under paragraph 2, the applicant may ask the accreditation authority to refer the decision to an appeal panel constituted in accordance with paragraph 4.U.K.
(2)The request must be made in writing before the end of the period of 3 months beginning with the day on which the person receives written notice of the decision on the review.
(3)A request must specify—
(a)the decision to be referred to the appeal panel, and
(b)the reasons for asking for it to be referred.
(4)The request may be accompanied by additional documents which the applicant wants the appeal panel to take into account.
(5)The applicant may discontinue an appeal at any time by giving notice in writing to the accreditation authority.
4(1)If the applicant makes a request in accordance with paragraph 3, an appeal panel must be established in accordance with this paragraph.U.K.
(2)An appeal panel must consist of a chair and at least two other members.
(3)Where the request relates to a decision of the Commissioner—
(a)the Secretary of State may appoint one person to be a member of the appeal panel other than the chair, and
(b)subject to paragraph (a), the Commissioner must appoint the members of the appeal panel.
(4)Where the request relates to a decision of the [F76UK national accreditation body]—
(a)the Secretary of State—
(i)may appoint one person to be a member of the appeal panel other than the chair, or
(ii)may direct the Commissioner to appoint one person to be a member of the appeal panel other than the chair, and
(b)subject to paragraph (a), the chair of the [F76UK national accreditation body] must appoint the members of the appeal panel.
(5)A person may not be a member of an appeal panel if the person—
(a)has a commercial interest in the decision referred to the panel,
(b)has had any prior involvement in any matters relating to the decision, or
(c)is an employee or officer of the accreditation authority.
(6)The Commissioner may not be a member of an appeal panel to which a decision of the Commissioner is referred.
(7)The applicant may object to all or any of the members of the appeal panel appointed under sub-paragraph (3) or (4).
(8)If the applicant objects to a member of the appeal panel under sub-paragraph (7), the person who appointed that member must appoint a replacement.
(9)The applicant may not object to a member of the appeal panel appointed under sub-paragraph (8).
Textual Amendments
F76Words in Sch. 5 para. 4(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 95(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
5(1)If the appeal panel considers it necessary, a hearing must be held at which both the applicant and the accreditation authority may be represented.U.K.
(2)Any additional documents which the applicant or the accreditation authority want the appeal panel to take into account must be submitted to the chair of the appeal panel at least 5 working days before the hearing.
(3)The appeal panel may allow experts and witnesses to give evidence at a hearing.
6(1)The appeal panel must, before the end of the period of 28 days beginning with the day on which the appeal panel is established in accordance with paragraph 4—U.K.
(a)make a reasoned recommendation in writing to the accreditation authority, and
(b)give a copy of the recommendation to the applicant.
(2)For the purposes of sub-paragraph (1), where there is an objection under paragraph 4(7), an appeal panel is not to be taken to be established in accordance with paragraph 4 until the replacement member is appointed (or, if there is more than one objection, until the last replacement member is appointed).
(3)The accreditation authority must, before the end of the period of 3 working days beginning with the day on which the authority receives the recommendation—
(a)make a reasoned final decision in writing, and
(b)give a copy of the decision to the applicant.
(4)Where the accreditation authority is the [F77UK national accreditation body], the recommendation must be given to, and the final decision must be made by, the chief executive of that body.
Textual Amendments
F77Words in Sch. 5 para. 6(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 95(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
7U.K.In this Schedule, “working day” means any day other than—
(a)Saturday or Sunday,
(b)Christmas Day or Good Friday, or
(c)a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.
Section 22
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F78Sch. 6 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 96 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Section 30
1U.K.Any United Kingdom government department other than a non-ministerial government department.
2U.K.The Scottish Ministers.
3U.K.Any Northern Ireland department.
4U.K.The Welsh Ministers.
5U.K.The chief constable of a police force maintained under section 2 of the Police Act 1996.
6U.K.The Commissioner of Police of the Metropolis.
7U.K.The Commissioner of Police for the City of London.
8U.K.The Chief Constable of the Police Service of Northern Ireland.
9U.K.The chief constable of the Police Service of Scotland.
10U.K.The chief constable of the British Transport Police.
11U.K.The chief constable of the Civil Nuclear Constabulary.
12U.K.The chief constable of the Ministry of Defence Police.
13U.K.The Provost Marshal of the Royal Navy Police.
14U.K.The Provost Marshal of the Royal Military Police.
15U.K.The Provost Marshal of the Royal Air Force Police.
16U.K.The chief officer of—
(a)a body of constables appointed under provision incorporating section 79 of the Harbours, Docks, and Piers Clauses Act 1847;
(b)a body of constables appointed under an order made under section 14 of the Harbours Act 1964;
(c)the body of constables appointed under section 154 of the Port of London Act 1968 (c.xxxii).
17U.K.A body established in accordance with a collaboration agreement under section 22A of the Police Act 1996.
18U.K.The Director General of the Independent Office for Police Conduct.
19U.K.The Police Investigations and Review Commissioner.
20U.K.The Police Ombudsman for Northern Ireland.
21U.K.The Commissioners for Her Majesty's Revenue and Customs.
22U.K.The Welsh Revenue Authority.
23U.K.Revenue Scotland.
24U.K.The Director General of the National Crime Agency.
25U.K.The Director of the Serious Fraud Office.
26U.K.The Director of Border Revenue.
27U.K.The Financial Conduct Authority.
28U.K.The Health and Safety Executive.
29U.K.The Competition and Markets Authority.
30U.K.The Gas and Electricity Markets Authority.
31U.K.The Food Standards Agency.
32U.K.Food Standards Scotland.
33U.K.Her Majesty's Land Registry.
34U.K.The Criminal Cases Review Commission.
35U.K.The Scottish Criminal Cases Review Commission.
36U.K.A provider of probation services (other than the Secretary of State), acting in pursuance of arrangements made under section 3(2) of the Offender Management Act 2007.
37U.K.The Youth Justice Board for England and Wales.
38U.K.The Parole Board for England and Wales.
39U.K.The Parole Board for Scotland.
40U.K.The Parole Commissioners for Northern Ireland.
41U.K.The Probation Board for Northern Ireland.
42U.K.The Prisoner Ombudsman for Northern Ireland.
43U.K.A person who has entered into a contract for the running of, or part of—
(a)a prison or young offender institution under section 84 of the Criminal Justice Act 1991, or
(b)a secure training centre under section 7 of the Criminal Justice and Public Order Act 1994.
44U.K.A person who has entered into a contract with the Secretary of State—
(a)under section 80 of the Criminal Justice Act 1991 for the purposes of prisoner escort arrangements, or
(b)under paragraph 1 of Schedule 1 to the Criminal Justice and Public Order Act 1994 for the purposes of escort arrangements.
45U.K.A person who is, under or by virtue of any enactment, responsible for securing the electronic monitoring of an individual.
46U.K.A youth offending team established under section 39 of the Crime and Disorder Act 1998.
47U.K.The Director of Public Prosecutions.
48U.K.The Director of Public Prosecutions for Northern Ireland.
49U.K.The Lord Advocate.
50U.K.A Procurator Fiscal.
51U.K.The Director of Service Prosecutions.
52U.K.The Information Commissioner.
53U.K.The Scottish Information Commissioner.
54U.K.The Scottish Courts and Tribunal Service.
55U.K.The Crown agent.
56U.K.A court or tribunal.
Section 35(5)
1U.K.This condition is met if the processing—
(a)is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and
(b)is necessary for reasons of substantial public interest.
2U.K.This condition is met if the processing is necessary for the administration of justice.
3U.K.This condition is met if the processing is necessary to protect the vital interests of the data subject or of another individual.
4(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of—
(i)protecting an individual from neglect or physical, mental or emotional harm, or
(ii)protecting the physical, mental or emotional well-being of an individual,
(b)the individual is—
(i)aged under 18, or
(ii)aged 18 or over and at risk,
(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)the processing is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a)has needs for care and support,
(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.
5U.K.This condition is met if the processing relates to personal data which is manifestly made public by the data subject.
6U.K.This condition is met if the processing—
(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
7U.K.This condition is met if the processing is necessary when a court or other judicial authority is acting in its judicial capacity.
8(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b)consists of—
(i)the disclosure of personal data by a competent authority as a member of an anti-fraud organisation,
(ii)the disclosure of personal data by a competent authority in accordance with arrangements made by an anti-fraud organisation, or
(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.
9U.K.This condition is met if the processing is necessary—
(a)for archiving purposes in the public interest,
(b)for scientific or historical research purposes, or
(c)for statistical purposes.
Section 86
1U.K.The data subject has given consent to the processing.
2U.K.The processing is necessary—
(a)for the performance of a contract to which the data subject is a party, or
(b)in order to take steps at the request of the data subject prior to entering into a contract.
3U.K.The processing is necessary for compliance with a legal obligation to which the controller is subject, other than an obligation imposed by contract.
4U.K.The processing is necessary in order to protect the vital interests of the data subject or of another individual.
5U.K.The processing is necessary—
(a)for the administration of justice,
(b)for the exercise of any functions of either House of Parliament,
(c)for the exercise of any functions conferred on a person by an enactment or rule of law,
(d)for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(e)for the exercise of any other functions of a public nature exercised in the public interest by a person.
6(1)The processing is necessary for the purposes of legitimate interests pursued by—U.K.
(a)the controller, or
(b)the third party or parties to whom the data is disclosed.
(2)Sub-paragraph (1) does not apply where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.
(3)In this paragraph, “third party”, in relation to personal data, means a person other than the data subject, the controller or a processor or other person authorised to process personal data for the controller or processor.
Section 86
1U.K.The data subject has given consent to the processing.
2U.K.The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by an enactment or rule of law on the controller in connection with employment.
3U.K.The processing is necessary—
(a)in order to protect the vital interests of the data subject or of another person, in a case where—
(i)consent cannot be given by or on behalf of the data subject, or
(ii)the controller cannot reasonably be expected to obtain the consent of the data subject, or
(b)in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of—
(i)protecting an individual from neglect or physical, mental or emotional harm, or
(ii)protecting the physical, mental or emotional well-being of an individual,
(b)the individual is—
(i)aged under 18, or
(ii)aged 18 or over and at risk,
(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)the processing is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a)has needs for care and support,
(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.
5U.K.The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6U.K.The processing—
(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
7U.K.The processing is necessary—
(a)for the administration of justice,
(b)for the exercise of any functions of either House of Parliament,
(c)for the exercise of any functions conferred on any person by an enactment or rule of law, or
(d)for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
8(1)The processing is necessary for medical purposes and is undertaken by—U.K.
(a)a health professional, or
(b)a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
(2)In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
9(1)The processing—U.K.
(a)is of sensitive personal data consisting of information as to racial or ethnic origin,
(b)is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
(c)is carried out with appropriate safeguards for the rights and freedoms of data subjects.
(2)In this paragraph, “sensitive personal data” means personal data the processing of which constitutes sensitive processing (see section 86(7)).
Section 112
1U.K.In this Schedule, “the listed provisions” means—
(a)Chapter 2 of Part 4 (the data protection principles), except section 86(1)(a) and (2) and Schedules 9 and 10;
(b)Chapter 3 of Part 4 (rights of data subjects);
(c)in Chapter 4 of Part 4 , section 108 (communication of personal data breach to the Commissioner).
2U.K.The listed provisions do not apply to personal data processed for any of the following purposes—
(a)the prevention and detection of crime, or
(b)the apprehension and prosecution of offenders,
to the extent that the application of the listed provisions would be likely to prejudice any of the matters mentioned in paragraph (a) or (b).
3(1)The listed provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of the listed provisions would prevent the controller from complying with that obligation.U.K.
(2)The listed provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or the order of a court, to the extent that the application of the listed provisions would prevent the controller from making the disclosure.
(3)The listed provisions do not apply to personal data where disclosure of the data—
(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of the listed provisions would prevent the controller from making the disclosure.
4U.K.The listed provisions do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.
5U.K.The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice judicial proceedings.
6U.K.The listed provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
7U.K.The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown.
8U.K.The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the economic well-being of the United Kingdom.
9U.K.The listed provisions do not apply to personal data that consists of—
(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
10U.K.The listed provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of the listed provisions would be likely to prejudice the negotiations.
11U.K.The listed provisions do not apply to personal data consisting of a reference given (or to be given) in confidence by the controller for the purposes of—
(a)the education, training or employment (or prospective education, training or employment) of the data subject,
(b)the appointment (or prospective appointment) of the data subject to any office, or
(c)the provision (or prospective provision) by the data subject of any service.
12(1)The listed provisions do not apply to personal data consisting of information recorded by candidates during an exam.U.K.
(2)Where personal data consists of marks or other information processed by a controller—
(a)for the purposes of determining the results of an exam, or
(b)in consequence of the determination of the results of an exam,
section 94 has effect subject to sub-paragraph (3).
(3)Where the relevant time falls before the results of the exam are announced, the period mentioned in section 94(10)(b) is extended until the earlier of—
(a)the end of the period of 5 months beginning with the relevant time, and
(b)the end of the period of 40 days beginning with the announcement of the results.
(4)In this paragraph—
“exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity;
“the relevant time” has the same meaning as in section 94.
(5)For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.
13(1)The listed provisions do not apply to personal data processed for—U.K.
(a)scientific or historical research purposes, or
(b)statistical purposes,
to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.
(2)The exemption in sub-paragraph (1) is available only where—
(a)the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects, and
(b)the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
14(1)The listed provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.U.K.
(2)The exemption in sub-paragraph (1) is available only where the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects.
Section 114
1(1)The Commissioner is to continue to be a corporation sole.U.K.
(2)The Commissioner and the Commissioner's officers and staff are not to be regarded as servants or agents of the Crown.
2(1)The Commissioner is to be appointed by Her Majesty by Letters Patent.U.K.
(2)No recommendation may be made to Her Majesty for the appointment of a person as the Commissioner unless the person concerned has been selected on merit on the basis of fair and open competition.
(3)The Commissioner is to hold office for such term not exceeding 7 years as may be determined at the time of the Commissioner's appointment, subject to paragraph 3.
(4)A person cannot be appointed as the Commissioner more than once.
3(1)The Commissioner may be relieved of office by Her Majesty at the Commissioner's own request.U.K.
(2)The Commissioner may be removed from office by Her Majesty on an Address from both Houses of Parliament.
(3)No motion is to be made in either House of Parliament for such an Address unless a Minister of the Crown has presented a report to that House stating that the Minister is satisfied that one or both of the following grounds is made out—
(a)the Commissioner is guilty of serious misconduct;
(b)the Commissioner no longer fulfils the conditions required for the performance of the Commissioner's functions.
4(1)The Commissioner is to be paid such salary as may be specified by a resolution of the House of Commons.U.K.
(2)There is to be paid in respect of the Commissioner such pension as may be specified by a resolution of the House of Commons.
(3)A resolution for the purposes of this paragraph may—
(a)specify the salary or pension,
(b)specify the salary or pension and provide for it to be increased by reference to such variables as may be specified in the resolution, or
(c)provide that the salary or pension is to be the same as, or calculated on the same basis as, that payable to, or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown.
(4)A resolution for the purposes of this paragraph may take effect from—
(a)the date on which it is passed, or
(b)from an earlier date or later date specified in the resolution.
(5)A resolution for the purposes of this paragraph may make different provision in relation to the pension payable to, or in respect of, different holders of the office of Commissioner.
(6)A salary or pension payable under this paragraph is to be charged on and issued out of the Consolidated Fund.
(7)In this paragraph, “pension” includes an allowance or gratuity and a reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.
5(1)The Commissioner—U.K.
(a)must appoint one or more deputy commissioners, and
(b)may appoint other officers and staff.
(2)The Commissioner is to determine the remuneration and other conditions of service of people appointed under this paragraph.
(3)The Commissioner may pay pensions, allowances or gratuities to, or in respect of, people appointed under this paragraph, including pensions, allowances or gratuities paid by way of compensation in respect of loss of office or employment.
(4)The references in sub-paragraph (3) to paying pensions, allowances or gratuities includes making payments towards the provision of pensions, allowances or gratuities.
(5)In making appointments under this paragraph, the Commissioner must have regard to the principle of selection on merit on the basis of fair and open competition.
(6)The Employers' Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the Commissioner.
6(1)The functions of the Commissioner are to be carried out by the deputy commissioner or deputy commissioners if—U.K.
(a)there is a vacancy in the office of the Commissioner, or
(b)the Commissioner is for any reason unable to act.
(2)When the Commissioner appoints a second or subsequent deputy commissioner, the Commissioner must specify which deputy commissioner is to carry out which of the Commissioner's functions in the circumstances referred to in sub-paragraph (1).
(3)A function of the Commissioner may, to the extent authorised by the Commissioner, be carried out by any of the Commissioner's officers or staff.
7E+W+N.I.The application of the seal of the Commissioner is to be authenticated by—
(a)the Commissioner's signature, or
(b)the signature of another person authorised for the purpose.
8E+W+N.I.A document purporting to be an instrument issued by the Commissioner and to be—
(a)duly executed under the Commissioner's seal, or
(b)signed by or on behalf of the Commissioner,
is to be received in evidence and is to be deemed to be such an instrument unless the contrary is shown.
9U.K.The Secretary of State may make payments to the Commissioner out of money provided by Parliament.
10(1)All fees, charges, penalties and other sums received by the Commissioner in carrying out the Commissioner's functions are to be paid by the Commissioner to the Secretary of State.U.K.
(2)Sub-paragraph (1) does not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.
(3)Any sums received by the Secretary of State under sub-paragraph (1) are to be paid into the Consolidated Fund.
11(1)The Commissioner must—U.K.
(a)keep proper accounts and other records in relation to the accounts, and
(b)prepare in respect of each financial year a statement of account in such form as the Secretary of State may direct.
(2)The Commissioner must send a copy of the statement to the Comptroller and Auditor General—
(a)on or before 31 August next following the end of the year to which the statement relates, or
(b)on or before such earlier date after the end of that year as the Treasury may direct.
(3)The Comptroller and Auditor General must examine, certify and report on the statement.
(4)The Commissioner must arrange for copies of the statement and the Comptroller and Auditor General's report to be laid before Parliament.
(5)In this paragraph, “financial year” means a period of 12 months beginning with 1 April.
12U.K.Paragraphs 1(1), 7 and 8 do not extend to Scotland.
Section 116
1(1)The Commissioner must—U.K.
(a)monitor and enforce Parts 3 and 4 of this Act;
(b)promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing of personal data to which those Parts apply;
(c)advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to processing of personal data to which those Parts apply;
(d)promote the awareness of controllers and processors of their obligations under Parts 3 and 4 of this Act;
(e)on request, provide information to a data subject concerning the exercise of the data subject's rights under Parts 3 and 4 of this Act and, if appropriate, co-operate with F79... foreign designated authorities to provide such information;
(f)co-operate with F80... foreign designated authorities with a view to ensuring the consistency of application and enforcement of F80... the Data Protection Convention, including by sharing information and providing mutual assistance;
(g)conduct investigations on the application of Parts 3 and 4 of this Act, including on the basis of information received from F81... a foreign designated authority or another public authority;
(h)monitor relevant developments to the extent that they have an impact on the protection of personal data, including the development of information and communication technologies;
F82(i). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(2)Section 3(14)(c) does not apply to the reference to personal data in sub-paragraph (1)(h).
Textual Amendments
F79Words in Sch. 13 para. 1(1)(e) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F80Words in Sch. 13 para. 1(1)(f) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F81Words in Sch. 13 para. 1(1)(g) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F82Sch. 13 para. 1(1)(i) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(2)(d) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
2U.K.The Commissioner has the following investigative, corrective, authorisation and advisory powers in relation to processing of personal data to which Part 3 or 4 of this Act applies—
(a)to notify the controller or the processor of an alleged infringement of Part 3 or 4 of this Act;
(b)to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of Part 3 or 4 of this Act;
(c)to issue reprimands to a controller or processor where processing operations have infringed provisions of Part 3 or 4 of this Act;
(d)to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
3U.K.In this Schedule—
“foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Convention;
F83...
Textual Amendments
F83Words in Sch. 13 para. 3 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 97(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Section 118
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F84Sch. 14 Pt. 1 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 98 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
6(1)The Commissioner must, at the request of a foreign designated authority—U.K.
(a)provide that authority with such information referred to in Article 13(3)(a) of the Data Protection Convention (information on law and administrative practice in the field of data protection) as is the subject of the request, and
(b)take appropriate measures in accordance with Article 13(3)(b) of the Data Protection Convention for providing that authority with information relating to the processing of personal data in the United Kingdom.
(2)The Commissioner may ask a foreign designated authority—
(a)to provide the Commissioner with information referred to in Article 13(3) of the Data Protection Convention, or
(b)to take appropriate measures to provide such information.
7(1)This paragraph applies where a request for assistance in exercising any of the rights referred to in Article 8 of the Data Protection Convention in the United Kingdom is made by a person resident outside the United Kingdom, including where the request is forwarded to the Commissioner through the Secretary of State or a foreign designated authority.U.K.
(2)The Commissioner must take appropriate measures to assist the person to exercise those rights.
8(1)This paragraph applies where a request for assistance in exercising any of the rights referred to in Article 8 of the Data Protection Convention in a country or territory (other than the United Kingdom) specified in the request is—U.K.
(a)made by a person resident in the United Kingdom, and
(b)submitted through the Commissioner under Article 14(2) of the Convention.
(2)If the Commissioner is satisfied that the request contains all necessary particulars referred to in Article 14(3) of the Data Protection Convention, the Commissioner must send the request to the foreign designated authority in the specified country or territory.
(3)Otherwise, the Commissioner must, where practicable, notify the person making the request of the reasons why the Commissioner is not required to assist.
9U.K.Where the Commissioner receives information from a foreign designated authority as a result of—
(a)a request made by the Commissioner under paragraph 6(2), or
(b)a request received by the Commissioner under paragraph 6(1) or 7,
the Commissioner may use the information only for the purposes specified in the request.
10U.K.In this Part of this Schedule, “foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Data Protection Convention.
Section 154
1(1)This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that—U.K.
(a)there are reasonable grounds for suspecting that—
(i)a controller or processor has failed or is failing as described in section 149(2), or
(ii)an offence under this Act has been or is being committed, and
(b)there are reasonable grounds for suspecting that evidence of the failure or of the commission of the offence is to be found on premises specified in the information or is capable of being viewed using equipment on such premises.
(2)The judge may grant a warrant to the Commissioner.
2(1)This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that a controller or processor has failed to comply with a requirement imposed by an assessment notice.U.K.
(2)The judge may, for the purpose of enabling the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation, grant a warrant to the Commissioner in relation to premises that were specified in the assessment notice.
3U.K.A judge must not issue a warrant under this Schedule in respect of personal data processed for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.
4(1)A judge must not issue a warrant under this Schedule unless satisfied that—U.K.
(a)the conditions in sub-paragraphs (2) to (4) are met,
(b)compliance with those conditions would defeat the object of entry to the premises in question, or
(c)the Commissioner requires access to the premises in question urgently.
(2)The first condition is that the Commissioner has given 7 days' notice in writing to the occupier of the premises in question demanding access to the premises.
(3)The second condition is that—
(a)access to the premises was demanded at a reasonable hour and was unreasonably refused, or
(b)entry to the premises was granted but the occupier unreasonably refused to comply with a request by the Commissioner or the Commissioner's officers or staff to be allowed to do any of the things referred to in paragraph 5.
(4)The third condition is that, since the refusal, the occupier of the premises—
(a)has been notified by the Commissioner of the application for the warrant, and
(b)has had an opportunity to be heard by the judge on the question of whether or not the warrant should be issued.
(5)In determining whether the first condition is met, an assessment notice given to the occupier is to be disregarded.
5(1)A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff—U.K.
(a)to enter the premises,
(b)to search the premises, and
(c)to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data.
(2)A warrant issued under paragraph 1 must authorise the Commissioner or any of the Commissioner's officers or staff—
(a)to inspect and seize any documents or other material found on the premises which may be evidence of the failure or offence mentioned in that paragraph,
(b)to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may be evidence of that failure or offence,
(c)to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and
(d)to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has failed or is failing as described in section 149(2).
(3)A warrant issued under paragraph 2 must authorise the Commissioner or any of the Commissioner's officers or staff—
(a)to inspect and seize any documents or other material found on the premises which may enable the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation,
(b)to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may enable the Commissioner to make such a determination,
(c)to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and
(d)to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has complied or is complying with the data protection legislation.
(4)A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff to do the things described in sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the day on which the warrant is issued.
(5)For the purposes of this paragraph, a copy of information is in an “appropriate form” if —
(a)it can be taken away, and
(b)it is visible and legible or it can readily be made visible and legible.
6U.K.A judge who issues a warrant under this Schedule must—
(a)issue two copies of it, and
(b)certify them clearly as copies.
7U.K.A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary.
8U.K.A warrant issued under this Schedule may be executed only at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that exercising it at a reasonable hour would defeat the object of the warrant.
9(1)If an occupier of the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, the person executing the warrant must—U.K.
(a)show the occupier the warrant, and
(b)give the occupier a copy of it.
(2)Otherwise, a copy of the warrant must be left in a prominent place on the premises.
10(1)This paragraph applies where a person executing a warrant under this Schedule seizes something.U.K.
(2)The person must, on request—
(a)give a receipt for it, and
(b)give an occupier of the premises a copy of it.
(3)Sub-paragraph (2)(b) does not apply if the person executing the warrant considers that providing a copy would result in undue delay.
(4)Anything seized may be retained for so long as is necessary in all the circumstances.
11(1)The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—U.K.
(a)between a professional legal adviser and the adviser's client, and
(b)in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
(2)The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—
(a)between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
(b)in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
(c)for the purposes of such proceedings.
(3)Sub-paragraphs (1) and (2) do not prevent the exercise of powers conferred by a warrant issued under this Schedule in respect of—
(a)anything in the possession of a person other than the professional legal adviser or the adviser's client, or
(b)anything held with the intention of furthering a criminal purpose.
(4)The references to a communication in sub-paragraphs (1) and (2) include—
(a)a copy or other record of the communication, and
(b)anything enclosed with or referred to in the communication if made as described in sub-paragraph (1)(b) or in sub-paragraph (2)(b) and (c).
(5)In sub-paragraphs (1) to (3), the references to the client of a professional legal adviser include a person acting on behalf of such a client.
12U.K.The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable where their exercise would involve an infringement of the privileges of either House of Parliament.
13(1)This paragraph applies if a person in occupation of premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure of any material under the warrant on the grounds that it consists partly of matters in respect of which those powers are not exercisable.U.K.
(2)The person must, if the person executing the warrant so requests, provide that person with a copy of so much of the material as is not exempt from those powers.
14(1)Where a warrant issued under this Schedule is executed—U.K.
(a)it must be returned to the court from which it was issued after being executed, and
(b)the person by whom it is executed must write on the warrant a statement of the powers that have been exercised under the warrant.
(2)Where a warrant issued under this Schedule is not executed, it must be returned to the court from which it was issued within the time authorised for its execution.
15(1)It is an offence for a person—U.K.
(a)intentionally to obstruct a person in the execution of a warrant issued under this Schedule, or
(b)to fail without reasonable excuse to give a person executing such a warrant such assistance as the person may reasonably require for the execution of the warrant.
(2)It is an offence for a person—
(a)to make a statement in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) which the person knows to be false in a material respect, or
(b)recklessly to make a statement in response to such a requirement which is false in a material respect.
16(1)An explanation given, or information provided, by a person in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) may only be used in evidence against that person—U.K.
(a)on a prosecution for an offence under a provision listed in sub-paragraph (2), or
(b)on a prosecution for any other offence where—
(i)in giving evidence that person makes a statement inconsistent with that explanation or information, and
(ii)evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person's behalf.
(2)Those provisions are—
(a)paragraph 15,
(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
17U.K.In this Schedule—
(a)“premises” includes a vehicle, vessel or other means of transport, and
(b)references to the occupier of premises include the person in charge of a vehicle, vessel or other means of transport.
18U.K.In the application of this Schedule to Scotland—
(a)references to a judge of the High Court have effect as if they were references to a judge of the Court of Session,
(b)references to a circuit judge have effect as if they were references to the sheriff or the summary sheriff,
(c)references to information on oath have effect as if they were references to evidence on oath, and
(d)references to the court from which the warrant was issued have effect as if they were references to the sheriff clerk.
19U.K.In the application of this Schedule to Northern Ireland—
(a)references to a circuit judge have effect as if they were references to a county court judge, and
(b)references to information on oath have effect as if they were references to a complaint on oath.
Section 155
1U.K.In this Schedule, “penalty” means a penalty imposed by a penalty notice.
2(1)Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice.U.K.
(2)The Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given, subject to sub-paragraph (3).
(3)The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.
3(1)A notice of intent must contain the following information—U.K.
(a)the name and address of the person to whom the Commissioner proposes to give a penalty notice;
(b)the reasons why the Commissioner proposes to give a penalty notice (see sub-paragraph (2));
(c)an indication of the amount of the penalty the Commissioner proposes to impose, including any aggravating or mitigating factors that the Commissioner proposes to take into account.
(2)The information required under sub-paragraph (1)(b) includes—
(a)a description of the circumstances of the failure, and
(b)where the notice is given in respect of a failure described in section 149(2), the nature of the personal data involved in the failure.
(3)A notice of intent must also—
(a)state that the person may make written representations about the Commissioner's intention to give a penalty notice, and
(b)specify the period within which such representations may be made.
(4)The period specified for making written representations must be a period of not less than 21 days beginning when the notice of intent is given.
(5)If the Commissioner considers that it is appropriate for the person to have an opportunity to make oral representations about the Commissioner's intention to give a penalty notice, the notice of intent must also—
(a)state that the person may make such representations, and
(b)specify the arrangements for making such representations and the time at which, or the period within which, they may be made.
4(1)The Commissioner may not give a penalty notice before a time, or before the end of a period, specified in the notice of intent for making oral or written representations.U.K.
(2)When deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must consider any oral or written representations made by the person in accordance with the notice of intent.
5(1)A penalty notice must contain the following information—U.K.
(a)the name and address of the person to whom it is addressed;
(b)details of the notice of intent given to the person;
(c)whether the Commissioner received oral or written representations in accordance with the notice of intent;
(d)the reasons why the Commissioner proposes to impose the penalty (see sub-paragraph (2));
(e)the reasons for the amount of the penalty, including any aggravating or mitigating factors that the Commissioner has taken into account;
(f)details of how the penalty is to be paid;
(g)details of the rights of appeal under section 162;
(h)details of the Commissioner's enforcement powers under this Schedule.
(2)The information required under sub-paragraph (1)(d) includes—
(a)a description of the circumstances of the failure, and
(b)where the notice is given in respect of a failure described in section 149(2), the nature of the personal data involved in the failure.
6(1)A penalty must be paid to the Commissioner within the period specified in the penalty notice.U.K.
(2)The period specified must be a period of not less than 28 days beginning when the penalty notice is given.
7(1)The Commissioner may vary a penalty notice by giving written notice (a “penalty variation notice”) to the person to whom it was given.U.K.
(2)A penalty variation notice must specify—
(a)the penalty notice concerned, and
(b)how it is varied.
(3)A penalty variation notice may not—
(a)reduce the period for payment of the penalty;
(b)increase the amount of the penalty;
(c)otherwise vary the penalty notice to the detriment of the person to whom it was given.
(4)If—
(a)a penalty variation notice reduces the amount of the penalty, and
(b)when that notice is given, an amount has already been paid that exceeds the amount of the reduced penalty,
the Commissioner must repay the excess.
8(1)The Commissioner may cancel a penalty notice by giving written notice to the person to whom it was given.U.K.
(2)If a penalty notice is cancelled, the Commissioner—
(a)may not take any further action under section 155 or this Schedule in relation to the failure to which that notice relates, and
(b)must repay any amount that has been paid in accordance with that notice.
9(1)The Commissioner must not take action to recover a penalty unless—U.K.
(a)the period specified in accordance with paragraph 6 has ended,
(b)any appeals against the penalty notice have been decided or otherwise ended,
(c)if the penalty notice has been varied, any appeals against the penalty variation notice have been decided or otherwise ended, and
(d)the period for the person to whom the penalty notice was given to appeal against the penalty, and any variation of it, has ended.
(2)In England and Wales, a penalty is recoverable—
(a)if the county court so orders, as if it were payable under an order of that court;
(b)if the High Court so orders, as if it were payable under an order of that court.
(3)In Scotland, a penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
(4)In Northern Ireland, a penalty is recoverable—
(a)if a county court so orders, as if it were payable under an order of that court;
(b)if the High Court so orders, as if it were payable under an order of that court.
Section 178
1U.K.In this Schedule—
“relevant period” means—
the period of 18 months beginning when the Commissioner starts the first review under section 178, and
the period of 12 months beginning when the Commissioner starts a subsequent review under that section;
“the relevant review”, in relation to a relevant period, means the review under section 178 which the Commissioner must produce a report about by the end of that period.
2(1)This paragraph applies where the Commissioner gives an information notice during a relevant period.U.K.
(2)If the information notice—
(a)states that, in the Commissioner's opinion, the information is required for the purposes of the relevant review, and
(b)gives the Commissioner's reasons for reaching that opinion,
subsections (5) and (6) of section 142 do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.
3(1)Sub-paragraph (2) applies where the Commissioner gives an assessment notice to a person during a relevant period.U.K.
(2)If the assessment notice—
(a)states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice for the purposes of the relevant review, and
(b)gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) of section 146 do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.
(3)During a relevant period, section 147 has effect as if for subsection (5) there were substituted—
“(5)The Commissioner may not give a controller or processor an assessment notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.”
4U.K.Section 164 applies where an information notice or assessment notice contains a statement under paragraph 2(2)(a) or 3(2)(a) as it applies where such a notice contains a statement under section 142(7)(a) or 146(8)(a).
Section 184
1(1)In section 184, “relevant record” means—U.K.
(a)a relevant health record (see paragraph 2),
(b)a relevant record relating to a conviction or caution (see paragraph 3), or
(c)a relevant record relating to statutory functions (see paragraph 4).
(2)A record is not a “relevant record” to the extent that it relates, or is to relate, only to personal data which falls within [F85Article 2(1A) of the UK GDPR] (manual unstructured personal data held by FOI public authorities).
Textual Amendments
F85Words in Sch. 18 para. 1(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 99(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
2U.K.“Relevant health record” means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.
3(1)“Relevant record relating to a conviction or caution” means a record which—U.K.
(a)has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and
(b)contains information relating to a conviction or caution.
(2)Those persons are—
(a)the chief constable of a police force maintained under section 2 of the Police Act 1996;
(b)the Commissioner of Police of the Metropolis;
(c)the Commissioner of Police for the City of London;
(d)the Chief Constable of the Police Service of Northern Ireland;
(e)the chief constable of the Police Service of Scotland;
(f)the Director General of the National Crime Agency;
(g)the Secretary of State.
(3)In this paragraph—
“caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
“conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27)).
4(1)“Relevant record relating to statutory functions” means a record which—U.K.
(a)has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and
(b)contains information relating to a relevant function in relation to that person.
(2)Those persons are—
(a)the Secretary of State;
(b)the Department for Communities in Northern Ireland;
(c)the Department of Justice in Northern Ireland;
(d)the Scottish Ministers;
(e)the Disclosure and Barring Service.
(3)In relation to the Secretary of State, the “relevant functions” are—
(a)the Secretary of State's functions in relation to a person sentenced to detention under—
(i)section 92 of the Powers of Criminal Courts (Sentencing) Act 2000,
[F86(ia)section 260 of the Sentencing Code,]
(ii)section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995, or
(iii)Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));
(b)the Secretary of State's functions in relation to a person imprisoned or detained under—
(i)the Prison Act 1952,
(ii)the Prisons (Scotland) Act 1989, or
(iii)the Prison Act (Northern Ireland) 1953 (c. 18 (N.I.));
(c)the Secretary of State's functions under—
(i)the Social Security Contributions and Benefits Act 1992,
(ii)the Social Security Administration Act 1992,
(iii)the Jobseekers Act 1995,
(iv)Part 5 of the Police Act 1997,
(v)Part 1 of the Welfare Reform Act 2007, or
(vi)Part 1 of the Welfare Reform Act 2012.
(4)In relation to the Department for Communities in Northern Ireland, the “relevant functions” are its functions under—
(a)the Social Security Contributions and Benefits (Northern Ireland) Act 1992,
(b)the Social Security Administration (Northern Ireland) Act 1992,
(c)the Jobseekers (Northern Ireland) Order 1995 (S.I. 1995/2705 (N.I. 15)), or
(d)Part 1 of the Welfare Reform Act (Northern Ireland) 2007 (c. 2 (N.I.)).
(5)In relation to the Department of Justice in Northern Ireland, the “relevant functions” are its functions under Part 5 of the Police Act 1997.
(6)In relation to the Scottish Ministers, the “relevant functions” are their functions under
(a)Part 5 of the Police Act 1997, or
(b)Parts 1 and 2 of the Protection of Vulnerable Groups (Scotland) Act 2007 (asp 14).
(7)In relation to the Disclosure and Barring Service, the “relevant functions” are its functions under—
(a)Part 5 of the Police Act 1997,
(b)the Safeguarding Vulnerable Groups Act 2006, or
(c)the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (S.I. 2007/1351 (N.I. 11)).
Textual Amendments
F86Sch. 18 para. 4(3)(a)(ia) inserted (1.12.2020) by Sentencing Act 2020 (c. 17), s. 416(1), Sch. 24 para. 297 (with Sch. 27); S.I. 2020/1236, reg. 2
5U.K.In this Schedule, “data subject access right” means a right under—
(a)Article 15 of the [F87UK GDPR] (right of access by the data subject);
(b)Article 20 of the [F88UK GDPR] (right to data portability);
(c)section 45 of this Act (law enforcement processing: right of access by the data subject);
(d)section 94 of this Act (intelligence services processing: right of access by the data subject).
Textual Amendments
F87Words in Sch. 18 para. 5(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 99(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F88Words in Sch. 18 para. 5(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 99(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
6U.K.For the purposes of this Schedule, a record which states that a controller is not processing personal data relating to a particular matter is to be taken to be a record containing information relating to that matter.
7(1)The Secretary of State may by regulations amend this Schedule.U.K.
(2)Regulations under this paragraph are subject to the affirmative resolution procedure.
Commencement Information
I5Sch. 18 para. 7 in force at Royal Assent for specified purposes, see s. 212(2)(f)
Section 211
1(1)Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
2(1)Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.U.K.
(2)In subsection (8)—
(a)omit “personal data protection legislation in the United Kingdom that implements”,
(b)for paragraph (a) substitute—
“(a)the GDPR; and”, and
(c)in paragraph (b), at the beginning insert “ legislation in the United Kingdom that implements ”.
(3)In subsection (9), after “section” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
3U.K.In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
4U.K.The Local Government Act 1974 is amended as follows.
5U.K.In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
6U.K.In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
7U.K.The Consumer Credit Act 1974 is amended as follows.
8U.K.In section 157(2A) (duty to disclose name etc of agency)—
(a)in paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
(b)in paragraph (b), after “any” insert “ other ”.
9U.K.In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “ Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) ”.
10U.K.In section 189(1) (definitions), at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.
11U.K.The Pharmacy (Northern Ireland) Order 1976 is amended as follows.
12U.K.In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.
13U.K.In article 8D (European professional card), after paragraph (3) insert—
“(4)In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
14U.K.In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—
“(za)“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
15(1)Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.U.K.
(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
16(1)The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
17(1)Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (2)(a), after “provision” insert “ or the GDPR ”.
(3)For sub-paragraph (3) substitute—
“(3)In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4)After sub-paragraph (4) insert—
“(5)In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
18(1)Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.U.K.
(2)In paragraph 1A(5), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
(3)In paragraph 8C(2), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
(4)In paragraph 11A—
(a)in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “ to supply information ”, and
(b)omit sub-paragraph (2).
19U.K.The Medical Act 1983 is amended as follows.
20(1)Section 29E (evidence) is amended as follows.U.K.
(2)In subsection (5), after “enactment” insert “ or the GDPR ”.
(3)For subsection (7) substitute—
“(7)In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)In subsection (9), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
21(1)Section 35A (General Medical Council's power to require disclosure of information) is amended as follows.U.K.
(2)In subsection (4), after “enactment” insert “ or the GDPR ”.
(3)For subsection (5A) substitute—
“(5A)In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)In subsection (7), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
22U.K.In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
23U.K.In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.
24(1)Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.U.K.
(2)In sub-paragraph (2)(a), after “enactment” insert “ or the GPDR ”.
(3)After sub-paragraph (3) insert—
“(4)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
25(1)Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.U.K.
(2)In sub-paragraph (8), after “enactment” insert “ or the GDPR ”.
(3)For sub-paragraph (8A) substitute—
“(8A)In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4)After sub-paragraph (13) insert—
“(14)In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
26(1)The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
27U.K.The Dentists Act 1984 is amended as follows.
28(1)Section 33B (the General Dental Council's power to require disclosure of information: the dental profession) is amended as follows.U.K.
(2)In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
(3)For subsection (4) substitute—
“(4)For the purposes of subsection (3)—
“relevant enactment” means any enactment other than—
this Act, or
the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).”
(4)After subsection (10) insert—
“(11)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
29U.K.In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
30(1)Section 36Y (the General Dental Council's power to require disclosure of information: professions complementary to dentistry) is amended as follows.U.K.
(2)In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
(3)For subsection (4) substitute—
“(4)For the purposes of subsection (3)—
“relevant enactment” means any enactment other than—
this Act, or
the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).”
(4)After subsection (10) insert—
“(11)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
31U.K.In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.
32(1)The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
33U.K.In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
34U.K.In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—
““health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act);”.
35(1)Section 13B of the Opticians Act 1989 (the Council's power to require disclosure of information) is amended as follows.U.K.
(2)In subsection (3), after “enactment” insert “ or the GDPR ”.
(3)For subsection (4) substitute—
“(4)In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)After subsection (9) insert—
“(10)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
36U.K.The Access to Health Records Act 1990 is amended as follows.
37U.K.For section 2 substitute—
In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).”
38(1)Section 3 (right of access to health records) is amended as follows.U.K.
(2)In subsection (2), omit “Subject to subsection (4) below,”.
(3)In subsection (4), omit from “other than the following” to the end.
39(1)Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (9), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
40(1)Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.U.K.
(2)In subsection (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
41U.K.In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “ section 114 of the Data Protection Act 2018 ”.
42(1)Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.U.K.
(2)In paragraph (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After paragraph (6) insert—
“(7)In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
43U.K.In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—
(a)in paragraph (a), for sub-paragraph (i) substitute—
“(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
44U.K.The Data Protection Act 1998 is repealed, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments).
45U.K.In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
46(1)Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (8), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
47(1)Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.U.K.
(2)For subsection (4) substitute—
“(4)For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”
(3)After subsection (4) insert—
“(4A)“The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
48U.K.The Financial Services and Markets Act 2000 is amended as follows.
F8949U.K.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F89Sch. 19 para. 49 omitted (21.7.2019) by virtue of The Financial Services and Markets Act 2000 (Prospectus) Regulations 2019 (S.I. 2019/1043), regs. 1(1), 37
50U.K.In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
51U.K.In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
52U.K.In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
53U.K.In section 417 (definitions), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
54U.K.In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
55U.K.The Freedom of Information Act 2000 is amended as follows.
56U.K.In section 2(3) (absolute exemptions), for paragraph (f) substitute—
“(f)section 40(1),
(fa)section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.
57U.K.In section 18 (the Information Commissioner), omit subsection (1).
58(1)Section 40 (personal information) is amended as follows.U.K.
(2)In subsection (2)—
(a)in paragraph (a), for “do” substitute “ does ”, and
(b)in paragraph (b), for “either the first or the second” substitute “ the first, second or third ”.
(3)For subsection (3) substitute—
“(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”
(4)For subsection (4) substitute—
“(4A)The third condition is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(5)For subsection (5) substitute—
“(5A)The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).
(5B)The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—
(a)giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—
(i)would (apart from this Act) contravene any of the data protection principles, or
(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;
(b)giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);
(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);
(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(6)Omit subsection (6).
(7)For subsection (7) substitute—
“(7)In this section—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR, and
section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act).
(8)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
59U.K.Omit section 49 (reports to be laid before Parliament).
60U.K.For section 61 (appeal proceedings) substitute—
(1)Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).
(2)In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—
(a)securing the production of material used for the processing of personal data, and
(b)the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.
(3)Subsection (4) applies where—
(a)a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and
(b)if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.
(4)The First-tier Tribunal may certify the offence to the Upper Tribunal.
(5)Where an offence is certified under subsection (4), the Upper Tribunal may—
(a)inquire into the matter, and
(b)deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.
(6)Before exercising the power under subsection (5)(b), the Upper Tribunal must—
(a)hear any witness who may be produced against or on behalf of the person charged with the offence, and
(b)hear any statement that may be offered in defence.
(7)In this section, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”
Commencement Information
I6Sch. 19 para. 60 in force at Royal Assent for specified purposes, see s. 212(2)(f)
61U.K.In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
62U.K.After section 76A insert—
(1)No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions in connection with appeals under section 60 of this Act.
(2)But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(3)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.”
63U.K.In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.
64U.K.In section 84 (interpretation), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
65(1)Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (5) insert—
“(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
66U.K.The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.
67U.K.In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
68U.K.In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
69U.K.In section 29(1) (interpretation), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
70U.K.The Criminal Justice and Police Act 2001 is amended as follows.
71U.K.In section 57(1) (retention of seized items)—
(a)omit paragraph (m), and
(b)after paragraph (s) insert—
“(t)paragraph 10 of Schedule 15 to the Data Protection Act 2018;”.
72U.K.In section 65(7) (meaning of “legal privilege”)—
(a)for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “ paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 ”, and
(b)for “paragraph 9” substitute “ paragraph 11 (matters exempt from inspection and seizure: privileged communications) ”.
73U.K.In Schedule 1 (powers of seizure)—
(a)omit paragraph 65, and
(b)after paragraph 73R insert—
73SThe power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 (powers of entry and inspection).”
74U.K.The Anti-terrorism, Crime and Security Act 2001 is amended as follows.
75(1)Section 19 (disclosure of information held by revenue departments) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (9), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
Prospective
F9076U.K.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
77(1)Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.U.K.
(2)In subsection (3), after “provision” insert “ or the GDPR ”.
(3)For subsection (5) substitute—
“(5)In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4)After subsection (7) insert—
“(8)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
78(1)Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (9) insert—
“(10)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
79U.K.The Proceeds of Crime Act 2002 is amended as follows.
80U.K.In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
81U.K.In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
82U.K.In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
83U.K.In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
84U.K.In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
85U.K.After section 442 insert—
In this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
86(1)Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.U.K.
(2)In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
87(1)In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.U.K.
(2)In paragraph 1, for sub-paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”.
(3)For paragraph 2 substitute—
“2The commission of an offence under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
88U.K.The Freedom of Information (Scotland) Act 2002 is amended as follows.
89U.K.In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.
90(1)Section 38 (personal information) is amended as follows.U.K.
(2)In subsection (1), for paragraph (b) substitute—
“(b)personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.
(3)For subsection (2) substitute—
“(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”
(4)For subsection (3) substitute—
“(3A)The third condition is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(5)Omit subsection (4).
(6)In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—
““the data protection principles” means the principles set out in—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act);”.
(7)After that subsection insert—
“(5A)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
91U.K.Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.
92(1)Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.U.K.
(2)In sub-paragraph (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (5) insert—
“(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
93(1)Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In sub-paragraph (8), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
94(1)Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (8), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
95U.K.The Criminal Justice Act 2003 is amended as follows.
96U.K.In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
97U.K.In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—
“(4A)“The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
98(1)Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research) is amended as follows.U.K.
(2)In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”.
(3)After subsection (9) insert—
“(10)In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
99(1)Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (5), at the beginning insert “In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
100U.K.The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.
101(1)Section 15A (disclosure of information by tax authorities) is amended as follows.U.K.
(2)In subsection (2)—
(a)omit “within the meaning of the Data Protection Act 1998”, and
(b)for “that Act” substitute “ the data protection legislation ”.
(3)After subsection (7) insert—
“(8)In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
102(1)Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (7) insert—
“(8)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
103(1)Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
104U.K.The Children Act 2004 is amended as follows.
105(1)Section 12 (information databases) is amended as follows.U.K.
(2)In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (13) insert—
“(14)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
106(1)Section 29 (information databases: Wales) is amended as follows.U.K.
(2)In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (14) insert—
“(15)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
107(1)Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (9) insert—
“(10)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
108U.K.In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—
““health record” has the same meaning as in the Data Protection Act 2018 (see section 205 of that Act);”.
109(1)Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.U.K.
(2)In subsection (4), for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);”.
(3)For subsection (5) substitute—
“(5)The offences are those under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
110(1)Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(4)After that subsection insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
111(1)Section 352 of the Gambling Act 2005 (data protection) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(4)After that subsection insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
112(1)Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.U.K.
(2)In subsection (7), for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);”.
(3)For subsection (8) substitute—
“(8)The offences are those under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
113U.K.The National Health Service Act 2006 is amended as follows.
114(1)Section 251 (control of patient information) is amended as follows.U.K.
(2)In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “ of the data protection legislation ”.
(3)In subsection (13), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
115(1)Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (3) insert—
“(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
116U.K.In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
117U.K.The National Health Service (Wales) Act 2006 is amended as follows.
118(1)Section 201C (provision of information about medical supplies: supplementary) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (3) insert—
“(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
119U.K.In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
120U.K.The Companies Act 2006 is amended as follows.
121U.K.In section 458(2) (disclosure of information by tax authorities)—
(a)for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “ within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act) ”, and
(b)for “that Act” substitute “ the data protection legislation ”.
122U.K.In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
123U.K.In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
124U.K.In section 1173(1) (minor definitions: general), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
125U.K.In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
126U.K.In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
127U.K.In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
128U.K.In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—
“the data protection legislation | section 1261(1)”. |
129U.K.In Schedule 8 (index of defined expressions: general), at the appropriate place insert—
“the data protection legislation | section 1173(1)”. |
130U.K.The Tribunals, Courts and Enforcement Act 2007 is amended as follows.
131U.K.In section 11(5)(b) (right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
132U.K.In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
133U.K.The Statistics and Registration Service Act 2007 is amended as follows.
134(1)Section 45 (information held by HMRC) is amended as follows.U.K.
(2)In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(3)In subsection (4B), for “the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
135(1)Section 45A (information held by other public authorities) is amended as follows.U.K.
(2)In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(3)In subsection (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)In subsection (12)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(5)In subsection 12(c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
136(1)Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.U.K.
(2)In paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In paragraph (c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
137(1)Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.U.K.
(2)In paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In paragraph (d), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
138U.K.In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
139(1)Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.U.K.
(2)In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(4)In subsection (17), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
140(1)Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.U.K.
(2)In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
(3)In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)In subsection (12)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
141(1)Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.U.K.
(2)In the heading, omit “Data Protection Act 1998 and”.
(3)Omit paragraph (a) (together with the final “or”).
142U.K.In section 67 (general interpretation: Part 1), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
143U.K.The Serious Crime Act 2007 is amended as follows.
144(1)Section 5A (verification and disclosure of information) is amended as follows.U.K.
(2)In subsection (6)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
145(1)Section 68 (disclosure of information to prevent fraud) is amended as follows.U.K.
(2)In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (8), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
146(1)Section 85 (disclosure of information by Revenue and Customs) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (9), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
147(1)Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.U.K.
(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
148U.K.In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—
“(5)In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act).”
149U.K.The Criminal Justice and Immigration Act 2008 is amended as follows.
150U.K.Omit—
(a)section 77 (power to alter penalty for unlawfully obtaining etc personal data), and
(b)section 78 (new defence for obtaining etc for journalism and other special purposes).
151(1)Section 114 (supply of information to Secretary of State etc) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (6) insert—
“(6A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
152(1)Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.U.K.
(2)In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (5) insert—
“(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
153U.K.In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act); ”.
154(1)Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (4) insert—
“(5)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
155(1)Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (7) insert—
“(7A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
156(1)Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.U.K.
(2)In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (11), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
157(1)Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.U.K.
(2)In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (4) insert—
“(5)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
158U.K.The Marine and Coastal Access Act 2009 is amended as follows.
159(1)Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
160(1)Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
161U.K.In Schedule 21 to the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).
162(1)Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.U.K.
(2)In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)In subsection (6), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
163(1)Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.U.K.
(2)In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
164(1)Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (6), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
165(1)Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
166(1)Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that subsection insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
167U.K.The Welsh Language (Wales) Measure 2011 is amended as follows.
168(1)Section 22 (power to disclose information) is amended as follows.U.K.
(2)In subsection (4)—
(a)in the English language text, for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);”, and
(b)in the Welsh language text, for paragraph (a) substitute—
“(a)adrannau 142 i 154, 160 i 164, neu 174 i 176 o Ddeddf Diogelu Data 2018 neu Atodlen 15 i'r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.
(3)For subsection (5)—
(a)in the English language text substitute—
“(5)The offences referred to under subsection (3)(b) are those under—
(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”, and
(b)in the Welsh language text substitute—
“(5)Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw'r rhai—
(a)o dan ddarpariaeth yn Neddf Diogelu Data 2018 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu
(b)o dan adran 77 o Ddeddf Rhyddid Gwybodaeth 2000 (trosedd o altro etc cofnodion gyda'r bwriad o atal datgelu).”
(4)In subsection (8)—
(a)in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
(5)In subsection (9)—
(a)at the appropriate place in the English language text insert—
““the data protection legislation” (“y ddeddfwriaeth diogelu data”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(b)at the appropriate place in the Welsh language text insert—
““mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);”.
169(1)Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.U.K.
(2)In sub-paragraph (7)—
(a)in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
(3)In sub-paragraph (8)—
(a)in the English language text, after “this paragraph” insert “—
“the data protection legislation” (“y ddeddfwriaeth diogelu data”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(b)in the Welsh language text, after “hwn” insert—
““mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);”.
170(1)Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.U.K.
(2)In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
(3)After subsection (3) insert—
“(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
171U.K.The Health and Social Care Act 2012 is amended as follows.
172U.K.In section 250(7) (power to publish information standards), for the definition of “processing” substitute—
““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
173(1)Section 251A (consistent identifiers) is amended as follows.U.K.
(2)In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
174(1)Section 251B (duty to share information) is amended as follows.U.K.
(2)In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
(3)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
175U.K.The Protection of Freedoms Act 2012 is amended as follows.
176(1)Section 27 (exceptions and further provision about consent and notification) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (5) insert—
“(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
177U.K.In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—
““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
178U.K.In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—
““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
179(1)Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (5) insert—
“(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
180U.K.The Crime and Courts Act 2013 is amended as follows.
181(1)Section 42 (other interpretive provisions) is amended as follows.U.K.
(2)In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “ Article 82 of the GDPR or section 168 or 169 of the Data Protection Act 2018 (compensation for contravention of the data protection legislation) ”.
(3)After subsection (5) insert—
“(5A)In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
182(1)Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In that sub-paragraph, in paragraph (a)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(4)After that sub-paragraph, insert—
“(2)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
183(1)Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.U.K.
(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (6) insert—
“(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
184(1)Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.U.K.
(2)In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After sub-paragraph (3) insert—
“(3A)“The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
(4)In sub-paragraph (4), for “comprise or include” substitute “ comprises or includes ”.
185(1)Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.U.K.
(2)In sub-paragraph (4)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(3)After sub-paragraph (5) insert—
“(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
186(1)Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In that sub-paragraph, in paragraph (a)—
(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
(b)for “are” substitute “ is ”.
(4)After that sub-paragraph insert—
“(2)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
187U.K.In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—
“(a)a health record (within the meaning given in section 205 of the Data Protection Act 2018),”.
188U.K.In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—
(a)in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”, and
(b)in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “ personal data ” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno))”.
189(1)Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.U.K.
(2)In subsection (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (4) insert—
“(4A)“The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
190(1)Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.U.K.
(2)In subsection (7)—
(a)for paragraph (b) substitute—
“(b)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and
(b)omit paragraph (c).
(3)After subsection (7) insert—
“(7A)In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
191(1)Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.U.K.
(2)In subsection (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (9), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
192U.K.The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.
193U.K.In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
194U.K.In section 25(1) (interpretation of this Act), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
195U.K.In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
196(1)Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.U.K.
(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (7), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
197(1)Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (11), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
198U.K.The Investigatory Powers Act 2016 is amended as follows.
199U.K.In section 1(5)(b), for sub-paragraph (ii) substitute—
“(ii)in section 170 of the Data Protection Act 2018 (unlawful obtaining etc of personal data),”.
200U.K.In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—
“(2)In this Part, “personal data” means—
(a)personal data within the meaning of section 3(2) of the Data Protection Act 2018 which is subject to processing described in section 82(1) of that Act, and
(b)data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”
Prospective
F91201U.K.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
202U.K.In section 206 (additional safeguards for health records), for subsection (7) substitute—
“(7)In subsection (6)—
“health professional” has the same meaning as in the Data Protection Act 2018 (see section 204(1) of that Act);
“health service body” has meaning given by section 204(4) of that Act.”
203(1)Section 237 (information gateway) is amended as follows.U.K.
(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (2) insert—
“(3)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
204(1)Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.U.K.
(2)In subsection (4), for paragraph (a) substitute—
“(a)sections 142 to 154, 160 to 164 and 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),”.
(3)For subsection (5) substitute—
“(5)The offences are those under—
(a)any provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (powers of entry and inspection: offences),
(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
(4)After subsection (6) insert—
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
205(1)Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.U.K.
(2)In subsection (8), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
(3)After subsection (12) insert—
“(12A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
206U.K.In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—
““health record” has the meaning given by section 205 of the Data Protection Act 2018;”.
207U.K.The Justice Act (Northern Ireland) 2016 is amended as follows.
208(1)Section 17 (disclosure of information) is amended as follows.U.K.
(2)In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (8), after “section” insert “—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
209U.K.In section 44(3) (disclosure of information)—
(a)in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “ sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 ”, and
(b)for paragraph (b) substitute—
“(b)the commission of an offence under—
(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or
(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).”
210(1)Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.U.K.
(2)The existing text becomes subsection (1).
(3)In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that subsection, insert—
“(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
211U.K.In Schedule 5 to the Children and Social Work Act 2017—
(a)in Part 1 (general amendments to do with social workers etc in England), omit paragraph 6, and
(b)in Part 2 (renaming of Health and Social Work Professions Order 2001), omit paragraph 47(g).
Commencement Information
I7Sch. 19 para. 211 in force at 2.12.2019 at 00:01 by S.I. 2019/1434, reg. 2(a)
212U.K.The Higher Education and Research Act 2017 is amended as follows.
213(1)Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)In subsection (7), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
214(1)Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.U.K.
(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (6) insert —
“(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
215U.K.The Digital Economy Act 2017 is amended as follows.
216(1)Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (10) insert—
“(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
217(1)Section 43 (codes of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
218(1)Section 49 (further provision about disclosures under section 48) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (10) insert—
“(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
219(1)Section 52 (code of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
220(1)Section 57 (further provision about disclosures under section 56) is amended as follows.U.K.
(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (10) insert—
“(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
221(1)Section 60 (code of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
222(1)Section 65 (supplementary provision about disclosures under section 64) is amended as follows.U.K.
(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After subsection (8) insert—
“(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
223(1)Section 70 (code of practice) is amended as follows.U.K.
(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
(3)In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
224U.K.Omit sections 108 to 110 (charges payable to the Information Commissioner).
225(1)Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.U.K.
(2)In subsection (4)(a)—
(a)in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”, and
(b)in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri'r ddeddfwriaeth diogelu data”.
(3)After subsection (7)—
(a)in the English language text insert—
“(8)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”, and
(b)in the Welsh language text insert—
“(8)Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno).”
226(1)Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.U.K.
(2)In the English language text—
(a)in subsection (9), omit from “and in this subsection” to the end, and
(b)after subsection (9) insert—
“(9A)In subsection (9)—
“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;
“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
(3)In the Welsh language text—
(a)in subsection (9), omit from “ac yn yr is-adran hon” to the end, and
(b)after subsection (9) insert—
“(9A)Yn is-adran (9)—
mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno);
mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o'r Ddeddf honno.”
227(1)Section 204 of this Act (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).U.K.
(2)In subsection (1)(g)—
(a)omit “and Social Work”, and
(b)omit “, other than the social work profession in England”.
(3)In subsection (2), for paragraph (a) substitute—
“(a)a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.
Commencement Information
I8Sch. 19 para. 227 in force at 2.12.2019 at 00:01 by S.I. 2019/1434, reg. 2(b)
228U.K.In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—
“Data Protection Act 2018 | Section 144 | False statements made in response to an information notice |
Section 148 | Destroying or falsifying information and documents etc” |
229(1)Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.U.K.
(2)In paragraph (2)—
(a)for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “ section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is ”,
(b)for “data controller” substitute “ controller ”,
(c)after “in the context of” insert “ the activities of ”, and
(d)for “and the 1998 Act” substitute “ and the 2018 Act ”.
(3)In paragraph (3)—
(a)for “section 5 of the 1998 Act, data which are” substitute “ section 207 of the 2018 Act, data which is ”,
(b)for “data controller” substitute “ controller ”,
(c)after “in the context of” insert “ the activities of ”, and
(d)for “and the 1998 Act” substitute “ and the 2018 Act ”.
230U.K.The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.
231U.K.In Article 4 (health professionals), for paragraph (1) substitute—
“(1)In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).”
232U.K.In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “ made by the Department ”.
233U.K.In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—
“(2)For the purposes of section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).
(3)For the purposes of section 207 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”
234U.K.The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.
235(1)Regulation 2(1) (interpretation) is amended as follows.U.K.
(2)Omit the definition of “Directive 95/46/EC”.
(3)At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
236(1)The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
237U.K.For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—
7(1)The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2)The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—
(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b)section 209 (application to the Crown),
(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3)In the provisions mentioned in paragraph (4)—
(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and
(b)references to a person in the service of the Crown are to be treated as including a person so employed.
(4)The provisions are—
(a)section 24(3) (exemption for certain data relating to employment under the Crown), and
(b)section 209(6) (application of certain provisions to a person in the service of the Crown).
(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
238U.K.For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—
9(1)The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2)The Commission is to be treated as a government department for the purposes of the following provisions—
(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b)section 209 (application to the Crown),
(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3)In the provisions mentioned in paragraph (4)—
(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and
(b)references to a person in the service of the Crown are to be treated as including a person so employed.
(4)The provisions are—
(a)section 24(3) (exemption for certain data relating to employment under the Crown), and
(b)section 209(6) (application of certain provisions to a person in the service of the Crown).
(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
239U.K.The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.
240U.K.The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.
241U.K.The Data Protection (Functions of Designated Authority) Order 2000 is revoked.
242U.K.The Data Protection (International Co-operation) Order 2000 is revoked.
243U.K.The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.
244U.K.In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.
245U.K.The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.
246U.K.The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.
247U.K.The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.
248U.K.The Data Protection (Crown Appointments) Order 2000 is revoked.
249U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.
250U.K.The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.
251U.K.The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.
252U.K.The Representation of the People (England and Wales) Regulations 2001 are amended as follows.
253U.K.In regulation 3(1) (interpretation), at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
254U.K.In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
255U.K.In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
256U.K.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
257U.K.In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes;”.
258(1)Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.U.K.
(2)After sub-paragraph (b) insert—
“(ba)“relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3)Omit sub-paragraphs (c) and (d).
259U.K.In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
260U.K.In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
261U.K.In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
262U.K.In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
263U.K.In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
264U.K.In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
“(i)Article 89 GDPR purposes;”.
265U.K.The Representation of the People (Scotland) Regulations 2001 are amended as follows.
266U.K.In regulation 3(1) (interpretation), at the appropriate places, insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
267U.K.In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
268U.K.In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
269U.K.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
270U.K.In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes;”.
271U.K.In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes;”.
272(1)Regulation 92(2) (interpretation of Part VI etc) is amended as follows.U.K.
(2)After sub-paragraph (b) insert—
“(ba)“relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3)Omit sub-paragraphs (c) and (d).
273U.K.In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
274U.K.In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
275U.K.In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
276U.K.In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
277U.K.In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
“(i)Article 89 GDPR purposes;”.
278(1)Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.U.K.
(2)In paragraph (2B), for sub-paragraph (a) substitute—
“(a)the disclosure is made in accordance with Chapter V of the GDPR;”.
(3)After paragraph (5) insert—
“(6)In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
279U.K.The Nursing and Midwifery Order 2001 is amended as follows.
280(1)Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.U.K.
(2)In paragraph (18), after “enactment” insert “ or the GDPR ”.
(3)After paragraph (18) insert—
“(19)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
281(1)Article 25 (the Council's power to require disclosure of information) is amended as follows.U.K.
(2)In paragraph (3), after “enactment” insert “ or the GDPR ”.
(3)In paragraph (6)—
(a)for “paragraph (5),” substitute “ paragraph (3)— ”, and
(b)at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
282U.K.In article 39B (European professional card), after paragraph (2) insert—
“(3)For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
283U.K.In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
284(1)Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.U.K.
(2)In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
285(1)The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
286U.K.In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.
287U.K.Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.
288U.K.In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “ the GDPR ”.
289U.K.In paragraph (3)—
(a)omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and
(b)at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
290U.K.The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.
291U.K.The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.
292U.K.In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
293(1)Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In that sub-paragraph, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that sub-paragraph insert—
“(2)In this regulation—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).
(3)Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.”
(5)In the heading of that regulation, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
294U.K.The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.
295U.K.In article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—
(a)for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”, and
(b)for “are” substitute “ is ”.
296U.K.In article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—
(a)for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”,
(b)for “are” substitute “ is ”,
(c)for “section 5” substitute “ section 207 ”,
(d)for “data controller” substitute “ controller ”, and
(e)after “in the context of” insert “ the activities of ”.
297U.K.The Pupils' Educational Records (Scotland) Regulations 2003 are amended as follows.
298(1)Regulation 2 (interpretation) is amended as follows.U.K.
(2)Omit the definition of “the 1998 Act”.
(3)At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
299(1)Regulation 6 (circumstances where information should not be disclosed) is amended as follows.U.K.
(2)After “any information” insert “ to the extent that any of the following conditions are satisfied ”.
(3)For paragraphs (a) to (c) substitute—
“(aa)the pupil to whom the information relates would have no right of access to the information under the GDPR;
(ab)the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.
(4)In paragraph (d), for “to the extent that its disclosure” substitute “ the disclosure of the information ”.
(5)In paragraph (e), for “that” substitute “ the information ”.
300U.K.In regulation 9 (fees), for paragraph (1) substitute—
“(1A)In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.
(1B)Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—
(a)exceeds the cost of supply, or
(b)exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”
301U.K.Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.
302(1)Paragraph 74(1) (interpretation) is amended as follows.U.K.
(2)Omit the definitions of “relevant conditions” and “research purposes”.
(3)At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
303U.K.In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.
304U.K.In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.
305U.K.The Environmental Information Regulations 2004 are amended as follows.
306(1)Regulation 2 (interpretation) is amended as follows.U.K.
(2)In paragraph (1), at the appropriate places, insert—
““the data protection principles” means the principles set out in—
(a)Article 5(1) of the GDPR,
(b)section 34(1) of the Data Protection Act 2018, and
(c)section 85(1) of that Act;”;
““data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”;
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.
(3)For paragraph (4) substitute—
“(4A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—
(a)the references to an FOI public authority were references to a public authority as defined in these Regulations, and
(b)the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”
307(1)Regulation 13 (personal data) is amended as follows.U.K.
(2)For paragraph (1) substitute—
“(1)To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—
(a)the first condition is satisfied, or
(b)the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”
(3)For paragraph (2) substitute—
“(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”
(4)For paragraph (3) substitute—
“(3A)The third condition is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”
(5)Omit paragraph (4).
(6)For paragraph (5) substitute—
“(5A)For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—
(a)the condition in paragraph (5B)(a) is satisfied, or
(b)a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.
(5B)The conditions mentioned in paragraph (5A) are—
(a)giving a member of the public the confirmation or denial—
(i)would (apart from these Regulations) contravene any of the data protection principles, or
(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;
(b)giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 99 of the Data Protection Act 2018 (right to object to processing);
(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);
(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;
(e)on a request under section 94(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”
(7)After that paragraph insert—
“(6)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
308U.K.In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “ regulation 13(1)(b) or (5A) ”.
309U.K.In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “ regulation 13(5A) ”.
310U.K.The Environmental Information (Scotland) Regulations 2004 are amended as follows.
311(1)Regulation 2 (interpretation) is amended as follows.U.K.
(2)In paragraph (1), at the appropriate places, insert—
““the data protection principles” means the principles set out in—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018;”;”;
““data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”;
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.
(3)For paragraph (3) substitute—
“(3A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—
(a)the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and
(b)the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”
312(1)Regulation 11 (personal data) is amended as follows.U.K.
(2)For paragraph (2) substitute—
“(2)To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—
(a)the first condition set out in paragraph (3A) is satisfied, or
(b)the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”
(3)For paragraph (3) substitute—
“(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”
(4)For paragraph (4) substitute—
“(4A)The third condition is that any of the following applies to the information—
(a)it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”
(5)Omit paragraph (5).
(6)After paragraph (6) insert—
“(7)In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
313(1)Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.U.K.
(2)In paragraph (1)(b)—
(a)for paragraph (iii) (but not the final “, and”) substitute—
“(iii)the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and
(b)in the words following paragraph (iii), omit “search”.
(3)After paragraph (2) insert—
“(3)In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
314U.K.The Education (Pupil Information) (England) Regulations 2005 are amended as follows.
315U.K.In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “ section 3(4) of the Data Protection Act 2018 ”.
316(1)Regulation 5 (disclosure of curricular and educational records) is amended as follows.U.K.
(2)In paragraph (4)—
(a)in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
(b)in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “ the GDPR ”.
(3)After paragraph (6) insert—
“(7)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
317(1)Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.U.K.
(2)In paragraph (1)(d)—
(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b)for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
(3)After paragraph (1) insert—
“(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).
(1C)The condition in this paragraph is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
(1D)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
(4)Omit paragraphs (2) to (4).
318U.K.In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—
(a)for the definition of “data protection principles” substitute—
““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and
(b)at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.
319U.K.The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.
320(1)Regulation 39 (sensitive information) is amended as follows.U.K.
(2)In paragraph (1)(d)—
(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b)for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
(3)After paragraph (1) insert—
“(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).
(1C)The condition in this paragraph is that—
(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
(1D)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
(4)Omit paragraphs (2) to (4).
321U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.
322(1)Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(4)After that sub-paragraph insert—
“(2)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
323U.K.In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant's loss of capacity), for paragraph (b) substitute—
“(b)any material used consists of or includes human cells or human DNA,”.
324U.K.For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—
5(1)The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2)The Assembly Commission is to be treated as a government department for the purposes of the following provisions—
(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b)section 209 (application to the Crown),
(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3)In the provisions mentioned in paragraph (4)—
(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and
(b)references to a person in the service of the Crown are to be treated as including a person so employed.
(4)The provisions are—
(a)section 24(3) (exemption for certain data relating to employment under the Crown), and
(b)section 209(6) (application of certain provisions to a person in the service of the Crown).
(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
325U.K.In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant's loss of capacity) —
(a)in the English language text, for paragraph (c) substitute—
“(c)any material used consists of or includes human cells or human DNA; and”, and
(b)in the Welsh language text, for paragraph (c) substitute—
“(c)os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu'n DNA dynol neu yn eu cynnwys; ac”.
326(1)Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.U.K.
(2)In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(3)After paragraph (1) insert—
“(2)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
327U.K.In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a)in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—
“(i)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after paragraph (3) insert—
“(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
328U.K.The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 are amended as follows.
329U.K.In regulation 2 (interpretation), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
330U.K.In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “ information to which the pupil to whom the information relates would have no right of access under the GDPR ”.
331U.K.In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a)in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”, and
(b)after paragraph (3) insert—
“(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
332U.K.In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “ the data protection legislation ”.
333U.K.The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.
334U.K.In regulation 2(1) (interpretation)—
(a)at the appropriate place in the English language text insert—
““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and
(b)at the appropriate place in the Welsh language text insert—
““mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o'r Ddeddf honno (gweler adran 3(10), (11) a (14) o'r Ddeddf honno);”.”
335(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.U.K.
(2)In paragraph (7)—
(a)in the English language text, at the end insert “ or the GDPR ”, and
(b)in the Welsh language text, at the end insert “neu'r GDPR”.
(3)For paragraph (8)—
(a)in the English language text substitute—
“(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b)in the Welsh language text substitute—
“(8)Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
336(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.U.K.
(2)In paragraph (6)—
(a)in the English language text, at the end insert “ or the GDPR ”, and
(b)in the Welsh language text, at the end insert “neu'r GDPR”.
(3)For paragraph (7)—
(a)in the English language text substitute—
“(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b)in the Welsh language text substitute—
“(7)Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
337(1)Regulation 29 (occurrence reports) is amended as follows.U.K.
(2)In paragraph (3)—
(a)in the English language text, at the end insert “ or the GDPR ”, and
(b)in the Welsh language text, at the end insert “neu'r GDPR”.
(3)For paragraph (4)—
(a)in the English language text substitute—
“(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b)in the Welsh language text substitute—
“(4)Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
338(1)Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.U.K.
(2)In paragraph (3)—
(a)omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b)for the words from “where” to the end substitute “ if the condition in paragraph (3A) or (3B) is satisfied ”.
(3)After paragraph (3) insert—
“(3A)The condition in this paragraph is that the disclosure of the information to a member of the public—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a)Article 21 of the GDPR (general processing: right to object to processing), or
(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”
(4)After paragraph (4) insert—
“(5)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
339(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(4)In paragraph (c) of that sub-paragraph—
(a)omit “or” at the end of sub-paragraph (i), and
(b)at the end insert “; or
(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.
(5)After paragraph (c) of that sub-paragraph insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
340(1)Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(4)In paragraph (c) of that sub-paragraph—
(a)omit “or” at the end of sub-paragraph (i), and
(b)at the end insert “; or
(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.
(5)After paragraph (c) of that sub-paragraph insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
341U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.
342U.K.In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—
“(d)matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
343(1)Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.U.K.
(2)In paragraph (2)—
(a)omit “or” at the end of sub-paragraph (a),
(b)for sub-paragraph (b) substitute—
“(b)Article 21 of the GDPR (general processing: right to object to processing), or
(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and
(c)omit the words following sub-paragraph (b).
(3)After paragraph (7) insert—
“(8)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(9)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
344(1)Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.U.K.
(2)In paragraph (2)—
(a)omit “or” at the end of sub-paragraph (a),
(b)for sub-paragraph (b) substitute—
“(b)Article 21 of the GDPR (general processing: right to object to processing), or
(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and
(c)omit the words following sub-paragraph (b).
(3)After paragraph (6) insert—
“(7)In this regulation—
“the data protection principles” means the principles set out in—
Article 5(1) of the GDPR,
section 34(1) of the Data Protection Act 2018, and
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(8)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
345U.K.The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.
346U.K.In regulation 2(2) (interpretation), at the appropriate place insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”
347(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.U.K.
(2)In paragraph (7), at the end insert “ or the GDPR ”.
(3)For paragraph (8) substitute—
“(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
348(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.U.K.
(2)In paragraph (6), at the end insert “ or the GDPR ”.
(3)For paragraph (7) substitute—
“(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
349(1)Regulation 29 (occurrence reports) is amended as follows.U.K.
(2)In paragraph (3), at the end insert “ or the GDPR ”.
(3)For paragraph (4) substitute—
“(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
350U.K.The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.
351U.K.The Pharmacy Order 2010 is amended as follows.
352U.K.In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.
353(1)Article 9 (inspection and enforcement) is amended as follows.U.K.
(2)For paragraph (4) substitute—
“(4)If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”
(3)After paragraph (4) insert—
“(5)In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
354U.K.In article 33A (European professional card), after paragraph (2) insert—
“(3)In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
355(1)Article 49 (disclosure of information: general) is amended as follows.U.K.
(2)In paragraph (2)(a), after “enactment” insert “ or the GDPR ”.
(3)For paragraph (3) substitute—
“(3)In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”
(4)After paragraph (5) insert—
“(6)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
356(1)Article 55 (professional performance assessments) is amended as follows.U.K.
(2)In paragraph (5)(a), after “enactment” insert “ or the GDPR ”.
(3)For paragraph (6) substitute—
“(6)In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”
(4)After paragraph (8) insert—
“(9)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
357U.K.In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—
“(aa)“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
358(1)Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.U.K.
(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “ the GDPR ”.
(3)In paragraph 9 (processing data)—
(a)omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and
(b)after sub-paragraph (2) insert—
“(3)In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”
359(1)The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.U.K.
(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.
360U.K.The Data Protection (Monetary Penalties) Order 2010 is revoked.
361U.K.The National Employment Savings Trust Order 2010 is amended as follows.
362U.K.In article 2 (interpretation)—
(a)omit the definition of “data” and “personal data”, and
(b)at the appropriate place insert—
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
363(1)Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.U.K.
(2)In paragraph (1)—
(a)for “disclosure of data” substitute “ disclosure of information ”, and
(b)for “requested data” substitute “ requested information ”.
(3)In paragraph (2)—
(a)for “requested data” substitute “ requested information ”,
(b)for “those data are” substitute “ the information is ”, and
(c)for “receive those data” substitute “ receive that information ”.
(4)In paragraph (3), for “requested data” substitute “ requested information ”.
(5)In paragraph (4), for “requested data” substitute “ requested information ”.
364(1)Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.U.K.
(2)In paragraph 1(1) (interpretation and general)—
(a)omit the definition of “research purposes”, and
(b)at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3)In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.
365(1)Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.U.K.
(2)In paragraph (5)—
(a)in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—
(a)which the head teacher could not lawfully disclose to the pupil under the GDPR, or
(b)to which the pupil would have no right of access under the GDPR.”, and
(b)in the Welsh language text, for “ddogfennau sy'n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—
(a)na allai'r pennaeth ei datgelu'n gyfreithlon i'r disgybl o dan y GDPR, neu
(b)na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”
(3)After paragraph (5)—
(a)in the English language text insert—
“(6)In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and
(b)in the Welsh language text insert—
“(6)Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a'r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o'r fath (y Rheoliad Diogelu Data Cyffredinol), fel y'i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”
366U.K.In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.
367U.K.The Police and Crime Commissioner Elections Order 2012 is amended as follows.
368(1)Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.U.K.
(2)In paragraph 20 (absent voter lists: supply of copies etc)—
(a)in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after sub-paragraph (10) insert—
“(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3)In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b)after that sub-paragraph insert—
“(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
369(1)Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.U.K.
(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3)In paragraph 5 (restriction on use of documents or of information contained in them)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b)after sub-paragraph (4) insert—
“(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
370U.K.The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.
371U.K.Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.
372(1)Paragraph 29(1) (interpretation of Part 8) is amended as follows.U.K.
(2)At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3)For the definition of “relevant conditions” substitute—
““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.
(4)Omit the definition of “research purposes”.
373U.K.In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
374U.K.In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
375U.K.In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
376U.K.In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
377U.K.In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—
“(a)Article 89 GDPR purposes (as defined in paragraph 29),”.
378(1)Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.U.K.
(2)For paragraph (4) substitute—
“(4)Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
(3)In paragraph (5), after “enactment” insert “ or the GDPR ”.
(4)After paragraph (6) insert—
“(7)In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”
379(1)Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.U.K.
(2)The existing text becomes paragraph (1).
(3)In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(4)After that paragraph insert—
“(2)In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
380U.K.In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co-operation in criminal matters).
381U.K.The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.
382U.K.In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—
(a)in paragraph (9), omit sub-paragraph (b) and the word “and” before it, and
(b)in paragraph (11), omit the definition of “processing” and “sensitive personal data” and the word “and” before it.
383U.K.In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—
(a)in paragraph (7), omit sub-paragraph (b) and the word “and” before it, and
(b)omit paragraph (8).
384(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(4)In paragraph (c) of that sub-paragraph—
(a)omit “or” at the end of sub-paragraph (i), and
(b)at the end insert “; or
(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.
(5)After paragraph (c) of that sub-paragraph insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
385U.K.The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.
386(1)Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.U.K.
(2)In paragraph (1)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)After paragraph (2) insert—
“(3)In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
387(1)Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.U.K.
(2)For paragraph (1) substitute—
“(1)Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”
(3)After paragraph (3) insert—
“(4)In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
388U.K.The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.
389(1)Regulation 2(1) (interpretation) is amended as follows.U.K.
(2)Omit the definition of “Directive 95/46/EC”.
(3)At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
390U.K.In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.
391U.K.In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.
392U.K.In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.
393U.K.In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).
394U.K.In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.
395U.K.The Scottish Parliament (Elections etc) Order 2015 is amended as follows.
396(1)Schedule 3 (absent voting) is amended as follows.U.K.
(2)In paragraph 16 (absent voting lists: supply of copies etc)—
(a)in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after sub-paragraph (10) insert—
“(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3)In paragraph 20 (restriction on use of absent voting lists)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after that sub-paragraph insert—
“(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
397(1)Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.U.K.
(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3)In paragraph 5 (restriction on use of documents or of information contained in them)—
(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b)after sub-paragraph (4) insert—
“(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
398U.K.In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.
399U.K.Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.
400(1)Paragraph 6 (disclosure to a credit reference agency) is amended as follows.U.K.
(2)In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—
“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.
(3)In sub-paragraph (c)—
(a)omit “or” at the end of paragraph (ii), and
(b)at the end insert—
“(iv)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice); or
(v)section 148 of that Act (destroying or falsifying information and documents etc);”
(4)After sub-paragraph (c) insert—
“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”
401U.K.In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—
“(b)for the purposes of ensuring that it complies with its data protection obligations.”
402U.K.In Part 3 (interpretation), after paragraph 13 insert—
“14In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—
(a)where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
403U.K.The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.
404U.K.In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.
405U.K.In regulation 3(3) (supervision), omit “under the 1998 Act”.
406U.K.For Schedule 2 substitute—
1For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 26—
(a)section 140 (publication by the Commissioner);
(b)section 141 (notices from the Commissioner);
(c)section 142 (information notices);
(d)section 143 (information notices: restrictions);
(e)section 144 (false statements made in response to an information notice);
(f)section 145 (information orders);
(g)section 146 (assessment notices);
(h)section 147 (assessment notices: restrictions);
(i)section 148 (destroying or falsifying information and documents etc);
(j)section 149 (enforcement notices);
(k)section 150 (enforcement notices: supplementary);
(l)section 152 (enforcement notices: restrictions);
(m)section 153 (enforcement notices: cancellation and variation);
(n)section 154 and Schedule 15 (powers of entry and inspection);
(o)section 155 and Schedule 16 (penalty notices);
(p)section 156(4)(a) (penalty notices: restrictions);
(q)section 157 (maximum amount of penalty);
(r)section 159 (amount of penalties: supplementary);
(s)section 160 (guidance about regulatory action);
(t)section 161 (approval of first guidance about regulatory action);
(u)section 162 (rights of appeal);
(v)section 163 (determination of appeals);
(w)section 164 (applications in respect of urgent notices);
(x)section 180 (jurisdiction);
(y)section 182(1), (2), (5), (7) and (13) (regulations and consultation);
(z)section 196 (penalties for offences);
(z1)section 197 (prosecution);
(z2)section 202 (proceedings in the First-tier Tribunal: contempt);
(z3)section 203 (Tribunal Procedure Rules).
2The provisions listed in paragraph 1 have effect as if—
(a)references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;
(b)references to a particular provision of that Act were references to that provision as applied by these Regulations.
3(1)Section 142 has effect as if subsections (9) and (10) were omitted.
(2)In that section, subsection (1) has effect as if—
(a)in paragraph (a)—
(i)for “controller or processor” there were substituted “ trust service provider ”;
(ii)for “the data protection legislation” there were substituted “ the eIDAS Regulation and the EITSET Regulations ”;
(b)paragraph (b) were omitted.
(3)In that section, subsection (2) has effect as if paragraph (a) were omitted.
4(1)Section 143 has effect as if subsections (1) and (9) were omitted.
(2)In that section—
(a)subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”;
(b)subsection (7)(a) has effect as if for “this Act” there were substituted “ section 144 or 148 or paragraph 15 of Schedule 15 ”;
(c)subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “ section 148 or paragraph 15 of Schedule 15 ”.
5Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “ section 142(2) ”.
6(1)Section 146 has effect as if subsection (11) were omitted.
(2)In that section—
(a)subsection (1) has effect as if—
(i)for “controller or processor” (in both places) there were substituted “ trust service provider ”;
(ii)for “the data protection legislation” there were substituted “ the eIDAS requirements ”;
(b)subsection (2) has effect as if paragraphs (h) and (i) were omitted;
(c)subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider.
(d)subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “ to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15 ”.
7(1)Section 147 has effect as if subsections (5) and (6) were omitted.
(2)In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.
8(1)Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.
(2)In that section—
(a)subsection (1) has effect as if—
(i)for “as described in subsection (2), (3), (4) or (5)” there were substituted “ to comply with the eIDAS requirements ”;
(ii)for “sections 150 and 151” there were substituted “ section 150 ”;
(b)subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.
9(1)Section 150 has effect as if subsection (3) were omitted.
(2)In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” and “or distress” were omitted.
10Section 152 has effect as if subsections (1), (2) and (4) were omitted.
11The provisions listed in paragraph 1 have effect as if after section 153 there were inserted—
(1)The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—
(a)the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and
(b)the condition in subsection (2) or (3) is met.
(2)The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.
(3)The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—
(a)the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and
(b)the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.
(4)A withdrawal notice must—
(a)state when the withdrawal takes effect, and
(b)provide information about the rights of appeal under section 162.”
12(1)Schedule 15 has effect as if paragraph 3 were omitted.
(2)Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—
“(a)there are reasonable grounds for suspecting that—
(i)a trust service provider has failed or is failing to comply with the eIDAS requirements, or
(ii)an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,”.
(3)Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—
(a)in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “ trust service provider ”;
(b)in sub-paragraph (2), for “the data protection legislation” there were substituted “ the eIDAS requirements ”.
(4)Paragraph 5 of that Schedule (content of warrants) has effect as if—
(a)in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “ the provision of trust services ”;
(b)in sub-paragraph (2)(d)—
(i)for “controller or processor” there were substituted “ trust service provider ”;
(ii)for “as described in section 149(2)” there were substituted “ to comply with the eIDAS requirements ”;
(c)in sub-paragraph (3)(a) and (d)—
(i)for “controller or processor” there were substituted “ trust service provider ”;
(ii)for “the data protection legislation” there were substituted “ the eIDAS requirements ”.
(5)Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.
13(1)Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.
(2)Subsection (2) of that section has effect as if—
(a)the words “Subject to subsection (4),” were omitted;
(b)in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.
(3)Subsection (3) of that section has effect as if—
(a)for “controller or processor”, in each place, there were substituted “ trust services provider ”;
(b)in paragraph (c), the words “or distress” were omitted;
(c)in paragraph (c), for “data subjects” there were substituted “ relying parties ”;
(d)in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “ Article 19(1) of the eIDAS Regulation ”.
14Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.
15Section 157 has effect as if subsections (1) to (3) and (6) were omitted.
16Section 159 has effect as if—
(a)in subsection (1), the words “Article 83 of the GDPR and” were omitted;
(b)in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.
17(1)Section 160 has effect as if subsections (5) and (12) were omitted.
(2)In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “ trust service providers ”.
18(1)Section 162 has effect as if subsection (4) were omitted.
(2)In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—
“(ca)a withdrawal notice;”.
19Section 163 has effect as if subsection (6) were omitted.
20(1)Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.
(2)Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “ subsection (4) ”.
21Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.
22(1)Section 196 has effect as if subsections (3) to (5) were omitted.
(2)In that section—
(a)subsection (1) has effect as if the words “section 119 or 173 or” were omitted;
(b)subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “ section 144 or 148 ”.
23Section 197 has effect as if subsections (3) to (6) were omitted.
24Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “ on an appeal under section 162 ”.
25Section 203 has effect as if—
(a)in subsection (1), for paragraphs (a) and (b) there were substituted “ the exercise of the rights of appeal conferred by section 162 ”;
(b)in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “ the provision of trust services ”.
26(1)This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).
(2)Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).
(3)Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.
(4)Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.
27In this Schedule—
“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;
“the EITSET Regulations” means these Regulations;
“withdrawal notice” has the meaning given in section 153A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”
407U.K.The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.
408U.K.In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018.”
409U.K.In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a)Article 5(1) of the GDPR, and
(b)section 34(1) of the Data Protection Act 2018.”
410U.K.The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.
411U.K.In regulation 3(1) (interpretation), at the appropriate places insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.
412U.K.In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a)the Data Protection Act 2018 or any other enactment, or
(b)the GDPR.”
413U.K.In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a)the Data Protection Act 2018 or any other enactment, or
(b)the GDPR.”
414U.K.For regulation 40(9)(c) (record keeping) substitute—
“(c)“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
(d)“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
415(1)Regulation 41 (data protection) is amended as follows.U.K.
(2)Omit paragraph (2).
(3)In paragraph (3)(a), after “Regulations” insert “ or the GDPR ”.
(4)Omit paragraphs (4) and (5).
(5)After those paragraphs insert—
“(6)Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—
(a)for the purposes of preventing money laundering or terrorist financing, or
(b)as permitted under paragraph (3).
(7)In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.
(8)In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).
(9)In this regulation—
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);
“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”
416(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.U.K.
(2)In paragraph (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)For paragraph (11) substitute—
“(11)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
417(1)Regulation 85 (publication: the Commissioners) is amended as follows.U.K.
(2)In paragraph (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)For paragraph (10) substitute—
“(10)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
418U.K.For regulation 106(a) (general restrictions) substitute—
“(a)a disclosure in contravention of the data protection legislation; or”.
419U.K.After paragraph 27 of Schedule 3 (relevant offences) insert—
“27AAn offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”
420(1)Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.U.K.
(2)The existing text becomes sub-paragraph (1).
(3)For paragraph (b) of that sub-paragraph substitute—
“(b)for the purposes of ensuring that it complies with its data protection obligations.”
(4)After sub-paragraph (1) insert—
“(2)In this paragraph, “data protection obligations”, in relation to a relevant institution, means—
(a)where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
421U.K.In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—
““data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);”;
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.
422U.K.The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.
423(1)Regulation 1 (citation and commencement) is amended as follows.U.K.
(2)In paragraph (2), omit “Subject to paragraph (3),”.
(3)Omit paragraph (3).
424U.K.In regulation 3(1) (interpretation)—
(a)omit the definition of “the 1998 Act”,
(b)at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c)omit the definition of “GDPR”.
425(1)Schedule 6 (other contractual terms) is amended as follows.U.K.
(2)In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—
(a)the data protection legislation, or
(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”
(3)For paragraph 64 (meaning of data controller etc.) substitute—
64AFor the purposes of this Part—
“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
“data protection officer” means a person designated as a data protection officer under the data protection legislation;
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”
(4)In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “ controllers ”.
(5)In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i)the data protection legislation, and
(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(6)In paragraph 94(4) (variation of a contract: general)—
(a)omit paragraph (b), and
(b)after paragraph (d) (but before the final “and”) insert—
“(da)the data protection legislation;
(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
426U.K.The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.
427(1)Regulation 1 (citation and commencement) is amended as follows.U.K.
(2)In paragraph (2), omit “Subject to paragraph (3),”.
(3)Omit paragraph (3).
428U.K.In regulation 3(1) (interpretation)—
(a)omit the definition of “the 1998 Act”, and
(b)at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c)omit the definition of “GDPR”.
429(1)Schedule 1 (content of agreements) is amended as follows.U.K.
(2)In paragraph 34 (interpretation)—
(a)in sub-paragraph (1)—
(i)omit “Subject to sub-paragraph (3),”,
(ii)before paragraph (a) insert—
“(za)“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
(zb)“data protection officer” means a person designated as a data protection officer under the data protection legislation;”, and
(iii)for paragraph (d) substitute—
“(e)“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”,
(b)omit sub-paragraphs (2) and (3),
(c)in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—
(a)the data protection legislation, or
(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and
(d)in sub-paragraph (6)(b), for “data controllers” substitute “ controllers ”.
(3)In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i)the data protection legislation, and
(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(4)In paragraph 61(3) (variation of agreement: general)—
(a)omit paragraph (b), and
(b)after paragraph (d) (but before the final “and”) insert—
“(da)the data protection legislation;
(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
430(1)Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.U.K.
(2)That legislation is—
(a)subordinate legislation made before the day on which this Part of this Schedule comes into force;
(b)primary legislation that is passed or made before the end of the Session in which this Act is passed.
(3)In this Part of this Schedule—
“primary legislation” has the meaning given in section 211(7);
“references” includes any references, however expressed.
431(1)References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.U.K.
(2)Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.
(3)References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by [F92the UK GDPR].
Textual Amendments
F92Words in Sch. 19 para. 431(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 100(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
432(1)References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).U.K.
(2)References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).
(3)References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).
(4)References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).
(5)References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—
(a)Article 5(1) of [F93the UK GDPR], and
(b)sections 34(1) and 85(1) of this Act.
(6)References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 122 of this Act.
(7)References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 204 of this Act.
(8)References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 205 of this Act.
Textual Amendments
F93Words in Sch. 19 para. 432(5)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 100(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
433U.K.Section 3(14) does not apply to this Schedule.
434U.K.Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.
Commencement Information
I9Sch. 19 para. 434 in force at Royal Assent for specified purposes, see s. 212(2)(f)
Section 213
1(1)In this Schedule—U.K.
“the 1984 Act” means the Data Protection Act 1984;
“the 1998 Act” means the Data Protection Act 1998;
“the 2014 Regulations” means the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141);
“data controller” has the same meaning as in the 1998 Act (see section 1 of that Act);
“the old data protection principles” means the principles set out in—
Part 1 of Schedule 1 to the 1998 Act, and
regulation 30 of the 2014 Regulations.
(2)A provision of the 1998 Act that has effect by virtue of this Schedule is not, by virtue of that, part of the data protection legislation (as defined in section 3).
2(1)The repeal of sections 7 to 9A of the 1998 Act (right of access to personal data) does not affect the application of those sections after the relevant time in a case in which a data controller received a request under section 7 of that Act (right of access to personal data) before the relevant time.U.K.
(2)The repeal of sections 7 and 8 of the 1998 Act and the revocation of regulation 44 of the 2014 Regulations (which applies those sections with modifications) do not affect the application of those sections and that regulation after the relevant time in a case in which a UK competent authority received a request under section 7 of the 1998 Act (as applied by that regulation) before the relevant time.
(3)The revocation of the relevant regulations, or their amendment by Schedule 19 to this Act, and the repeals and revocation mentioned in sub-paragraphs (1) and (2), do not affect the application of the relevant regulations after the relevant time in a case described in those sub-paragraphs.
(4)In this paragraph—
“the relevant regulations” means—
the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191);
regulation 4 of, and Schedule 1 to, the Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290);
regulation 3 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244);
“the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force;
“UK competent authority” has the same meaning as in Part 4 of the 2014 Regulations (see regulation 27 of those Regulations).
3(1)The repeal of section 10 of the 1998 Act (right to prevent processing likely to cause damage or distress) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 10 of the 1998 Act comes into force.
4(1)The repeal of section 11 of the 1998 Act (right to prevent processing for purposes of direct marketing) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 11 of the 1998 Act comes into force.
5(1)The repeal of section 12 of the 1998 Act (rights in relation to automated decision-taking) does not affect the application of that section after the relevant time in relation to a decision taken by a person before that time if—U.K.
(a)in taking the decision the person failed to comply with section 12(1) of the 1998 Act, or
(b)at the relevant time—
(i)the person had not taken all of the steps required under section 12(2) or (3) of the 1998 Act, or
(ii)the period specified in section 12(2)(b) of the 1998 Act (for an individual to require a person to reconsider a decision) had not expired.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 12 of the 1998 Act comes into force.
6(1)The repeal of section 13 of the 1998 Act (compensation for failure to comply with certain requirements) does not affect the application of that section after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.U.K.
(2)The revocation of regulation 45 of the 2014 Regulations (right to compensation) does not affect the application of that regulation after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.
(3)“The relevant time” means—
(a)in sub-paragraph (1), the time when the repeal of section 13 of the 1998 Act comes into force;
(b)in sub-paragraph (2), the time when the revocation of regulation 45 of the 2014 Regulation comes into force.
7(1)The repeal of section 14(1) to (3) and (6) of the 1998 Act (rectification, blocking, erasure and destruction of inaccurate personal data) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (1) of that section before the relevant time.U.K.
(2)The repeal of section 14(4) to (6) of the 1998 Act (rectification, blocking, erasure and destruction: risk of further contravention in circumstances entitling data subject to compensation under section 13 of the 1998 Act) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (4) of that section before the relevant time.
(3)In this paragraph, “the relevant time” means the time when the repeal of section 14 of the 1998 Act comes into force.
8U.K.The repeal of section 15 of the 1998 Act (jurisdiction and procedure) does not affect the application of that section in connection with sections 7 to 14 of the 1998 Act as they have effect by virtue of this Schedule.
9(1)The repeal of Part 4 of the 1998 Act (exemptions) does not affect the application of that Part after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect after that time by virtue of paragraphs 2 to 7 of this Schedule.U.K.
(2)The revocation of the relevant Orders, and the repeal mentioned in sub-paragraph (1), do not affect the application of the relevant Orders after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect as described in sub-paragraph (1).
(3)In this paragraph—
“the relevant Orders” means—
the Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184);
the Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413);
the Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414);
the Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415);
the Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416);
Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419);
Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864);
“the relevant time” means the time when the repeal of the provision of Part 2 of the 1998 Act in question comes into force.
(4)As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.
10(1)In Schedule 18 to this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.U.K.
(2)In section 184 of this Act, references to a “relevant record” include a record which does not fall within the definition in Schedule 18 to this Act (read with sub-paragraph (1)) but which, immediately before the relevant time, was a “relevant record” for the purposes of section 56 of the 1998 Act.
(3)In this paragraph, “the relevant time” means the time when the repeal of section 56 of the 1998 Act comes into force.
11U.K.In section 185 of this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.
Textual Amendments
F94Words in Sch. 20 Pt. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F95Words in Sch. 20 para. 12 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
12U.K.In paragraph 20(2) of Schedule 2 to this Act (self-incrimination), the reference to an offence under this Act includes an offence under the 1998 Act or the 1984 Act.
13U.K.Until the first regulations under section 24(8) of this Act come into force, “the appropriate maximum” for the purposes of that section is—
(a)where the controller is a public authority listed in Part 1 of Schedule 1 to the Freedom of Information Act 2000, £600, and
(b)otherwise, £450.
14(1)In relation to an automated processing system set up before 6 May 2016, subsections (1) to (3) of section 62 of this Act do not apply if and to the extent that compliance with them would involve disproportionate effort.U.K.
(2)Sub-paragraph (1) ceases to have effect at the beginning of 6 May 2023.
15U.K.Nothing in this Schedule, read with the revocation of regulation 50 of the 2014 Regulations, has the effect of applying a provision of the 1998 Act to the processing of personal data to which Part 4 of the 2014 Regulations applies in a case in which that provision did not apply before the revocation of that regulation.
16U.K.Until the first regulations under section 94(4)(b) of this Act come into force, the maximum amount of a fee that may be required by a controller under that section is £10.
17(1)The repeal of section 28(2) to (12) of the 1998 Act does not affect the application of those provisions after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.U.K.
(2)A certificate issued under section 28(2) of the 1998 Act continues to have effect after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.
(3)Where a certificate continues to have effect under sub-paragraph (2) after the relevant time, it may be revoked or quashed in accordance with section 28 of the 1998 Act after the relevant time.
(4)In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.
18(1)This paragraph applies to a certificate issued under section 28(2) of the 1998 Act (an “old certificate”) which has effect immediately before the relevant time.U.K.
(2)If and to the extent that the old certificate provides protection with respect to personal data which corresponds to protection that could be provided by a certificate issued under section 27, 79 or 111 of this Act, the old certificate also has effect to that extent after the relevant time as if—
(a)it were a certificate issued under one or more of sections 27, 79 and 111 (as the case may be),
(b)it provided protection in respect of that personal data in relation to the corresponding provisions of this Act or the [F96UK GDPR], and
(c)where it has effect as a certificate issued under section 79, it certified that each restriction in question is a necessary and proportionate measure to protect national security.
(3)Where an old certificate also has effect as if it were a certificate issued under one or more of sections 27, 79 and 111, that section has, or those sections have, effect accordingly in relation to the certificate.
(4)Where an old certificate has an extended effect because of sub-paragraph (2), section 130 of this Act does not apply in relation to it.
(5)An old certificate that has an extended effect because of sub-paragraph (2) provides protection only with respect to the processing of personal data that occurs during the period of 1 year beginning with the relevant time (and a Minister of the Crown may curtail that protection by wholly or partly revoking the old certificate).
(6)For the purposes of this paragraph—
(a)a reference to the protection provided by a certificate issued under—
(i)section 28(2) of the 1998 Act, or
(ii)section 27, 79 or 111 of this Act,
is a reference to the effect of the evidence that is provided by the certificate;
(b)protection provided by a certificate under section 28(2) of the 1998 Act is to be regarded as corresponding to protection that could be provided by a certificate under section 27, 79 or 111 of this Act where, in respect of provision in the 1998 Act to which the certificate under section 28(2) relates, there is corresponding provision in this Act or the [F97UK GDPR] to which a certificate under section 27, 79 or 111 could relate.
(7)In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.
[F98(8)In this paragraph, references to the UK GDPR do not include the EU GDPR as it was directly applicable to the United Kingdom before IP completion day (see paragraph 2 of Schedule 21).]
Textual Amendments
F96Words in Sch. 20 para. 18(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F97Words in Sch. 20 para. 18(6)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F98Sch. 20 para. 18(8) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(4)(b) (with reg. 5) (as amended by S.I. 2020/1586, regs. 1(2), 5(3)); 2020 c. 1, Sch. 5 para. 1(1)
19(1)On and after the relevant day, the individual who was the Commissioner immediately before that day—U.K.
(a)continues to be the Commissioner,
(b)is to be treated as having been appointed under Schedule 12 to this Act, and
(c)holds office for the period—
(i)beginning with the relevant day, and
(ii)lasting for 7 years less a period equal to the individual's pre-commencement term.
(2)On and after the relevant day, a resolution passed by the House of Commons for the purposes of paragraph 3 of Schedule 5 to the 1998 Act (salary and pension of Commissioner), and not superseded before that day, is to be treated as having been passed for the purposes of paragraph 4 of Schedule 12 to this Act.
(3)In this paragraph—
“pre-commencement term”, in relation to an individual, means the period during which the individual was the Commissioner before the relevant day;
“the relevant day” means the day on which Schedule 12 to this Act comes into force.
20(1)The repeal of paragraph 10 of Schedule 5 to the 1998 Act does not affect the duties of the Commissioner and the Comptroller and Auditor General under that paragraph in respect of the Commissioner's statement of account for the financial year beginning with 1 April 2017.U.K.
(2)The Commissioner's duty under paragraph 11 of Schedule 12 to this Act to prepare a statement of account for each financial year includes a duty to do so for the financial year beginning with 1 April 2018.
21(1)The repeal of section 52(1) of the 1998 Act (annual report) does not affect the Commissioner's duty under that subsection to produce a general report on the exercise of the Commissioner's functions under the 1998 Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.U.K.
(2)The repeal of section 49 of the Freedom of Information Act 2000 (annual report) does not affect the Commissioner's duty under that section to produce a general report on the exercise of the Commissioner's functions under that Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
(3)The first report produced by the Commissioner under section 139 of this Act must relate to the period of 1 year beginning with 1 April 2018.
22(1)The repeal of Schedule 5 to the 1998 Act (Information Commissioner) does not affect the application of paragraph 9 of that Schedule after the relevant time to amounts received by the Commissioner before the relevant time.U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of Schedule 5 to the 1998 Act comes into force.
23U.K.Paragraph 10 of Schedule 12 to this Act applies only to amounts received by the Commissioner after the time when that Schedule comes into force.
24(1)The repeal of section 54(2) of the 1998 Act (functions to be discharged by the Commissioner for the purposes of Article 13 of the Data Protection Convention), and the revocation of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186), do not affect the application of articles 1 to 5 of that Order after the relevant time in relation to a request described in those articles which was made before that time.U.K.
(2)The references in paragraph 9 of Schedule 14 to this Act (Data Protection Convention: restrictions on use of information) to requests made or received by the Commissioner under paragraph 6 or 7 of that Schedule include a request made or received by the Commissioner under article 3 or 4 of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186).
(3)The repeal of section 54(7) of the 1998 Act (duty to notify the European Commission of certain approvals and authorisations) does not affect the application of that provision after the relevant time in relation to an approval or authorisation granted before the relevant time.
(4)In this paragraph, “the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force.
25(1)The repeal of section 54(3) of the 1998 Act (co-operation by the Commissioner with the European Commission etc), and the revocation of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190), do not affect the application of articles 1 to 4 of that Order after the relevant time in relation to transfers that took place before the relevant time.U.K.
(2)In this paragraph—
“the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force;
“transfer” has the meaning given in article 2 of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190).
26(1)The Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480) have effect after the relevant time (until revoked) as if they were made under section 137 of this Act.U.K.
(2)In this paragraph, “the relevant time” means the time when section 137 of this Act comes into force.
27(1)The repeal of section 42 of the 1998 Act (requests for assessment) does not affect the application of that section after the relevant time in a case in which the Commissioner received a request under that section before the relevant time, subject to sub-paragraph (2).U.K.
(2)The Commissioner is only required to make an assessment of acts and omissions that took place before the relevant time.
(3)In this paragraph, “the relevant time” means the time when the repeal of section 42 of the 1998 Act comes into force.
28(1)The repeal of section 52E of the 1998 Act (effect of codes of practice) does not affect the application of that section after the relevant time in relation to legal proceedings or to the exercise of the Commissioner's functions under the 1998 Act as it has effect by virtue of this Schedule.U.K.
(2)In section 52E of the 1998 Act, as it has effect by virtue of this paragraph, the references to the 1998 Act include that Act as it has effect by virtue of this Schedule.
(3)For the purposes of subsection (3) of that section, as it has effect by virtue of this paragraph, the data-sharing code and direct marketing code in force immediately before the relevant time are to be treated as having continued in force after that time.
(4)In this paragraph—
“the data-sharing code” and “the direct marketing code” mean the codes respectively prepared under sections 52A and 52AA of the 1998 Act and issued under section 52B(5) of that Act;
“the relevant time” means the time when the repeal of section 52E of the 1998 Act comes into force.
29(1)In this Part of this Schedule, references to contravention of the sixth data protection principle sections are to relevant contravention of any of sections 7, 10, 11 or 12 of the 1998 Act, as they continue to have effect by virtue of this Schedule after their repeal (and references to compliance with the sixth data protection principle sections are to be read accordingly).U.K.
(2)In sub-paragraph (1), “relevant contravention” means contravention in a manner described in paragraph 8 of Part 2 of Schedule 1 to the 1998 Act (sixth data protection principle).
30(1)The repeal of section 43 of the 1998 Act (information notices) does not affect the application of that section after the relevant time in a case in which—U.K.
(a)the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or
(b)the Commissioner requires information after the relevant time for the purposes of—
(i)responding to a request made under section 42 of the 1998 Act before that time,
(ii)determining whether a data controller complied with the old data protection principles before that time, or
(iii)determining whether a data controller complied with the sixth data protection principle sections after that time.
(2)In section 43 of the 1998 Act, as it has effect by virtue of this paragraph—
(a)the reference to an offence under section 47 of the 1998 Act includes an offence under section 144 of this Act, and
(b)the references to an offence under the 1998 Act include an offence under this Act.
(3)In this paragraph, “the relevant time” means the time when the repeal of section 43 of the 1998 Act comes into force.
31(1)The repeal of section 44 of the 1998 Act (special information notices) does not affect the application of that section after the relevant time in a case in which—U.K.
(a)the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or
(b)the Commissioner requires information after the relevant time for the purposes of—
(i)responding to a request made under section 42 of the 1998 Act before that time, or
(ii)ascertaining whether section 44(2)(a) or (b) of the 1998 Act was satisfied before that time.
(2)In section 44 of the 1998 Act, as it has effect by virtue of this paragraph—
(a)the reference to an offence under section 47 of the 1998 Act includes an offence under section 144 of this Act, and
(b)the references to an offence under the 1998 Act include an offence under this Act.
(3)In this paragraph, “the relevant time” means the time when the repeal of section 44 of the 1998 Act comes into force.
32(1)The repeal of sections 41A and 41B of the 1998 Act (assessment notices) does not affect the application of those sections after the relevant time in a case in which—U.K.
(a)the Commissioner served a notice under section 41A of the 1998 Act before the relevant time (and did not cancel it before that time), or
(b)the Commissioner considers it appropriate, after the relevant time, to investigate—
(i)whether a data controller complied with the old data protection principles before that time, or
(ii)whether a data controller complied with the sixth data protection principle sections after that time.
(2)The revocation of the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282), and the repeals mentioned in sub-paragraph (1), do not affect the application of that Order in a case described in sub-paragraph (1).
(3)Sub-paragraph (1) does not enable the Secretary of State, after the relevant time, to make an order under section 41A(2)(b) or (c) of the 1998 Act (data controllers on whom an assessment notice may be served) designating a public authority or person for the purposes of that section.
(4)Section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1), has effect as if subsections (8) and (11) (duty to review designation orders) were omitted.
(5)The repeal of section 41C of the 1998 Act (code of practice about assessment notice) does not affect the application, after the relevant time, of the code issued under that section and in force immediately before the relevant time in relation to the exercise of the Commissioner's functions under and in connection with section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1).
(6)In this paragraph, “the relevant time” means the time when the repeal of section 41A of the 1998 Act comes into force.
33(1)The repeal of sections 40 and 41 of the 1998 Act (enforcement notices) does not affect the application of those sections after the relevant time in a case in which—U.K.
(a)the Commissioner served a notice under section 40 of the 1998 Act before the relevant time (and did not cancel it before that time), or
(b)the Commissioner is satisfied, after that time, that a data controller —
(i)contravened the old data protection principles before that time, or
(ii)contravened the sixth data protection principle sections after that time.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 40 of the 1998 Act comes into force.
34(1)The repeal of section 45 of the 1998 Act (determination by Commissioner as to the special purposes) does not affect the application of that section after the relevant time in a case in which—U.K.
(a)the Commissioner made a determination under that section before the relevant time, or
(b)the Commissioner considers it appropriate, after the relevant time, to make a determination under that section.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 45 of the 1998 Act comes into force.
35(1)The repeal of section 46 of the 1998 Act (restriction on enforcement in case of processing for the special purposes) does not affect the application of that section after the relevant time in relation to an enforcement notice or information notice served under the 1998 Act—U.K.
(a)before the relevant time, or
(b)after the relevant time in reliance on this Schedule.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 46 of the 1998 Act comes into force.
36(1)The repeal of sections 47, 60 and 61 of the 1998 Act (offences of failing to comply with certain notices and of providing false information etc in response to a notice) does not affect the application of those sections after the relevant time in connection with an information notice, special information notice or enforcement notice served under Part 5 of the 1998 Act—U.K.
(a)before the relevant time, or
(b)after that time in reliance on this Schedule.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 47 of the 1998 Act comes into force.
37(1)The repeal of sections 50, 60 and 61 of, and Schedule 9 to, the 1998 Act (powers of entry) does not affect the application of those provisions after the relevant time in a case in which—U.K.
(a)a warrant issued under that Schedule was in force immediately before the relevant time,
(b)before the relevant time, the Commissioner supplied information on oath for the purposes of obtaining a warrant under that Schedule but that had not been considered by a circuit judge or a District Judge (Magistrates' Courts), or
(c)after the relevant time, the Commissioner supplies information on oath to a circuit judge or a District Judge (Magistrates' Courts) in respect of—
(i)a contravention of the old data protection principles before the relevant time;
(ii)a contravention of the sixth data protection principle sections after the relevant time;
(iii)the commission of an offence under a provision of the 1998 Act (including as the provision has effect by virtue of this Schedule);
(iv)a failure to comply with a requirement imposed by an assessment notice issued under section 41A the 1998 Act (including as it has effect by virtue of this Schedule).
(2)In paragraph 16 of Schedule 9 to the 1998 Act, as it has effect by virtue of this paragraph, the reference to an offence under paragraph 12 of that Schedule includes an offence under paragraph 15 of Schedule 15 to this Act.
(3)In this paragraph, “the relevant time” means the time when the repeal of Schedule 9 to the 1998 Act comes into force.
(4)Paragraphs 14 and 15 of Schedule 9 to the 1998 Act (application of that Schedule to Scotland and Northern Ireland) apply for the purposes of this paragraph as they apply for the purposes of that Schedule.
38(1)The repeal of sections 55A, 55B, 55D and 55E of the 1998 Act (monetary penalties) does not affect the application of those provisions after the relevant time in a case in which—U.K.
(a)the Commissioner served a monetary penalty notice under section 55A of the 1998 Act before the relevant time,
(b)the Commissioner served a notice of intent under section 55B of the 1998 Act before the relevant time, or
(c)the Commissioner considers it appropriate, after the relevant time, to serve a notice mentioned in paragraph (a) or (b) in respect of—
(i)a contravention of section 4(4) of the 1998 Act before the relevant time, or
(ii)a contravention of the sixth data protection principle sections after the relevant time.
(2)The revocation of the relevant subordinate legislation, and the repeals mentioned in sub-paragraph (1), do not affect the application of the relevant subordinate legislation (or of provisions of the 1998 Act applied by them) after the relevant time in a case described in sub-paragraph (1).
(3)Guidance issued under section 55C of the 1998 Act (guidance about monetary penalty notices) which is in force immediately before the relevant time continues in force after that time for the purposes of the Commissioner's exercise of functions under sections 55A and 55B of the 1998 Act as they have effect by virtue of this paragraph.
(4)In this paragraph—
“the relevant subordinate legislation” means—
the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31);
the Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910);
“the relevant time” means the time when the repeal of section 55A of the 1998 Act comes into force.
39(1)The repeal of sections 48 and 49 of the 1998 Act (appeals) does not affect the application of those sections after the relevant time in relation to a notice served under the 1998 Act or a determination made under section 45 of that Act—U.K.
(a)before the relevant time, or
(b)after that time in reliance on this Schedule.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 48 of the 1998 Act comes into force.
40(1)The repeal of section 28 of the 1998 Act (national security) does not affect the application of that section after the relevant time for the purposes of a provision of Part 5 of the 1998 Act as it has effect after that time by virtue of the preceding paragraphs of this Part of this Schedule.U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of the provision of Part 5 of the 1998 Act in question comes into force.
(3)As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.
41(1)The repeal of paragraph 7 of Schedule 6 to the 1998 Act (Tribunal Procedure Rules) does not affect the application of that paragraph, or of rules made under that paragraph, after the relevant time in relation to the exercise of rights of appeal conferred by section 28 or 48 of the 1998 Act, as they have effect by virtue of this Schedule.U.K.
(2)Part 3 of Schedule 19 to this Act does not apply for the purposes of Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act as they apply, after the relevant time, in relation to the exercise of rights of appeal described in sub-paragraph (1).
(3)In this paragraph, “the relevant time” means the time when the repeal of paragraph 7 of Schedule 6 to the 1998 Act comes into force.
42(1)The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission in relation to proceedings under the 1998 Act (including as it has effect by virtue of this Schedule).U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.
43(1)The references in the preceding paragraphs of this Part of this Schedule to provisions of the 1998 Act include those provisions as applied, with modifications, by regulation 51 of the 2014 Regulations (other functions of the Commissioner).U.K.
(2)The revocation of regulation 51 of the 2014 Regulations does not affect the application of those provisions of the 1998 Act (as so applied) as described in those paragraphs.
44U.K.In section 143 of this Act—
(a)the reference to an offence under section 144 of this Act includes an offence under section 47 of the 1998 Act (including as it has effect by virtue of this Schedule), and
(b)the references to an offence under this Act include an offence under the 1998 Act (including as it has effect by virtue of this Schedule) or the 1984 Act.
45U.K.In paragraph 16 of Schedule 15 to this Act (powers of entry: self-incrimination), the reference to an offence under paragraph 15 of that Schedule includes an offence under paragraph 12 of Schedule 9 to the 1998 Act (including as it has effect by virtue of this Schedule).
46(1)Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act (appeal rights under the 1998 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 203 of this Act.U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(a) of Schedule 6 to the 1998 Act comes into force.
47(1)The following provisions (as amended by Schedule 19 to this Act) have effect after the relevant time as if the matters they refer to included a matter in respect of which the Commissioner could exercise a power conferred by a provision of Part 5 of the 1998 Act, as it has effect by virtue of this Schedule—U.K.
(a)section 11AA(1)(a) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner);
(b)sections 33A(1)(a) and 34O(1)(a) of the Local Government Act 1974 (disclosure of information by Local Commissioner);
(c)section 18A(1)(a) of the Health Service Commissioners Act 1993 (disclosure of information by Health Service Commissioner);
(d)paragraph 1 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11) (disclosure of information by the Ombudsman);
(e)section 34X(3)(a) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);
(f)section 18(6)(a) of the Commissioner for Older People (Wales) Act 2006 (disclosure of information by the Commissioner);
(g)section 22(3)(a) of the Welsh Language (Wales) Measure 2011 (nawm 1) (disclosure of information by the Welsh Language Commissioner);
(h)section 49(3)(a) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))(disclosure of information by the Ombudsman);
(i)section 44(3)(a) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)) (disclosure of information by the Prison Ombudsman for Northern Ireland).
(2)The following provisions (as amended by Schedule 19 to this Act) have effect after the relevant time as if the offences they refer to included an offence under any provision of the 1998 Act other than paragraph 12 of Schedule 9 to that Act (obstruction of execution of warrant)—
(a)section 11AA(1)(b) of the Parliamentary Commissioner Act 1967;
(b)sections 33A(1)(b) and 34O(1)(b) of the Local Government Act 1974;
(c)section 18A(1)(b) of the Health Service Commissioners Act 1993;
(d)paragraph 2 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11);
(e)section 34X(5) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);
(f)section 18(8) of the Commissioner for Older People (Wales) Act 2006;
(g)section 22(5) of the Welsh Language (Wales) Measure 2011 (nawm 1);
(h)section 49(5) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.));
(i)section 44(3)(b) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)).
(3)In this paragraph, “the relevant time”, in relation to a provision of a section or Schedule listed in sub-paragraph (1) or (2), means the time when the amendment of the section or Schedule by Schedule 19 to this Act comes into force.
48(1)This paragraph applies in relation to the code of practice issued under each of the following provisions—U.K.
(a)section 19AC of the Registration Service Act 1953 (code of practice about disclosure of information by civil registration officials);
(b)section 43 of the Digital Economy Act 2017 (code of practice about disclosure of information to improve public service delivery);
(c)section 52 of that Act (code of practice about disclosure of information to reduce debt owed to the public sector);
(d)section 60 of that Act (code of practice about disclosure of information to combat fraud against the public sector);
(e)section 70 of that Act (code of practice about disclosure of information for research purposes).
(2)During the relevant period, the code of practice does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 125(4) of this Act (as altered or replaced from time to time).
(3)In this paragraph, “the relevant period”, in relation to a code issued under a section mentioned in sub-paragraph (1), means the period—
(a)beginning when the amendments of that section in Schedule 19 to this Act come into force, and
(b)ending when the code is first reissued under that section.
49(1)This paragraph applies in relation to the original statement published under section 45E of the Statistics and Registration Service Act 2007 (statement of principles and procedures in connection with access to information by the Statistics Board).U.K.
(2)During the relevant period, the statement does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 125(4) of this Act (as altered or replaced from time to time).
(3)In this paragraph, “the relevant period” means the period—
(a)beginning when the amendments of section 45E of the Statistics and Registration Service Act 2007 in Schedule 19 to this Act come into force, and
(b)ending when the first revised statement is published under that section.
50U.K.In section 159(1)(a) of the Consumer Credit Act 1974 (correction of wrong information) (as amended by Schedule 19 to this Act), the reference to information given under Article 15(1) to (3) of the [F99UK GDPR] includes information given at any time under section 7 of the 1998 Act.
Textual Amendments
F99Words in Sch. 20 para. 50 substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 101(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
51U.K.Paragraphs 52 to 55 make provision about the Freedom of Information Act 2000 (“the 2000 Act”).
52(1)This paragraph applies where a request for information was made to a public authority under the 2000 Act before the relevant time.U.K.
(2)To the extent that the request is dealt with after the relevant time, the amendments of sections 2 and 40 of the 2000 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2000 Act.
(3)To the extent that the request was dealt with before the relevant time—
(a)the amendments of sections 2 and 40 of the 2000 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2000 Act, but
(b)the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2000 Act as amended by Schedule 19 to this Act.
(4)In this paragraph—
“public authority” has the same meaning as in the 2000 Act;
“the relevant time” means the time when the amendments of sections 2 and 40 of the 2000 Act in Schedule 19 to this Act come into force.
53(1)Tribunal Procedure Rules made under paragraph 7(1)(b) of Schedule 6 to the 1998 Act (appeal rights under the 2000 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 61 of the 2000 Act (as inserted by Schedule 19 to this Act).U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(b) of Schedule 6 to the 1998 Act comes into force.
54(1)The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission before that time in relation to an appeal under the 2000 Act.U.K.
(2)In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.
55(1)The amendment of section 77 of the 2000 Act in Schedule 19 to this Act (offence of altering etc record with intent to prevent disclosure: omission of reference to section 7 of the 1998 Act) does not affect the application of that section after the relevant time in relation to a case in which—U.K.
(a)the request for information mentioned in section 77(1) of the 2000 Act was made before the relevant time, and
(b)when the request was made, section 77(1)(b) of the 2000 Act was satisfied by virtue of section 7 of the 1998 Act.
(2)In this paragraph, “the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force.
56(1)This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 (“the 2002 Act”) before the relevant time.U.K.
(2)To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.
(3)To the extent that the request was dealt with before the relevant time—
(a)the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2002 Act, but
(b)the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.
(4)In this paragraph—
“Scottish public authority” has the same meaning as in the 2002 Act;
“the relevant time” means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.
57U.K.Until the first regulations under Article 5(4)(a) of the Access to Health Records (Northern Ireland) Order 1993 (as amended by Schedule 19 to this Act) come into force, the maximum amount of a fee that may be required for giving access under that Article is £10.
58(1)The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the PECR 2003”) (see regulations 2, 31 and 31B of, and Schedule 1 to, those Regulations).U.K.
(2)Where subordinate legislation made under a provision of the 1998 Act is in force immediately before the repeal of that provision, neither the revocation of the subordinate legislation nor the repeal of the provision of the 1998 Act affect the application of the subordinate legislation for the purposes of the PECR 2003 after that time.
(3)Part 3 of Schedule 19 to this Act (modifications) does not have effect in relation to the PECR 2003.
(4)Part 7 of this Schedule does not have effect in relation to the provisions of the 1998 Act as applied by the PECR 2003.
59U.K.Part 3 of Schedule 19 to this Act (modifications) does not have effect in relation to the reference to an accessible record within the meaning of section 68 of the 1998 Act in Article 43 of the Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003.
60(1)This paragraph applies where a request for information was made to a public authority under the Environmental Information Regulations 2004 (“the 2004 Regulations”) before the relevant time.U.K.
(2)To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Parts 2 and 3 of those Regulations.
(3)To the extent that the request was dealt with before the relevant time—
(a)the amendments of the 2004 Regulations in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Parts 2 and 3 of those Regulations, but
(b)the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with Parts 2 and 3 of those Regulations as amended by Schedule 19 to this Act.
(4)In this paragraph—
“public authority” has the same meaning as in the 2004 Regulations;
“the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 19 to this Act come into force.
61(1)This paragraph applies where a request for information was made to a Scottish public authority under the Environmental Information (Scotland) Regulations 2004 (“the 2004 Regulations”) before the relevant time.U.K.
(2)To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with those Regulations.
(3)To the extent that the request was dealt with before the relevant time—
(a)the amendments of the 2004 Regulations in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with those Regulations, but
(b)the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with those Regulations as amended by Schedule 19 to this Act.
(4)In this paragraph—
“Scottish public authority” has the same meaning as in the 2004 Regulations;
“the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 19 to this Act come into force.
Section 213
Textual Amendments
F100Sch. 21 inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 102 (with reg. 5, Sch. 3 para. 111(6)) (as amended by S.I. 2020/1586, regs. 1(2), 5(4)); 2020 c. 1, Sch. 5 para. 1(1)
1In this Schedule, “the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 before IP completion day.
2(1)On and after IP completion day, references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—
(a)the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, read with Chapter 2 of Part 2 of this Act as it had effect before IP completion day, and
(b)the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before IP completion day.
(2)On and after IP completion day, references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before IP completion day.
(3)Sub-paragraphs (1) and (2) have effect—
(a)in relation to references in this Act, except as otherwise provided;
(b)in relation to references in other enactments, unless the context otherwise requires.
3(1)Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, the applied GDPR or this Act—U.K.
(a)if in force or effective immediately before IP completion day, continues to be in force or effective on and after IP completion day, and
(b)if in the process of being done immediately before IP completion day, continues to be done on and after IP completion day.
(2)References in this paragraph to anything done include references to anything omitted to be done.
4(1)On and after IP completion day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—
(a)in the case of a third country, the country or a relevant territory or sector within the country, or
(b)in the case of an international organisation, the organisation.
(2)Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).
(3)The Secretary of State may by regulations—
(a)repeal sub-paragraphs (1) and (2) and paragraph 5;
(b)amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
(c)amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).
(4)Regulations under this paragraph may, among other things——
(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
(b)confer a discretion on a person.
(5)Regulations under this paragraph are subject to the negative resolution procedure.
(6)Sub-paragraphs (1) and (2) have effect in addition to section 17A(2) and (3).
5(1)The following are specified for the purposes of paragraph 4(1)—U.K.
(a)an EEA state;
(b)Gibraltar;
(c)a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;
(d)an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;
(e)a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before IP completion day, had been repealed or was suspended;
(f)a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before IP completion day, had been repealed or was suspended.
(2)The decisions mentioned in sub-paragraph (1)(e) are the following—
(a)Commission Decision 2000/518/EC of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;
(b)Commission Decision 2002/2/EC of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;
(c)Commission Decision 2003/490/EC of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;
(d)Commission Decision 2003/821/EC of 21st November 2003 on the adequate protection of personal data in Guernsey;
(e)Commission Decision 2004/411/EC of 28th April 2004 on the adequate protection of personal data in the Isle of Man;
(f)Commission Decision 2008/393/EC of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;
(g)Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;
(h)Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;
(i)Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;
(j)Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;
(k)Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;
(m)Commission Implementing Decision (EU) 2019/419 of 23rd January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information.
(3)Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).
(4)The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (5) and (6).
(5)For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
(6)For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—
(a)transfers from the European Union (or the European Community) or the European Economic Area, or
(b)transfers to which the EU GDPR applies,
it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).
6(1)In the provisions listed in sub-paragraph (2)—U.K.
(a)references to regulations made under section 17A (other than references to making such regulations) include the provision made in paragraph 5;
(b)references to the revocation of such regulations include the repeal of all or part of paragraph 5.
(2)Those provisions are—
(a)Articles 13(1)(f), 14(1)(f), 45(1) and (7), 46(1) and 49(1) of the UK GDPR;
(b)sections 17B(1), (3), (6) and (7) and 18(2) of this Act.
7(1)Subject to paragraph 8, the appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described in this paragraph.
(2)The safeguards may be provided for by any standard data protection clauses included in an arrangement which, if the arrangement had been entered into immediately before IP completion day, would have provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.
(3)The safeguards may be provided for by a version of standard data protection clauses described in sub-paragraph (2) incorporating changes where—
(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
(b)none of the changes alters the effect of the clauses.
(4)The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
(5)In the case of a transfer of personal data made under arrangements entered into before IP completion day, the safeguards may be provided for on and after IP completion day by standard data protection clauses not falling within sub-paragraph (2) which—
(a)formed part of the arrangements immediately before IP completion day, and
(b)at that time, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.
(6)The Secretary of State and the Commissioner must keep the operation of this paragraph under review.
(7)In this paragraph, “adequacy decision” means a decision made on the basis of—
(a)Article 45(3) of the EU GDPR, or
(b)Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
(8)This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.
8(1)Paragraph 7 does not apply to the extent that it has been disapplied by—U.K.
(a)regulations made by the Secretary of State, or
(b)a document issued by the Commissioner.
(2)Regulations under this paragraph are subject to the negative resolution procedure.
(3)Subsections (3) to (8) and (10) to (12) of section 119A apply in relation to a document issued by the Commissioner under this paragraph as they apply to a document issued by the Commissioner under section 119A(2).
9(1)The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).
(2)The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.
(3)The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—
(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
(b)none of the changes alters the effect of the rules.
(4)The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
(5)Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).
(5A)For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—
(a)a valid notification of the rules has been made to the Commissioner,
(b)the Commissioner has approved them, and
(c)that approval has not been withdrawn.
(5B)A notification is valid if it—
(a)is made by a controller or processor established in the United Kingdom,
(b)is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and
(c)includes—
(i)the name and contact details of the data protection officer or other contact point for the controller or processor, and
(ii)such other information as the Commissioner may reasonably require.
(5C)Where a valid notification is made the Commissioner must, without undue delay—
(a)decide whether or not to approve the rules, and
(b)notify the controller or processor of that decision.
(6)The Commissioner must keep the operation of this paragraph under review.
(7)In this paragraph—
“adequacy decision” means a decision made on the basis of—
Article 45(3) of the EU GDPR, or
Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
“binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.
(8)This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.
10(1)On and after IP completion day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—
(a)in the case of a third country, the country or a relevant territory or sector within the country, or
(b)in the case of an international organisation, the organisation.
(2)Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).
(3)The Secretary of State may by regulations—
(a)repeal sub-paragraphs (1) and (2) and paragraph 11;
(b)amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
(c)amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).
(4)Regulations under this paragraph may, among other things—
(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
(b)confer a discretion on a person.
(5)Regulations under this paragraph are subject to the negative resolution procedure.
(6)Sub-paragraphs (1) and (2) have effect in addition to section 74A(2) and (3).
11(1)The following are specified for the purposes of paragraph 10(1)—U.K.
(a) an EEA state;
(aa)Switzerland;
(b)Gibraltar;
(c)a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before IP completion day, had been repealed or was suspended.
(2)Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).
(3)The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (4) and (5).
(4)For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
(5)For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—
(a)transfers from the European Union (or the European Community) or the European Economic Area, or
(b)transfers to which the Law Enforcement Directive applies,
it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).
12U.K.In section 74B(1), (3), (6) and (7)—
(a)references to regulations made under section 74A (other than references to making such regulations) include the provision made in paragraph 11;
(b)references to the revocation of such regulations include the repeal of all or part of paragraph 11.
13(1)Regulations made under section 23 before IP completion day continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
(2)The provisions listed in section 186(3) include regulations made under section 23 before IP completion day (and not revoked).
(3)Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.
14(1)This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before IP completion day.
(2)A reference in the certificate to a provision of the applied GDPR has effect, on and after IP completion day, as it if were a reference to the corresponding provision of the UK GDPR or this Act.
15The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after IP completion day.
16In relation to an infringement, before IP completion day, of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—
(a)Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted “ 20 million Euros ”;
(b)Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted “ 10 million Euros ”;
(c)the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.
17(1)This paragraph applies where—
(a)proceedings are brought against a decision made by the Commissioner before IP completion day, and
(b)the Commissioner's decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.
(2)The Commissioner must forward the Board's opinion or decision to the court or tribunal dealing with the proceedings.]
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: