Reform history
Data Protection Act 2018
32 versions · 2018-05-23
- 2026-04-07
- 2026-03-31
- 2026-03-10
- 2026-01-29
- 2025-08-19
- 2025-06-19
- 2025-04-01
- 2024-12-13
- 2024-03-08
- 2024-01-01
- 2023-12-31
- 2023-12-26
- 2023-05-05
- 2023-02-01
- 2022-11-30
- 2022-07-30
- 2022-03-18
- 2022-01-31
- 2021-12-17
- 2021-12-15
- 2021-01-28
- 2020-12-31
- 2020-09-30
- 2020-02-14
- 2019-12-02
- 2019-09-16
- 2019-07-21
- 2019-05-23
- 2019-03-29
- 2018-07-23
- 2018-05-25
Changes on 2018-05-25
@@ -28,7 +28,7 @@
- (1) The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
- (a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
- (a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,
- (b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
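Review bot: The two (a) lines in this hunk differ only in the apostrophe of "data subject's" (typographic in the first line, ASCII in the second), so this is a character-encoding difference and not a change to the wording of the provision. Normalise apostrophes on both sides before comparing versions so that rendering differences are not listed under "Changes on 2018-05-25"; as it stands the apostrophes become ASCII while the curly double quotation marks in later hunks stay typographic, which leaves the text inconsistent.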
@@ -86,11 +86,11 @@
- (e) regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.
- (10) “*The GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- (10) “*The GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- (11) “*The applied GDPR*” means the GDPR as applied by Chapter 3 of Part 2.
- (12) “*The Law Enforcement Directive*” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- (12) “*The Law Enforcement Directive*” means [Directive (EU) 2016/680](https://www.legislation.gov.uk/european/directive/2016/0680) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- (13) “*The Data Protection Convention*” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
@@ -134,13 +134,13 @@
- (1) Terms used in Chapter 2 of this Part and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.
- (2) In subsection (1), the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR.
- (2) In subsection (1), the reference to a term's meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term's meaning for the purposes of the GDPR.
- (3) Subsection (1) is subject to any provision in Chapter 2 which provides expressly for the term to have a different meaning and to section 204.
- (4) Terms used in Chapter 3 of this Part and in the applied GDPR have the same meaning in Chapter 3 as they have in the applied GDPR.
- (5) In subsection (4), the reference to a term’s meaning in the applied GDPR is to its meaning in the GDPR read with any provision of Chapter 2 (as applied by Chapter 3 ) or Chapter 3 which modifies the term’s meaning for the purposes of the applied GDPR.
- (5) In subsection (4), the reference to a term's meaning in the applied GDPR is to its meaning in the GDPR read with any provision of Chapter 2 (as applied by Chapter 3 ) or Chapter 3 which modifies the term's meaning for the purposes of the applied GDPR.
- (6) Subsection (4) is subject to any provision in Chapter 2 (as applied by Chapter 3 ) or Chapter 3 which provides expressly for the term to have a different meaning.
@@ -180,7 +180,7 @@
- (a) a public authority as defined by the Freedom of Information Act 2000,
- (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act [2002 (asp 13)](https://www.legislation.gov.uk/asp/2002/13), and
- (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), and
- (c) an authority or body specified or described by the Secretary of State in regulations,
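Review bot: The second of the two (b) lines carries no link on "2002 (asp 13)" where the first has one, while the hunk at -86,11 goes the other way and gains links on Regulation (EU) 2016/679 and Directive (EU) 2016/680, so citation linking is inconsistent within the same comparison. Either keep the link here, anchored on the full title "Freedom of Information (Scotland) Act 2002 (asp 13)" and not only on its tail, or strip link markup from both sides before diffing so that only wording changes are shown.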
@@ -188,7 +188,7 @@
- (2) An authority or body that falls within subsection (1) is only a “public authority” or “*public body*” for the purposes of the GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.
- (3) The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act [2002 (asp 13)](https://www.legislation.gov.uk/asp/2002/13) do not include any of the following that fall within those definitions—
- (3) The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—
- (a) a parish council in England;
@@ -206,7 +206,7 @@
- (ii) under Part 1 of the Local Government and Public Involvement in Health Act 2007, or
- (iii) by the Charter Trustees Regulations 1996 ([S.I. 1996/263](https://www.legislation.gov.uk/uksi/1996/263)).
- (iii) by the Charter Trustees Regulations 1996 (S.I. 1996/263).
- (4) The Secretary of State may by regulations provide that a person specified or described in the regulations that is a public authority described in subsection (1)(a) or (b) is not a “public authority” or “*public body*” for the purposes of the GDPR.
@@ -218,7 +218,7 @@
##### 8
In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for—
In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority includes processing of personal data that is necessary for—
- (a) the administration of justice,
@@ -234,7 +234,7 @@
##### 9
In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation to information society services)—
In Article 8(1) of the GDPR (conditions applicable to child's consent in relation to information society services)—
- (a) references to “16 years” are to be read as references to “13 years”, and
@@ -320,15 +320,15 @@
- (1) This section applies where a controller is a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974).
- (2) The controller’s obligations under Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject’s financial standing, unless the data subject has indicated a contrary intention.
- (3) Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the GDPR, the disclosure must be accompanied by a statement informing the data subject of the data subject’s rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).
- (2) The controller's obligations under Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject's financial standing, unless the data subject has indicated a contrary intention.
- (3) Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the GDPR, the disclosure must be accompanied by a statement informing the data subject of the data subject's rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).
#### Automated decision-making authorised by law: safeguards
##### 14
- (1) This section makes provision for the purposes of Article 22(2)(b) of the GDPR (exception from Article 22(1) of the GDPR for significant decisions based solely on automated processing that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).
- (1) This section makes provision for the purposes of Article 22(2)(b) of the GDPR (exception from Article 22(1) of the GDPR for significant decisions based solely on automated processing that are authorised by law and subject to safeguards for the data subject's rights, freedoms and legitimate interests).
- (2) A decision is a “*significant decision*” for the purposes of this section if, in relation to a data subject, it—
@@ -342,7 +342,7 @@
- (b) it is required or authorised by law, and
- (c) it does not fall within Article 22(2)(a) or (c) of the GDPR (decisions necessary to a contract or made with the data subject’s consent).
- (c) it does not fall within Article 22(2)(a) or (c) of the GDPR (decisions necessary to a contract or made with the data subject's consent).
- (4) Where a controller takes a qualifying significant decision in relation to a data subject based solely on automated processing—
@@ -368,7 +368,7 @@
- (6) In connection with this section, a controller has the powers and obligations under Article 12 of the GDPR (transparency, procedure for extending time for acting on request, fees, manifestly unfounded or excessive requests etc) that apply in connection with Article 22 of the GDPR.
- (7) The Secretary of State may by regulations make such further provision as the Secretary of State considers appropriate to provide suitable measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing.
- (7) The Secretary of State may by regulations make such further provision as the Secretary of State considers appropriate to provide suitable measures to safeguard a data subject's rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing.
- (8) Regulations under subsection (7)—
@@ -456,7 +456,7 @@
- (5) Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.
- (6) The national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body’s functions under this section, Schedule 5 and Article 43 of the GDPR.
- (6) The national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body's functions under this section, Schedule 5 and Article 43 of the GDPR.
- (7) The national accreditation body must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the GDPR as the Secretary of State may reasonably require.
@@ -512,9 +512,9 @@
- (4) In this section—
- “*approved medical research*” means medical research carried out by a person who has approval to carry out that research from— a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals— the Secretary of State, the Scottish Ministers, the Welsh Ministers, or a Northern Ireland department; a relevant NHS body; United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965; an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);
- “*relevant NHS body*” means— an NHS trust or NHS foundation trust in England, an NHS trust or Local Health Board in Wales, a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978, the Common Services Agency for the Scottish Health Service, or any of the health and social care bodies in Northern Ireland falling within paragraphs (a) to (e) of section 1(5) of the [Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))](https://www.legislation.gov.uk/nia/2009/1).
- “*approved medical research*” means medical research carried out by a person who has approval to carry out that research from—a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, ora body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—the Secretary of State, the Scottish Ministers, the Welsh Ministers, or a Northern Ireland department;a relevant NHS body;United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);
- “*relevant NHS body*” means—an NHS trust or NHS foundation trust in England,an NHS trust or Local Health Board in Wales,a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,the Common Services Agency for the Scottish Health Service, orany of the health and social care bodies in Northern Ireland falling within paragraphs (a) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).
- (5) The Secretary of State may by regulations change the meaning of “*approved medical research*” for the purposes of this section, including by amending subsection (4).
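Review bot: In the second versions of the "approved medical research" and "relevant NHS body" definitions the nested items are joined with no separator, which fuses words: "2014, ora body appointed", "department;a relevant NHS body;United Kingdom Research" and "Scottish Health Service, orany of the health and social care bodies". The first versions keep a space between items, so restore that space (or keep the sub-paragraphs as separate list items) when flattening these definitions; the link on the Health and Social Care (Reform) Act (Northern Ireland) 2009 citation is also absent from the second version.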
@@ -550,7 +550,7 @@
- (4) In this section—
- “*the automated or structured processing of personal data*” means— the processing of personal data wholly or partly by automated means, and the processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system;
- “*the automated or structured processing of personal data*” means—the processing of personal data wholly or partly by automated means, andthe processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system;
- “*the manual unstructured processing of personal data*” means the processing of personal data which is not the automated or structured processing of personal data.
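Review bot: The second version of the "automated or structured processing of personal data" definition joins its two limbs without a space, giving "by automated means, andthe processing otherwise than by automated means". The first version has the space; restore it so the conjunction between the two limbs stays readable.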
@@ -558,13 +558,13 @@
- (a) a public authority as defined in the Freedom of Information Act 2000, or
- (b) a Scottish public authority as defined in the Freedom of Information (Scotland) Act [2002 (asp 13)](https://www.legislation.gov.uk/asp/2002/13).
- (b) a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002 (asp 13).
- (6) References in this Chapter to personal data “held” by an FOI public authority are to be interpreted—
- (a) in relation to England and Wales and Northern Ireland, in accordance with section 3(2) of the Freedom of Information Act 2000, and
- (b) in relation to Scotland, in accordance with section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act [2002 (asp 13)](https://www.legislation.gov.uk/asp/2002/13),
- (b) in relation to Scotland, in accordance with section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002 (asp 13),
but such references do not include information held by an intelligence service (as defined in section 82) on behalf of an FOI public authority.
@@ -572,7 +572,7 @@
- (a) section 7 of the Freedom of Information Act 2000 prevents Parts 1 to 5 of that Act from applying to the personal data, or
- (b) section 7(1) of the Freedom of Information (Scotland) Act [2002 (asp 13)](https://www.legislation.gov.uk/asp/2002/13) prevents that Act from applying to the personal data.
- (b) section 7(1) of the Freedom of Information (Scotland) Act 2002 (asp 13) prevents that Act from applying to the personal data.
### Application of the GDPR
@@ -632,7 +632,7 @@
- (iii) Article 7 (conditions for consent),
- (iv) Article 8(1) and (2) (child’s consent),
- (iv) Article 8(1) and (2) (child's consent),
- (v) Article 9 (processing of special categories of personal data),
@@ -690,7 +690,7 @@
- (b) the controller estimates that the cost of complying with the request so far as relating to the personal data would exceed the appropriate maximum.
- (6) Subsection (5)(b) does not remove the controller’s obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.
- (6) Subsection (5)(b) does not remove the controller's obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.
- (7) An estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.
@@ -760,7 +760,7 @@
- (e) in Chapter VI of the applied GDPR—
- (i) Article 57(1)(a) and (h) (Commissioner’s duties to monitor and enforce the applied GDPR and to conduct investigations);
- (i) Article 57(1)(a) and (h) (Commissioner's duties to monitor and enforce the applied GDPR and to conduct investigations);
- (ii) Article 58 (investigative, corrective, authorisation and advisory powers of Commissioner);
@@ -780,7 +780,7 @@
- (h) in Part 6 of this Act—
- (i) sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);
- (i) sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);
- (ii) sections 170 to 173 (offences relating to personal data);
@@ -906,7 +906,7 @@
- (7) In this section—
- “*intelligence service*” means— the Security Service; the Secret Intelligence Service; the Government Communications Headquarters;
- “*intelligence service*” means—the Security Service;the Secret Intelligence Service;the Government Communications Headquarters;
- “*statutory function*” means a function under or by virtue of an enactment.
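Review bot: The second version of the "intelligence service" definition drops the spaces after the semicolons, giving "the Security Service;the Secret Intelligence Service;the Government Communications Headquarters". Keep the separating space from the first version, or render the three services as separate list items.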
@@ -946,7 +946,7 @@
- (3) “*Personal data breach*” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- (4) “*Profiling*” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- (4) “*Profiling*” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- (5) “*Recipient*”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.
@@ -1028,7 +1028,7 @@
- (c) the processing of data concerning health;
- (d) the processing of data concerning an individual’s sex life or sexual orientation.
- (d) the processing of data concerning an individual's sex life or sexual orientation.
#### The second data protection principle
@@ -1128,9 +1128,9 @@
- (2) The controller has an appropriate policy document in place in relation to the sensitive processing if the controller has produced a document which—
- (a) explains the controller’s procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and
- (b) explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.
- (a) explains the controller's procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and
- (b) explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.
- (3) Where personal data is processed on the basis that an appropriate policy document is in place, the controller must during the relevant period—
@@ -1150,7 +1150,7 @@
- (5) In this section, “*relevant period*”, in relation to sensitive processing in reliance on the consent of the data subject or in reliance on a condition specified in Schedule 8, means a period which—
- (a) begins when the controller starts to carry out the sensitive processing in reliance on the data subject’s consent or (as the case may be) in reliance on that condition, and
- (a) begins when the controller starts to carry out the sensitive processing in reliance on the data subject's consent or (as the case may be) in reliance on that condition, and
- (b) ends at the end of the period of 6 months beginning when the controller ceases to carry out the processing.
@@ -1206,7 +1206,7 @@
- (e) the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner.
- (2) The controller must also, in specific cases for the purpose of enabling the exercise of a data subject’s rights under this Part, give the data subject the following—
- (2) The controller must also, in specific cases for the purpose of enabling the exercise of a data subject's rights under this Part, give the data subject the following—
- (a) information about the legal basis for the processing;
@@ -1214,7 +1214,7 @@
- (c) where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations);
- (d) such further information as is necessary to enable the exercise of the data subject’s rights under this Part.
- (d) such further information as is necessary to enable the exercise of the data subject's rights under this Part.
- (3) An example of where further information may be necessary as mentioned in subsection (2)(d) is where the personal data being processed was collected without the knowledge of the data subject.
@@ -1236,11 +1236,11 @@
- (b) of the reasons for the restriction,
- (c) of the data subject’s right to make a request to the Commissioner under section 51,
- (d) of the data subject’s right to lodge a complaint with the Commissioner, and
- (e) of the data subject’s right to apply to a court under section 167.
- (c) of the data subject's right to make a request to the Commissioner under section 51,
- (d) of the data subject's right to lodge a complaint with the Commissioner, and
- (e) of the data subject's right to apply to a court under section 167.
- (6) Subsection (5)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.
@@ -1272,13 +1272,13 @@
- (d) the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;
- (e) the existence of the data subject’s rights to request from the controller—
- (e) the existence of the data subject's rights to request from the controller—
- (i) rectification of personal data (see section 46), and
- (ii) erasure of personal data or the restriction of its processing (see section 47);
- (f) the existence of the data subject’s right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
- (f) the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
- (g) communication of the personal data undergoing processing and of any available information as to its origin.
@@ -1306,11 +1306,11 @@
- (b) of the reasons for the restriction,
- (c) of the data subject’s right to make a request to the Commissioner under section 51,
- (d) of the data subject’s right to lodge a complaint with the Commissioner, and
- (e) of the data subject’s right to apply to a court under section 167.
- (c) of the data subject's right to make a request to the Commissioner under section 51,
- (d) of the data subject's right to lodge a complaint with the Commissioner, and
- (e) of the data subject's right to apply to a court under section 167.
- (6) Subsection (5)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
@@ -1362,11 +1362,11 @@
- (i) of the reasons for the refusal,
- (ii) of the data subject’s right to make a request to the Commissioner under section 51,
- (iii) of the data subject’s right to lodge a complaint with the Commissioner, and
- (iv) of the data subject’s right to apply to a court under section 167.
- (ii) of the data subject's right to make a request to the Commissioner under section 51,
- (iii) of the data subject's right to lodge a complaint with the Commissioner, and
- (iv) of the data subject's right to apply to a court under section 167.
- (2) The controller must comply with the duty under subsection (1)—
@@ -1392,9 +1392,9 @@
- (b) of the reasons for the restriction,
- (c) of the data subject’s right to lodge a complaint with the Commissioner, and
- (d) of the data subject’s right to apply to a court under section 167.
- (c) of the data subject's right to lodge a complaint with the Commissioner, and
- (d) of the data subject's right to apply to a court under section 167.
- (5) Subsection (4)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
@@ -1462,7 +1462,7 @@
- (ii) the outcome of complying with the request.
- (4) The Secretary of State may by regulations make such further provision as the Secretary of State considers appropriate to provide suitable measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing.
- (4) The Secretary of State may by regulations make such further provision as the Secretary of State considers appropriate to provide suitable measures to safeguard a data subject's rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing.
- (5) Regulations under subsection (4)—
@@ -1482,7 +1482,7 @@
- (a) restricts under section 44(4) the information provided to the data subject under section 44(2) (duty of the controller to give the data subject additional information),
- (b) restricts under section 45(4) the data subject’s rights under section 45(1) (right of access), or
- (b) restricts under section 45(4) the data subject's rights under section 45(1) (right of access), or
- (c) refuses a request by the data subject for rectification under section 46 or for erasure or restriction of processing under section 47.
@@ -1490,7 +1490,7 @@
- (a) where subsection (1)(a) or (b) applies, request the Commissioner to check that the restriction imposed by the controller was lawful;
- (b) where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject’s request was lawful.
- (b) where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject's request was lawful.
- (3) The Commissioner must take such steps as appear to the Commissioner to be appropriate to respond to a request under subsection (2) (which may include the exercise of any of the powers conferred by sections 142 and 146).
@@ -1498,9 +1498,9 @@
- (a) where subsection (1)(a) or (b) applies, whether the Commissioner is satisfied that the restriction imposed by the controller was lawful;
- (b) where subsection (1)(c) applies, whether the Commissioner is satisfied that the controller’s refusal of the data subject’s request was lawful.
- (5) The Commissioner must also inform the data subject of the data subject’s right to apply to a court under section 167.
- (b) where subsection (1)(c) applies, whether the Commissioner is satisfied that the controller's refusal of the data subject's request was lawful.
- (5) The Commissioner must also inform the data subject of the data subject's right to apply to a court under section 167.
- (6) Where the Commissioner is not satisfied as mentioned in subsection (4)(a) or (b), the Commissioner may also inform the data subject of any further steps that the Commissioner is considering taking under Part 6 .
@@ -1630,7 +1630,7 @@
- (d) its accessibility.
- (5) In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number of people without an individual’s intervention.
- (5) In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number of people without an individual's intervention.
#### Joint controllers
@@ -1706,7 +1706,7 @@
- (1) Each controller must maintain a record of all categories of processing activities for which the controller is responsible.
- (2) The controller’s record must contain the following information—
- (2) The controller's record must contain the following information—
- (a) the name and contact details of the controller;
@@ -1736,7 +1736,7 @@
- (3) Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.
- (4) The processor’s record must contain the following information—
- (4) The processor's record must contain the following information—
- (a) the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);
@@ -1802,7 +1802,7 @@
##### 63
Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner’s tasks.
Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner's tasks.
#### Data protection impact assessment
@@ -1956,7 +1956,7 @@
- (e) protect the rights and freedoms of others.
- (8) Subsection (6) does not apply where the controller’s decision not to inform the data subject of the breach was made in reliance on subsection (7).
- (8) Subsection (6) does not apply where the controller's decision not to inform the data subject of the breach was made in reliance on subsection (7).
- (9) The duties in section 52(1) and (2) apply in relation to information that the controller is required to provide to the data subject under this section as they apply in relation to information that the controller is required to provide to the data subject under Chapter 3 .
@@ -1970,7 +1970,7 @@
- (2) When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—
- (a) the proposed officer’s expert knowledge of data protection law and practice, and
- (a) the proposed officer's expert knowledge of data protection law and practice, and
- (b) the ability of the proposed officer to perform the tasks mentioned in section 71.
@@ -2000,9 +2000,9 @@
- (4) A data subject may contact the data protection officer with regard to all issues relating to—
- (a) the processing of that data subject’s personal data, or
- (b) the exercise of that data subject’s rights under this Part.
- (a) the processing of that data subject's personal data, or
- (b) the exercise of that data subject's rights under this Part.
- (5) The data protection officer, in the performance of this role, must report to the highest management level of the controller.
@@ -2012,7 +2012,7 @@
- (1) The controller must entrust the data protection officer with at least the following tasks—
- (a) informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person’s obligations under this Part,
- (a) informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person's obligations under this Part,
- (b) providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section,
@@ -2024,7 +2024,7 @@
- (f) monitoring compliance by the controller with this Part.
- (2) In relation to the policies mentioned in subsection (1)(e), the data protection officer’s tasks include—
- (2) In relation to the policies mentioned in subsection (1)(e), the data protection officer's tasks include—
- (a) assigning responsibilities under those policies,
@@ -2300,9 +2300,9 @@
- (2) In this section—
- “*EU recipient*” means— a recipient in a member State other than the United Kingdom, or an agency, office or body established pursuant to Chapters 4 and 5 of Title V of the Treaty on the Functioning of the European Union;
- “*non-EU recipient*” means— a recipient in a third country, or an international organisation.
- “*EU recipient*” means—a recipient in a member State other than the United Kingdom, oran agency, office or body established pursuant to Chapters 4 and 5 of Title V of the Treaty on the Functioning of the European Union;
- “*non-EU recipient*” means—a recipient in a third country, oran international organisation.
- (3) The controller must consider whether, if the personal data had instead been transmitted or otherwise made available within the United Kingdom to another competent authority, processing of the data by the other competent authority would have been subject to any restrictions by virtue of any enactment or rule of law.
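Review bot: the second copy of the “EU recipient” and “non-EU recipient” definitions in this hunk runs the alternatives together, giving "oran agency" and "oran international organisation", where the first copy had a space after "or". Nothing else in these two lines changes, so the lost separator looks unintended. Restore the break between the two limbs of each definition, ideally as separate sub-items, so that "a recipient in a member State other than the United Kingdom" and "an agency, office or body" read as distinct alternatives.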
@@ -2332,7 +2332,7 @@
- (3) The mechanisms implemented under subsection (1) must include—
- (a) raising awareness of the protections provided by Part 4A of the Employment Rights Act 1996 and Part 5A of the Employment Rights (Northern Ireland) Order 1996 ([S.I. 1996/1919 (N.I. 16)](https://www.legislation.gov.uk/nisi/1996/1919)), and
- (a) raising awareness of the protections provided by Part 4A of the Employment Rights Act 1996 and Part 5A of the Employment Rights (Northern Ireland) Order 1996 (S.I. 1996/1919 (N.I. 16)), and
- (b) such other protections for a person who reports an infringement of this Part as the controller considers appropriate.
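Review bot: in paragraph (a) the citation "S.I. 1996/1919 (N.I. 16)" loses its link to https://www.legislation.gov.uk/nisi/1996/1919 and becomes plain text. If the link removal is deliberate, say so in the change description. Otherwise keep the link, because it is the only pointer on the page to the Northern Ireland Order being cited.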
@@ -2400,7 +2400,7 @@
- (1) This section defines other expressions used in this Part.
- (2) “*Consent*”, in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data.
- (2) “*Consent*”, in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual's wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data.
- (3) “*Employee*”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.
@@ -2480,7 +2480,7 @@
- (d) the processing of data concerning health;
- (e) the processing of data concerning an individual’s sex life or sexual orientation;
- (e) the processing of data concerning an individual's sex life or sexual orientation;
- (f) the processing of personal data as to—
@@ -2624,7 +2624,7 @@
- (d) the period for which the personal data is to be preserved;
- (e) the existence of a data subject’s rights to rectification and erasure of personal data (see section 100);
- (e) the existence of a data subject's rights to rectification and erasure of personal data (see section 100);
- (f) the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
@@ -2684,9 +2684,9 @@
- (14) In this section—
- “*the applicable time period*” means— the period of 1 month, or such longer period, not exceeding 3 months, as may be specified in regulations made by the Secretary of State, beginning with the relevant time;
- “*the relevant time*”, in relation to a request under subsection (1), means the latest of the following— when the controller receives the request, when the fee (if any) is paid, and when the controller receives the information (if any) required under subsection (5) in connection with the request.
- “*the applicable time period*” means—the period of 1 month, orsuch longer period, not exceeding 3 months, as may be specified in regulations made by the Secretary of State,beginning with the relevant time;
- “*the relevant time*”, in relation to a request under subsection (1), means the latest of the following—when the controller receives the request,when the fee (if any) is paid, andwhen the controller receives the information (if any) required under subsection (5) in connection with the request.
- (15) Regulations under this section are subject to the negative resolution procedure.
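Review bot: the second copy of the two definitions in subsection (14) fuses words at every former sub-item boundary: "orsuch longer period", "State,beginning", "request,when" and "andwhen". The first copy separates these with spaces. In "the relevant time" the three events (request received, fee paid, information received) form a list whose latest member fixes when the period starts, so the items should be restored as separate entries or at least space-separated.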
@@ -2822,7 +2822,7 @@
- (a) stating that the controller has complied or intends to comply with the notice under subsection (1), or
- (b) stating the controller’s reasons for not complying with the notice to any extent and the extent (if any) to which the controller has complied or intends to comply with the notice under subsection (1).
- (b) stating the controller's reasons for not complying with the notice to any extent and the extent (if any) to which the controller has complied or intends to comply with the notice under subsection (1).
- (4) If the controller does not comply with a notice under subsection (1) to any extent, the data subject may apply to a court for an order that the controller take steps for complying with the notice.
@@ -2998,7 +2998,7 @@
- (2) A transfer of personal data falls within this subsection if the transfer is a necessary and proportionate measure carried out—
- (a) for the purposes of the controller’s statutory functions, or
- (a) for the purposes of the controller's statutory functions, or
- (b) for other purposes provided for, in relation to the controller, in section 2(2)(a) of the Security Service Act 1989 or section 2(2)(a) or 4(2)(a) of the Intelligence Services Act 1994.
@@ -3026,7 +3026,7 @@
- (e) in Part 6—
- (i) sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);
- (i) sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);
- (ii) sections 170 to 173 (offences relating to personal data);
@@ -3120,21 +3120,21 @@
- (b) Article 58 of the GDPR (powers),
(and see also the Commissioner’s duty under section 2).
- (3) The Commissioner’s functions in relation to the processing of personal data to which the GDPR applies include—
- (a) a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data, and
- (b) a power to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
- (4) The Commissioner’s functions under Article 58 of the GDPR are subject to the safeguards in subsections (5) to (9).
- (5) The Commissioner’s power under Article 58(1)(a) of the GDPR (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner’s tasks under the GDPR) is exercisable only by giving an information notice under section 142.
- (6) The Commissioner’s power under Article 58(1)(b) of the GDPR (power to carry out data protection audits) is exercisable only in accordance with section 146.
- (7) The Commissioner’s powers under Article 58(1)(e) and (f) of the GDPR (power to obtain information from controllers and processors and access to their premises) are exercisable only—
(and see also the Commissioner's duty under section 2).
- (3) The Commissioner's functions in relation to the processing of personal data to which the GDPR applies include—
- (a) a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data, and
- (b) a power to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
- (4) The Commissioner's functions under Article 58 of the GDPR are subject to the safeguards in subsections (5) to (9).
- (5) The Commissioner's power under Article 58(1)(a) of the GDPR (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner's tasks under the GDPR) is exercisable only by giving an information notice under section 142.
- (6) The Commissioner's power under Article 58(1)(b) of the GDPR (power to carry out data protection audits) is exercisable only in accordance with section 146.
- (7) The Commissioner's powers under Article 58(1)(e) and (f) of the GDPR (power to obtain information from controllers and processors and access to their premises) are exercisable only—
- (a) in accordance with Schedule 15 (see section 154), or
@@ -3142,11 +3142,11 @@
- (8) The following powers are exercisable only by giving an enforcement notice under section 149—
- (a) the Commissioner’s powers under Article 58(2)(c) to (g) and (j) of the GDPR (certain corrective powers);
- (b) the Commissioner’s powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the GDPR.
- (9) The Commissioner’s powers under Articles 58(2)(i) and 83 of the GDPR (administrative fines) are exercisable only by giving a penalty notice under section 155.
- (a) the Commissioner's powers under Article 58(2)(c) to (g) and (j) of the GDPR (certain corrective powers);
- (b) the Commissioner's powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the GDPR.
- (9) The Commissioner's powers under Articles 58(2)(i) and 83 of the GDPR (administrative fines) are exercisable only by giving a penalty notice under section 155.
- (10) This section is without prejudice to other functions conferred on the Commissioner, whether by the GDPR, this Act or otherwise.
@@ -3160,7 +3160,7 @@
- (b) is to continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Data Protection Convention.
- (2) Schedule 13 confers general functions on the Commissioner in connection with processing to which the GDPR does not apply (and see also the Commissioner’s duty under section 2).
- (2) Schedule 13 confers general functions on the Commissioner in connection with processing to which the GDPR does not apply (and see also the Commissioner's duty under section 2).
- (3) This section and Schedule 13 are without prejudice to other functions conferred on the Commissioner, whether by this Act or otherwise.
@@ -3234,7 +3234,7 @@
- (2) Subsection (1) applies only in connection with the processing of personal data to which the GDPR does not apply; for the equivalent duty in connection with the processing of personal data to which the GDPR applies, see Article 50 of the GDPR (international co-operation for the protection of personal data).
- (3) The Commissioner must carry out data protection functions which the Secretary of State directs the Commissioner to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to an international obligation of the United Kingdom.
- (3) The Commissioner must carry out data protection functions which the Secretary of State directs the Commissioner to carry out for the purpose of enabling Her Majesty's Government in the United Kingdom to give effect to an international obligation of the United Kingdom.
- (4) The Commissioner may provide an authority carrying out data protection functions under the law of a British overseas territory with assistance in carrying out those functions.
@@ -3288,7 +3288,7 @@
- (1) The Commissioner must prepare a code of practice which contains—
- (a) practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ([S.I. 2003/2426](https://www.legislation.gov.uk/uksi/2003/2426)), and
- (a) practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), and
- (b) such other guidance as the Commissioner considers appropriate to promote good practice in direct marketing.
@@ -3336,7 +3336,7 @@
- (a) to the fact that children have different needs at different ages, and
- (b) to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.
- (b) to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.
- (5) A code under this section may include transitional provision or savings.
@@ -3380,7 +3380,7 @@
- (5) In this section—
- “*good practice in the processing of personal data for the purposes of journalism*” means such practice in the processing of personal data for those purposes as appears to the Commissioner to be desirable having regard to— the interests of data subjects and others, including compliance with the requirements of the data protection legislation, and the special importance of the public interest in the freedom of expression and information;
- “*good practice in the processing of personal data for the purposes of journalism*” means such practice in the processing of personal data for those purposes as appears to the Commissioner to be desirable having regard to—the interests of data subjects and others, including compliance with the requirements of the data protection legislation, andthe special importance of the public interest in the freedom of expression and information;
- “*trade association*” includes a body representing controllers or processors.
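Review bot: in the second copy of the "good practice in the processing of personal data for the purposes of journalism" definition the two considerations are joined as "andthe special importance", where the first copy reads "and the special importance". Restore the space, or split the two considerations into sub-items, so the data subjects' interests and the public interest in freedom of expression remain visibly separate limbs.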
@@ -3462,7 +3462,7 @@
- (a) the data protection legislation, or
- (b) the Privacy and Electronic Communications (EC Directive) Regulations 2003 ([S.I. 2003/2426](https://www.legislation.gov.uk/uksi/2003/2426)).
- (b) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).
#### Other codes of practice
@@ -3502,7 +3502,7 @@
##### 129
- (1) The Commissioner’s functions under Article 58(1) of the GDPR and paragraph 1 of Schedule 13 include power, with the consent of a controller or processor, to carry out an assessment of whether the controller or processor is complying with good practice in the processing of personal data.
- (1) The Commissioner's functions under Article 58(1) of the GDPR and paragraph 1 of Schedule 13 include power, with the consent of a controller or processor, to carry out an assessment of whether the controller or processor is complying with good practice in the processing of personal data.
- (2) The Commissioner must inform the controller or processor of the results of such an assessment.
@@ -3548,7 +3548,7 @@
##### 131
- (1) No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner with information necessary for the discharge of the Commissioner’s functions.
- (1) No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner with information necessary for the discharge of the Commissioner's functions.
- (2) But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
@@ -3558,9 +3558,9 @@
##### 132
- (1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—
- (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,
- (1) A person who is or has been the Commissioner, or a member of the Commissioner's staff or an agent of the Commissioner, must not disclose information which—
- (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner's functions,
- (b) relates to an identified or identifiable individual or business, and
@@ -3574,7 +3574,7 @@
- (b) the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),
- (c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,
- (c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner's functions,
- (d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,
@@ -3590,7 +3590,7 @@
- (1) The Commissioner must produce and publish guidance about—
- (a) how the Commissioner proposes to secure that privileged communications which the Commissioner obtains or has access to in the course of carrying out the Commissioner’s functions are used or disclosed only so far as necessary for carrying out those functions, and
- (a) how the Commissioner proposes to secure that privileged communications which the Commissioner obtains or has access to in the course of carrying out the Commissioner's functions are used or disclosed only so far as necessary for carrying out those functions, and
- (b) how the Commissioner proposes to comply with restrictions and prohibitions on obtaining or having access to privileged communications which are imposed by an enactment.
@@ -3608,13 +3608,13 @@
- (a) communications made—
- (i) between a professional legal adviser and the adviser’s client, and
- (i) between a professional legal adviser and the adviser's client, and
- (ii) in connection with the giving of legal advice to the client with respect to legal obligations, liabilities or rights, and
- (b) communications made—
- (i) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
- (i) between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
- (ii) in connection with or in contemplation of legal proceedings, and
@@ -3636,7 +3636,7 @@
##### 134
The Commissioner may require a person other than a data subject or a data protection officer to pay a reasonable fee for a service provided to the person, or at the person’s request, which the Commissioner is required or authorised to provide under the data protection legislation.
The Commissioner may require a person other than a data subject or a data protection officer to pay a reasonable fee for a service provided to the person, or at the person's request, which the Commissioner is required or authorised to provide under the data protection legislation.
#### Manifestly unfounded or excessive requests by data subjects etc
@@ -3688,7 +3688,7 @@
- (4) In making regulations under subsection (1), the Secretary of State must have regard to the desirability of securing that the charges payable to the Commissioner under such regulations are sufficient to offset—
- (a) expenses incurred by the Commissioner in discharging the Commissioner’s functions—
- (a) expenses incurred by the Commissioner in discharging the Commissioner's functions—
- (i) under the data protection legislation,
@@ -3696,7 +3696,7 @@
- (iii) under or by virtue of sections 108 and 109 of the Digital Economy Act 2017, and
- (iv) under or by virtue of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ([S.I. 2003/2426](https://www.legislation.gov.uk/uksi/2003/2426)),
- (iv) under or by virtue of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426),
- (b) any expenses of the Secretary of State in respect of the Commissioner so far as attributable to those functions,
@@ -3720,7 +3720,7 @@
- (b) determining the amount of a charge payable by the controller.
- (8) The provision that may be made under subsection (6)(a) includes provision requiring a controller to notify the Commissioner of a change in the controller’s circumstances of a kind specified in the regulations.
- (8) The provision that may be made under subsection (6)(a) includes provision requiring a controller to notify the Commissioner of a change in the controller's circumstances of a kind specified in the regulations.
#### Regulations under section 137: supplementary
@@ -3770,7 +3770,7 @@
- (1) The Commissioner must—
- (a) produce a general report on the carrying out of the Commissioner’s functions annually,
- (a) produce a general report on the carrying out of the Commissioner's functions annually,
- (b) arrange for it to be laid before Parliament, and
@@ -3778,7 +3778,7 @@
- (2) The report must include the annual report required under Article 59 of the GDPR.
- (3) The Commissioner may produce other reports relating to the carrying out of the Commissioner’s functions and arrange for them to be laid before Parliament.
- (3) The Commissioner may produce other reports relating to the carrying out of the Commissioner's functions and arrange for them to be laid before Parliament.
#### Publication by the Commissioner
@@ -3812,7 +3812,7 @@
- (b) by addressing it to that partnership and leaving it at that office.
- (5) The notice may be given to the person by other means, including by electronic means, with the person’s consent.
- (5) The notice may be given to the person by other means, including by electronic means, with the person's consent.
- (6) In this section—
@@ -3834,7 +3834,7 @@
- (1) The Commissioner may, by written notice (an “information notice”)—
- (a) require a controller or processor to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of carrying out the Commissioner’s functions under the data protection legislation, or
- (a) require a controller or processor to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of carrying out the Commissioner's functions under the data protection legislation, or
- (b) require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—
@@ -3872,9 +3872,9 @@
- (7) If an information notice—
- (a) states that, in the Commissioner’s opinion, the information is required urgently, and
- (b) gives the Commissioner’s reasons for reaching that opinion,
- (a) states that, in the Commissioner's opinion, the information is required urgently, and
- (b) gives the Commissioner's reasons for reaching that opinion,
subsections (5) and (6) do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.
@@ -3902,13 +3902,13 @@
- (3) An information notice does not require a person to give the Commissioner information in respect of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client, and
- (a) between a professional legal adviser and the adviser's client, and
- (b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
- (4) An information notice does not require a person to give the Commissioner information in respect of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
- (a) between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
- (b) in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
@@ -3926,13 +3926,13 @@
- (c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 ([S.I. 1979/1714 (N.I. 19)](https://www.legislation.gov.uk/nisi/1979/1714)) (false statutory declarations and other false unsworn statements).
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
- (8) An oral or written statement provided by a person in response to an information notice may not be used in evidence against that person on a prosecution for an offence under this Act (other than an offence under section 144) unless in the proceedings—
- (a) in giving evidence the person provides information inconsistent with the statement, and
- (b) evidence relating to the statement is adduced, or a question relating to it is asked, by that person or on that person’s behalf.
- (b) evidence relating to the statement is adduced, or a question relating to it is asked, by that person or on that person's behalf.
- (9) In subsection (6), in relation to an information notice given to a representative of a controller or processor designated under Article 27 of the GDPR, the reference to the person providing the information being exposed to proceedings for an offence includes a reference to the controller or processor being exposed to such proceedings.
@@ -3998,7 +3998,7 @@
- (i) make available for interview by the Commissioner a specified number of people of a specified description who process personal data on behalf of the controller, not exceeding the number who are willing to be interviewed.
- (3) In subsection (2), references to the Commissioner include references to the Commissioner’s officers and staff.
- (3) In subsection (2), references to the Commissioner include references to the Commissioner's officers and staff.
- (4) An assessment notice must, in relation to each requirement imposed by the notice, specify the time or times at which, or period or periods within which, the requirement must be complied with (but see the restrictions in subsections (6) to (9)).
@@ -4014,9 +4014,9 @@
- (8) If an assessment notice—
- (a) states that, in the Commissioner’s opinion, it is necessary for the controller or processor to comply with a requirement in the notice urgently,
- (b) gives the Commissioner’s reasons for reaching that opinion, and
- (a) states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice urgently,
- (b) gives the Commissioner's reasons for reaching that opinion, and
- (c) does not meet the conditions in subsection (9)(a) to (d),
@@ -4024,15 +4024,15 @@
- (9) If an assessment notice—
- (a) states that, in the Commissioner’s opinion, there are reasonable grounds for suspecting that a controller or processor has failed or is failing as described in section 149(2) or that an offence under this Act has been or is being committed,
- (a) states that, in the Commissioner's opinion, there are reasonable grounds for suspecting that a controller or processor has failed or is failing as described in section 149(2) or that an offence under this Act has been or is being committed,
- (b) indicates the nature of the suspected failure or offence,
- (c) does not specify domestic premises,
- (d) states that, in the Commissioner’s opinion, it is necessary for the controller or processor to comply with a requirement in the notice in less than 7 days, and
- (e) gives the Commissioner’s reasons for reaching that opinion,
- (d) states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice in less than 7 days, and
- (e) gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply.
@@ -4054,13 +4054,13 @@
- (2) An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client, and
- (a) between a professional legal adviser and the adviser's client, and
- (b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
- (3) An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
- (a) between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
- (b) in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
@@ -4082,7 +4082,7 @@
- (a) a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or
- (b) the Office for Standards in Education, Children’s Services and Skills in so far as it is a controller or processor in respect of information processed for the purposes of functions exercisable by Her Majesty’s Chief Inspector of Education, Children’s Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
- (b) the Office for Standards in Education, Children's Services and Skills in so far as it is a controller or processor in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
### Information notices and assessment notices: destruction of documents etc
@@ -4112,7 +4112,7 @@
##### 149
- (1) Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “*enforcement notice*”) which requires the person—
- (1) Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an “enforcement notice”) which requires the person—
- (a) to take steps specified in the notice, or
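Review bot: In section 149(1) the new line drops the emphasis markers from the defined term, turning “*enforcement notice*” into “enforcement notice”, while other definitions touched by this same change (“*representative body*”, “*relevant claim*”) keep theirs. Restore the markers here, or remove them everywhere, so defined terms are marked consistently.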
@@ -4140,7 +4140,7 @@
- (b) has failed, or is failing, to comply with an obligation under Article 42 or 43 of the GDPR (certification of controllers and processors), or
- (c) has failed, or is failing, to comply with any other provision of the GDPR (whether in the person’s capacity as a certification provider or otherwise).
- (c) has failed, or is failing, to comply with any other provision of the GDPR (whether in the person's capacity as a certification provider or otherwise).
- (5) The fourth type of failure is where a controller has failed, or is failing, to comply with regulations under section 137.
@@ -4166,11 +4166,11 @@
- (a) state what the person has failed or is failing to do, and
- (b) give the Commissioner’s reasons for reaching that opinion.
- (b) give the Commissioner's reasons for reaching that opinion.
- (2) In deciding whether to give an enforcement notice in reliance on section 149(2), the Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress.
- (3) In relation to an enforcement notice given in reliance on section 149(2), the Commissioner’s power under section 149(1)(b) to require a person to refrain from taking specified steps includes power—
- (3) In relation to an enforcement notice given in reliance on section 149(2), the Commissioner's power under section 149(1)(b) to require a person to refrain from taking specified steps includes power—
- (a) to impose a ban relating to all processing of personal data, or
@@ -4196,9 +4196,9 @@
- (8) If an enforcement notice—
- (a) states that, in the Commissioner’s opinion, it is necessary for a requirement to be complied with urgently, and
- (b) gives the Commissioner’s reasons for reaching that opinion,
- (a) states that, in the Commissioner's opinion, it is necessary for a requirement to be complied with urgently, and
- (b) gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply but the notice must not require the requirement to be complied with before the end of the period of 24 hours beginning when the notice is given.
@@ -4212,7 +4212,7 @@
- (a) to comply with a data protection principle relating to accuracy, or
- (b) to comply with a data subject’s request to exercise rights under Article 16, 17 or 18 of the GDPR (right to rectification, erasure or restriction on processing) or section 46, 47 or 100 of this Act.
- (b) to comply with a data subject's request to exercise rights under Article 16, 17 or 18 of the GDPR (right to rectification, erasure or restriction on processing) or section 46, 47 or 100 of this Act.
- (2) If the enforcement notice requires the controller or processor to rectify or erase inaccurate personal data, it may also require the controller or processor to rectify or erase any other data which—
@@ -4224,7 +4224,7 @@
- (a) to take steps specified in the notice to ensure the accuracy of the data,
- (b) if relevant, to secure that the data indicates the data subject’s view that the data is inaccurate, and
- (b) if relevant, to secure that the data indicates the data subject's view that the data is inaccurate, and
- (c) to supplement the data with a statement of the true facts relating to the matters dealt with by the data that is approved by the Commissioner,
@@ -4410,13 +4410,13 @@
- (5) The “higher maximum amount” is—
- (a) in the case of an undertaking, 20 million Euros or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher, or
- (a) in the case of an undertaking, 20 million Euros or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or
- (b) in any other case, 20 million Euros.
- (6) The “standard maximum amount” is—
- (a) in the case of an undertaking, 10 million Euros or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher, or
- (a) in the case of an undertaking, 10 million Euros or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or
- (b) in any other case, 10 million Euros.
@@ -4454,7 +4454,7 @@
- (a) provide that a person of a description specified in the regulations is or is not an undertaking, and
- (b) make provision about how an undertaking’s turnover is to be determined.
- (b) make provision about how an undertaking's turnover is to be determined.
- (2) For the purposes of Article 83 of the GDPR, section 157 and section 158, the Secretary of State may by regulations provide that a period is or is not a financial year.
@@ -4466,7 +4466,7 @@
##### 160
- (1) The Commissioner must produce and publish guidance about how the Commissioner proposes to exercise the Commissioner’s functions in connection with—
- (1) The Commissioner must produce and publish guidance about how the Commissioner proposes to exercise the Commissioner's functions in connection with—
- (a) information notices,
@@ -4476,7 +4476,7 @@
- (d) penalty notices.
- (2) The Commissioner may produce and publish guidance about how the Commissioner proposes to exercise the Commissioner’s other functions under this Part.
- (2) The Commissioner may produce and publish guidance about how the Commissioner proposes to exercise the Commissioner's other functions under this Part.
- (3) In relation to information notices, the guidance must include—
@@ -4508,7 +4508,7 @@
- (5) The guidance produced in accordance with subsection (4)(c) must include provisions that relate to—
- (a) documents and information concerning an individual’s physical or mental health;
- (a) documents and information concerning an individual's physical or mental health;
- (b) documents and information concerning the provision of social care for an individual.
@@ -4524,7 +4524,7 @@
- (a) provision about the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice;
- (b) provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner’s intention to give the person a penalty notice;
- (b) provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner's intention to give the person a penalty notice;
- (c) provision explaining how the Commissioner will determine the amount of penalties;
@@ -4624,7 +4624,7 @@
- (5) On an appeal under section 162(2), if the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal must cancel or vary the notice.
- (6) On an appeal under section 162(4), the Tribunal may cancel the Commissioner’s determination.
- (6) On an appeal under section 162(4), the Tribunal may cancel the Commissioner's determination.
#### Applications in respect of urgent notices
@@ -4664,7 +4664,7 @@
##### 165
- (1) Articles 57(1)(f) and (2) and 77 of the GDPR (data subject’s right to lodge a complaint) confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR.
- (1) Articles 57(1)(f) and (2) and 77 of the GDPR (data subject's right to lodge a complaint) confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR.
- (2) A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act.
@@ -4686,7 +4686,7 @@
- (b) informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary.
- (6) If the Commissioner receives a complaint relating to the infringement of a data subject’s rights under provisions adopted by a member State other than the United Kingdom pursuant to the Law Enforcement Directive, the Commissioner must—
- (6) If the Commissioner receives a complaint relating to the infringement of a data subject's rights under provisions adopted by a member State other than the United Kingdom pursuant to the Law Enforcement Directive, the Commissioner must—
- (a) send the complaint to the relevant supervisory authority for the purposes of that Directive,
@@ -4710,7 +4710,7 @@
- (b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
- (c) if the Commissioner’s consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
- (c) if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
- (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner—
@@ -4732,7 +4732,7 @@
##### 167
- (1) This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.
- (1) This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject's rights under the data protection legislation in contravention of that legislation.
- (2) A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
@@ -4782,7 +4782,7 @@
- (i) has not complied with an obligation under the data protection legislation specifically directed at processors, or
- (ii) has acted outside, or contrary to, the controller’s lawful instructions.
- (ii) has acted outside, or contrary to, the controller's lawful instructions.
- (3) A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
@@ -5034,7 +5034,7 @@
- (2) As soon as reasonably practicable after receiving an application under subsection (1), the Commissioner must decide whether, and to what extent, to grant it.
- (3) The Commissioner must not grant the application unless, in the Commissioner’s opinion, the case involves a matter of substantial public importance.
- (3) The Commissioner must not grant the application unless, in the Commissioner's opinion, the case involves a matter of substantial public importance.
- (4) If the Commissioner decides not to provide assistance, the Commissioner must, as soon as reasonably practicable, notify the applicant of the decision, giving reasons for the decision.
@@ -5112,7 +5112,7 @@
- (d) the rights of bodies and other organisations to make complaints and claims on behalf of data subjects, and
- (e) the Commissioner’s power to provide assistance in special purpose proceedings.
- (e) the Commissioner's power to provide assistance in special purpose proceedings.
- (6) The Commissioner—
@@ -5142,7 +5142,7 @@
- “*good practice in the processing of personal data for the purposes of journalism*” has the same meaning as in section 124;
- “*review period*” means— the period of 4 years beginning with the day on which Chapter 2 of Part 2 of this Act comes into force, and each subsequent period of 5 years beginning with the day after the day on which the previous review period ended.
- “*review period*” means—the period of 4 years beginning with the day on which Chapter 2 of Part 2 of this Act comes into force, andeach subsequent period of 5 years beginning with the day after the day on which the previous review period ended.
- (3) The Commissioner must start a review under this section, in respect of a review period, within the period of 6 months beginning when the review period ends.
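Review bot: The new “*review period*” line loses the whitespace between the two limbs of the definition, giving “means—the period of 4 years” and the run-together word “andeach”. Keep a space or line break after “means—” and after “and” so the sub-paragraphs remain separate and the text stays searchable.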
@@ -5186,7 +5186,7 @@
- “*relevant media organisation*” means a body or other organisation whose activities consist of or include journalism, other than a broadcaster;
- “*review period*” means— the period of 3 years beginning when this Act is passed, and each subsequent period of 3 years.
- “*review period*” means—the period of 3 years beginning when this Act is passed, andeach subsequent period of 3 years.
- (3) The Secretary of State must send a copy of the report to—
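Review bot: The replacement “*review period*” definition here reads “andeach subsequent period of 3 years”, so the conjunction and the start of the second limb have been fused. The old line had a space in both places (“means— the period” and “and each”); the new one should keep a separator rather than removing it.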
@@ -5250,7 +5250,7 @@
- “*penalty variation notice*” has the meaning given in Schedule 16;
- “*representative*”, in relation to a controller or processor, means a person designated by the controller or processor under Article 27 of the GDPR to represent the controller or processor with regard to the controller’s or processor’s obligations under the GDPR.
- “*representative*”, in relation to a controller or processor, means a person designated by the controller or processor under Article 27 of the GDPR to represent the controller or processor with regard to the controller's or processor's obligations under the GDPR.
## PART 7 — Supplementary and final provision
@@ -5384,9 +5384,9 @@
- (6) In this section—
- “*employment*” means any employment, including— work under a contract for services or as an office-holder, work under an apprenticeship, work experience as part of a training course or in the course of training for employment, and voluntary work, and “employee” is to be interpreted accordingly;
- “*relevant record*” has the meaning given in Schedule 18 and references to a relevant record include— a part of such a record, and a copy of, or of part of, such a record.
- “*employment*” means any employment, including—work under a contract for services or as an office-holder,work under an apprenticeship,work experience as part of a training course or in the course of training for employment, andvoluntary work,and “employee” is to be interpreted accordingly;
- “*relevant record*” has the meaning given in Schedule 18 and references to a relevant record include—a part of such a record, anda copy of, or of part of, such a record.
#### Avoidance of certain contractual terms relating to health records
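Review bot: Both definitions in subsection (6) have their list items collapsed with no separators in the new lines: “office-holder,work under an apprenticeship,work experience”, “andvoluntary work,and “employee””, and “anda copy of”. This changes how the text reads rather than just normalising apostrophes, so split the limbs back out (or at least restore the spaces) before accepting the hunk.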
@@ -5444,11 +5444,11 @@
- (1) In relation to the processing of personal data to which the GDPR applies—
- (a) Article 80(1) of the GDPR (representation of data subjects) enables a data subject to authorise a body or other organisation which meets the conditions set out in that Article to exercise the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy) on the data subject’s behalf, and
- (b) a data subject may also authorise such a body or organisation to exercise the data subject’s rights under Article 82 of the GDPR (right to compensation).
- (2) In relation to the processing of personal data to which the GDPR does not apply, a body or other organisation which meets the conditions in subsections (3) and (4), if authorised to do so by a data subject, may exercise some or all of the following rights of a data subject on the data subject’s behalf—
- (a) Article 80(1) of the GDPR (representation of data subjects) enables a data subject to authorise a body or other organisation which meets the conditions set out in that Article to exercise the data subject's rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy) on the data subject's behalf, and
- (b) a data subject may also authorise such a body or organisation to exercise the data subject's rights under Article 82 of the GDPR (right to compensation).
- (2) In relation to the processing of personal data to which the GDPR does not apply, a body or other organisation which meets the conditions in subsections (3) and (4), if authorised to do so by a data subject, may exercise some or all of the following rights of a data subject on the data subject's behalf—
- (a) rights under section 165(2), (4)(d) and (6)(c) (complaints to the Commissioner);
@@ -5466,9 +5466,9 @@
- (c) has objectives which are in the public interest.
- (4) The second condition is that the body or organisation is active in the field of protection of data subjects’ rights and freedoms with regard to the protection of their personal data.
- (5) In this Act, references to a “*representative body*”, in relation to a right of a data subject, are to a body or other organisation authorised to exercise the right on the data subject’s behalf under Article 80 of the GDPR or this section.
- (4) The second condition is that the body or organisation is active in the field of protection of data subjects' rights and freedoms with regard to the protection of their personal data.
- (5) In this Act, references to a “*representative body*”, in relation to a right of a data subject, are to a body or other organisation authorised to exercise the right on the data subject's behalf under Article 80 of the GDPR or this section.
#### Representation of data subjects with their authority: collective proceedings
@@ -5476,7 +5476,7 @@
- (1) The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.
- (2) In this section, “*relevant claim*”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject’s behalf under Article 80(1) of the GDPR or section 187.
- (2) In this section, “*relevant claim*”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject's behalf under Article 80(1) of the GDPR or section 187.
- (3) The power under subsection (1) includes power—
@@ -5518,11 +5518,11 @@
- (b) the operation of section 187,
- (c) the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject’s rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject),
- (d) the merits of making equivalent provision in relation to data subjects’ rights under Article 82 of the GDPR (right to compensation), and
- (e) the merits of making provision for a children’s rights organisation to exercise some or all of a data subject’s rights under Articles 77, 78, 79 and 82 of the GDPR on behalf of a data subject who is a child, with or without being authorised to do so by the data subject.
- (c) the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject's rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject),
- (d) the merits of making equivalent provision in relation to data subjects' rights under Article 82 of the GDPR (right to compensation), and
- (e) the merits of making provision for a children's rights organisation to exercise some or all of a data subject's rights under Articles 77, 78, 79 and 82 of the GDPR on behalf of a data subject who is a child, with or without being authorised to do so by the data subject.
- (3) “The review period” is the period of 30 months beginning when section 187 comes into force.
@@ -5536,15 +5536,15 @@
- (d) consider the support and advice available to children in connection with the exercise of their rights under Articles 77, 78, 79 and 82 of the GDPR by another person on their behalf and the merits of making available other support or advice, and
- (e) have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.
- (e) have regard to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.
- (5) Before preparing the report under subsection (1), the Secretary of State must consult the Commissioner and such other persons as the Secretary of State considers appropriate, including—
- (a) persons active in the field of protection of data subjects’ rights and freedoms with regard to the protection of their personal data,
- (a) persons active in the field of protection of data subjects' rights and freedoms with regard to the protection of their personal data,
- (b) children and parents,
- (c) children’s rights organisations and other persons who appear to the Secretary of State to represent the interests of children,
- (c) children's rights organisations and other persons who appear to the Secretary of State to represent the interests of children,
- (d) child development experts, and
@@ -5552,7 +5552,7 @@
- (6) In this section—
- “*children’s rights organisation*” means a body or other organisation which— is active in representing the interests of children, and has objectives which are in the public interest;
- “*children's rights organisation*” means a body or other organisation which—is active in representing the interests of children, andhas objectives which are in the public interest;
- “*trade association*” includes a body representing controllers or processors;
@@ -5566,15 +5566,15 @@
- (a) exercise the powers under Article 80(2) of the GDPR in relation to England and Wales and Northern Ireland,
- (b) make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject’s rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject, and
- (b) make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject's rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject, and
- (c) make provision described in section 189(2)(e) in relation to the exercise in England and Wales and Northern Ireland of the rights of a data subject who is a child.
- (2) The powers under subsection (1) include power—
- (a) to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject’s rights;
- (b) to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject’s rights;
- (a) to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject's rights;
- (b) to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject's rights;
- (c) to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;
@@ -5688,7 +5688,7 @@
- (b) the provision appears to the court or tribunal to be relevant to the question.
- (5) In determining a question arising in connection with the carrying out of any of the Commissioner’s functions, the Commissioner must take into account a provision of a document issued under section 192(3) if—
- (5) In determining a question arising in connection with the carrying out of any of the Commissioner's functions, the Commissioner must take into account a provision of a document issued under section 192(3) if—
- (a) the question relates to a time when the provision was in force, and
@@ -5710,12 +5710,12 @@
> (b) a person to whom section 66 (officers and former servicemen liable to recall) applies,
> which are held by HMRC in connection with a function of HMRC.
> (2) HMRC may supply contact details to which subsection (1) applies to the Secretary of State for the purpose of enabling the Secretary of State—
> (a) to contact a member of an ex-regular reserve force in connection with the person’s liability, or potential liability, to be called out for service under Part 6;
> (b) to contact a person to whom section 66 applies in connection with the person’s liability, or potential liability, to be recalled for service under Part 7.
> (3) Where a person’s contact details are supplied under subsection (2) for a purpose described in that subsection, they may also be used for defence purposes connected with the person’s service (whether past, present or future) in the reserve forces or regular services.
> (4) In this section, “*HMRC*” means Her Majesty’s Revenue and Customs.
> (a) to contact a member of an ex-regular reserve force in connection with the person's liability, or potential liability, to be called out for service under Part 6;
> (b) to contact a person to whom section 66 applies in connection with the person's liability, or potential liability, to be recalled for service under Part 7.
> (3) Where a person's contact details are supplied under subsection (2) for a purpose described in that subsection, they may also be used for defence purposes connected with the person's service (whether past, present or future) in the reserve forces or regular services.
> (4) In this section, “*HMRC*” means Her Majesty's Revenue and Customs.
> (125B)
> (1) A person who receives information supplied under section 125A may not disclose it except with the consent of the Commissioners for Her Majesty’s Revenue and Customs (which may be general or specific).
> (1) A person who receives information supplied under section 125A may not disclose it except with the consent of the Commissioners for Her Majesty's Revenue and Customs (which may be general or specific).
> (2) A person who contravenes subsection (1) is guilty of an offence.
> (3) It is a defence for a person charged with an offence under this section to prove that the person reasonably believed—
> (a) that the disclosure was lawful, or
@@ -5774,7 +5774,7 @@
- (b) by or with the consent of the Director of Public Prosecutions for Northern Ireland.
- (3) Subject to subsection (4), summary proceedings for an offence under section 173 (alteration etc of personal data to prevent disclosure) may be brought within the period of 6 months beginning with the day on which the prosecutor first knew of evidence that, in the prosecutor’s opinion, was sufficient to bring the proceedings.
- (3) Subject to subsection (4), summary proceedings for an offence under section 173 (alteration etc of personal data to prevent disclosure) may be brought within the period of 6 months beginning with the day on which the prosecutor first knew of evidence that, in the prosecutor's opinion, was sufficient to bring the proceedings.
- (4) Such proceedings may not be brought after the end of the period of 3 years beginning with the day on which the offence was committed.
@@ -5800,7 +5800,7 @@
- (2) The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.
- (3) Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member’s management functions in relation to the body as if the member were a director of the body corporate.
- (3) Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member's management functions in relation to the body as if the member were a director of the body corporate.
- (4) Subsection (5) applies where—
@@ -5814,7 +5814,7 @@
##### 199
- (1) The National Police Records (Recordable Offences) Regulations 2000 ([S.I. 2000/1139](https://www.legislation.gov.uk/uksi/2000/1139)) have effect as if the offences under the following provisions were listed in the Schedule to the Regulations—
- (1) The National Police Records (Recordable Offences) Regulations 2000 (S.I. 2000/1139) have effect as if the offences under the following provisions were listed in the Schedule to the Regulations—
- (a) section 119;
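Review bot: Section 199(1) loses the hyperlink on “S.I. 2000/1139”, leaving a plain-text citation with no target. If links are being stripped deliberately, say so in the change description; otherwise keep the reference to legislation.gov.uk/uksi/2000/1139 so the cited Regulations stay resolvable.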
@@ -5862,7 +5862,7 @@
- (a) its functions under the data protection legislation, or
- (b) its other functions relating to the Commissioner’s acts and omissions.
- (b) its other functions relating to the Commissioner's acts and omissions.
- (2) But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
@@ -5932,11 +5932,11 @@
- (f) a registered chiropractor within the meaning of the Chiropractors Act 1994 (see section 43 of that Act);
- (g) a person registered as a member of a profession to which the Health and Social Work Professions Order 2001 ([S.I. 2002/254](https://www.legislation.gov.uk/uksi/2002/254)) for the time being extends, other than the social work profession in England;
- (h) a registered pharmacist or a registered pharmacy technician within the meaning of the Pharmacy Order 2010 ([S.I. 2010/231](https://www.legislation.gov.uk/uksi/2010/231)) (see article 3 of that Order);
- (i) a registered person within the meaning of the Pharmacy (Northern Ireland) Order 1976 ([S.I. 1976/1213 (N.I. 22)](https://www.legislation.gov.uk/nisi/1976/1213)) (see Article 2 of that Order);
- (g) a person registered as a member of a profession to which the Health and Social Work Professions Order 2001 (S.I. 2002/254) for the time being extends, other than the social work profession in England;
- (h) a registered pharmacist or a registered pharmacy technician within the meaning of the Pharmacy Order 2010 (S.I. 2010/231) (see article 3 of that Order);
- (i) a registered person within the meaning of the Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)) (see Article 2 of that Order);
- (j) a child psychotherapist;
@@ -5944,13 +5944,13 @@
- (2) In this Act, “*social work professional*” means any of the following—
- (a) a person registered as a social worker in England in the register maintained under the Health and Social Work Professions Order 2001 ([S.I. 2002/254](https://www.legislation.gov.uk/uksi/2002/254));
- (b) a person registered as a social worker in the register maintained by Social Care Wales under section 80 of the [Regulation and Inspection of Social Care (Wales) Act 2016 (anaw 2)](https://www.legislation.gov.uk/anaw/2016/2);
- (c) a person registered as a social worker in the register maintained by the Scottish Social Services Council under section 44 of the Regulation of Care (Scotland) Act [2001 (asp 8)](https://www.legislation.gov.uk/asp/2001/8);
- (d) a person registered as a social worker in the register maintained by the Northern Ireland Social Care Council under section 3 of the [Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))](https://www.legislation.gov.uk/nia/2009/1).
- (a) a person registered as a social worker in England in the register maintained under the Health and Social Work Professions Order 2001 (S.I. 2002/254);
- (b) a person registered as a social worker in the register maintained by Social Care Wales under section 80 of the Regulation and Inspection of Social Care (Wales) Act 2016 (anaw 2);
- (c) a person registered as a social worker in the register maintained by the Scottish Social Services Council under section 44 of the Regulation of Care (Scotland) Act 2001 (asp 8);
- (d) a person registered as a social worker in the register maintained by the Northern Ireland Social Care Council under section 3 of the Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.)).
- (3) In subsection (1)(a) “*registered medical practitioner*” includes a person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section.
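Review bot: in paragraph (d) of the “social work professional” definition, the link in the first version points at https://www.legislation.gov.uk/nia/2009/1, which does not match the 2001 Act named in the text and is the same address this page uses for the Health and Social Care (Reform) Act (Northern Ireland) 2009. The second version of (a) to (d) drops every link instead of fixing that one. Suggest correcting the target for (d) and keeping the citations linked, since the plain-text form leaves no route from the definition to the cited instruments.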
@@ -5986,11 +5986,11 @@
- (o) the managers of a State Hospital provided under section 102 of the National Health Service (Scotland) Act 1978;
- (p) the Regional Health and Social Care Board established under section 7 of the [Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I))](https://www.legislation.gov.uk/nia/2009/1);
- (q) a special health and social care agency established under the Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990 ([S.I. 1990/247 (N.I. 3)](https://www.legislation.gov.uk/nisi/1990/247));
- (r) a Health and Social Care trust established under Article 10 of the Health and Personal Social Services (Northern Ireland) Order 1991 ([S.I. 1991/194 (N.I. 1)](https://www.legislation.gov.uk/nisi/1991/194)).
- (p) the Regional Health and Social Care Board established under section 7 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I));
- (q) a special health and social care agency established under the Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990 (S.I. 1990/247 (N.I. 3));
- (r) a Health and Social Care trust established under Article 10 of the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1)).
#### General interpretation
@@ -6002,17 +6002,17 @@
- “*data concerning health*” means personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status;
- “*enactment*” includes— an enactment passed or made after this Act, an enactment comprised in subordinate legislation, an enactment comprised in, or in an instrument made under, a Measure or Act of the National Assembly for Wales, an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament, and an enactment comprised in, or in an instrument made under, Northern Ireland legislation;
- “*enactment*” includes—an enactment passed or made after this Act,an enactment comprised in subordinate legislation,an enactment comprised in, or in an instrument made under, a Measure or Act of the National Assembly for Wales,an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament, andan enactment comprised in, or in an instrument made under, Northern Ireland legislation;
- “*genetic data*” means personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual and which results, in particular, from an analysis of a biological sample from the individual in question;
- “*government department*” includes the following (except in the expression “*United Kingdom government department*”)— a part of the Scottish Administration; a Northern Ireland department; the Welsh Government; a body or authority exercising statutory functions on behalf of the Crown;
- “*health record*” means a record which— consists of data concerning health, and has been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates;
- “*government department*” includes �??the following (except in the expression “*United Kingdom government department*”)—a part of the Scottish Administration;a Northern Ireland department;the Welsh Government;a body or authority exercising statutory functions on behalf of the Crown;
- “*health record*” means a record which—consists of data concerning health, andhas been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates;
- “*inaccurate*”, in relation to personal data, means incorrect or misleading as to any matter of fact;
- “*international obligation of the United Kingdom*” includes— an EU obligation, and an obligation that arises under an international agreement or arrangement to which the United Kingdom is a party;
- “*international obligation of the United Kingdom*” includes—an EU obligation, andan obligation that arises under an international agreement or arrangement to which the United Kingdom is a party;
- “*international organisation*” means an organisation and its subordinate bodies governed by international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
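Review bot: the second version of the “government department” definition carries a stray replacement-character sequence after “includes”, and the second versions of “enactment”, “health record” and “international obligation of the United Kingdom” fuse their sub-items (“andan enactment”, “andhas been made”, “andan obligation”). Suggest removing the stray bytes and restoring the separators between sub-items so that each limb of a definition can be read on its own.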
@@ -6024,7 +6024,7 @@
- “*tribunal*” means any tribunal in which legal proceedings may be brought;
- “*the Tribunal*”, in relation to an application or appeal under this Act, means— the Upper Tribunal, in any case where it is determined by or under Tribunal Procedure Rules that the Upper Tribunal is to hear the application or appeal, or the First-tier Tribunal, in any other case.
- “*the Tribunal*”, in relation to an application or appeal under this Act, means—the Upper Tribunal, in any case where it is determined by or under Tribunal Procedure Rules that the Upper Tribunal is to hear the application or appeal, orthe First-tier Tribunal, in any other case.
- (2) References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—
@@ -6064,64 +6064,6 @@
The Table below lists provisions which define or otherwise explain terms defined for this Act, for a Part of this Act or for Chapter 2 or 3 of Part 2 of this Act.
| the affirmative resolution procedure | section 182 |
| --- | --- |
| the applied Chapter 2 (in Chapter 3 of Part 2) | section 22 |
| the applied GDPR | section 3 |
| assessment notice (in Part 6) | section 181 |
| biometric data | section 205 |
| certification provider (in Part 6) | section 181 |
| the Commissioner | section 3 |
| competent authority (in Part 3) | section 30 |
| consent (in Part 4) | section 84 |
| controller | section 3 |
| data concerning health | section 205 |
| the Data Protection Convention | section 3 |
| the data protection legislation | section 3 |
| data subject | section 3 |
| employee (in Parts 3 and 4) | sections 33 and 84 |
| enactment | section 205 |
| enforcement notice (in Part 6) | section 181 |
| filing system | section 3 |
| FOI public authority (in Chapter 3 of Part 2) | section 21 |
| the GDPR | section 3 |
| genetic data | section 205 |
| government department | section 205 |
| health professional | section 204 |
| health record | section 205 |
| identifiable living individual | section 3 |
| inaccurate | section 205 |
| information notice (in Part 6) | section 181 |
| intelligence service (in Part 4) | section 82 |
| international obligation of the United Kingdom | section 205 |
| international organisation | section 205 |
| the Law Enforcement Directive | section 3 |
| the law enforcement purposes (in Part 3) | section 31 |
| the made affirmative resolution procedure | section 182 |
| Minister of the Crown | section 205 |
| the negative resolution procedure | section 182 |
| penalty notice (in Part 6) | section 181 |
| penalty variation notice (in Part 6) | section 181 |
| personal data | section 3 |
| personal data breach (in Parts 3 and 4) | sections 33 and 84 |
| processing | section 3 |
| processor | section 3 |
| profiling (in Part 3) | section 33 |
| public authority (in the GDPR and Part 2) | section 7 |
| public body (in the GDPR and Part 2) | section 7 |
| publish | section 205 |
| recipient (in Parts 3 and 4) | sections 33 and 84 |
| representative (in Part 6) | section 181 |
| representative body (in relation to a right of a data subject) | section 187 |
| restriction of processing (in Parts 3 and 4) | sections 33 and 84 |
| social work professional | section 204 |
| the special purposes (in Part 6) | section 174 |
| special purposes proceedings (in Part 6) | section 174 |
| subordinate legislation | section 205 |
| third country (in Part 3) | section 33 |
| tribunal | section 205 |
| the Tribunal | section 205 |
### Territorial application
#### Territorial application of this Act
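Review bot: the header takes this region from 64 lines to 6, which accounts for the whole index of defined expressions, while the sentence “The Table below lists provisions which define or otherwise explain terms ...” appears to stay as context and would then point at nothing. Suggest either keeping the table or removing the introductory sentence with it. Dropping the index also loses the only mapping in this hunk from terms such as “personal data breach (in Parts 3 and 4)” to sections 33 and 84.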
@@ -6142,7 +6084,7 @@
- (i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
- (ii) the monitoring of data subjects’ behaviour in the United Kingdom.
- (ii) the monitoring of data subjects' behaviour in the United Kingdom.
- (4) Subsections (1) to (3) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.
@@ -6480,12 +6422,12 @@
- (2) In sub-paragraph (1), “*specified*” means specified in the following table—
| Category of personal data | Groups of people (in relation to a category of personal data) |
| *Category of personal data* | *Groups of people (in relation to a category of personal data)* |
| --- | --- |
| Personal data revealing racial or ethnic origin | People of different racial or ethnic origins |
| Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs |
| Data concerning health | People with different states of physical or mental health |
| Personal data concerning an individual’s sexual orientation | People of different sexual orientation |
| Personal data concerning an individual's sexual orientation | People of different sexual orientation |
- (3) Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.
@@ -6539,7 +6481,7 @@
- (6) In this paragraph, “*senior manager*”, in relation to an organisation, means a person who plays a significant role in—
- (a) the making of decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised, or
- (a) the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or
- (b) the actual managing or organising of the whole or a substantial part of those activities.
@@ -6607,7 +6549,7 @@
- “*act*” includes a failure to act;
- “*regulatory requirement*” means— a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
- “*regulatory requirement*” means—a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, ora requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
#### Journalism etc in connection with unlawful acts and dishonesty etc
@@ -6643,7 +6585,7 @@
- “*act*” includes a failure to act;
- “*the special purposes*” means— the purposes of journalism; academic purposes; artistic purposes; literary purposes.
- “*the special purposes*” means—the purposes of journalism;academic purposes;artistic purposes;literary purposes.
#### Preventing fraud
@@ -6701,7 +6643,7 @@
- (c) data concerning health;
- (d) personal data concerning an individual’s sex life or sexual orientation.
- (d) personal data concerning an individual's sex life or sexual orientation.
- (3) An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—
@@ -6717,7 +6659,7 @@
- (5) In this paragraph—
- “*carer*” means an individual who provides or intends to provide care for another individual other than— under or by virtue of a contract, or as voluntary work;
- “*carer*” means an individual who provides or intends to provide care for another individual other than—under or by virtue of a contract, oras voluntary work;
- “*disability*” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).
@@ -6843,7 +6785,7 @@
- “*insurance contract*” means a contract of general insurance or long-term insurance;
- “*insurance purpose*” means— advising on, arranging, underwriting or administering an insurance contract, administering a claim under an insurance contract, or exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.
- “*insurance purpose*” means—advising on, arranging, underwriting or administering an insurance contract,administering a claim under an insurance contract, orexercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.
- (6) The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
@@ -6887,7 +6829,7 @@
- (b) is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and
- (c) is necessary for the purposes of the person’s or organisation’s political activities,
- (c) is necessary for the purposes of the person's or organisation's political activities,
subject to the exceptions in sub-paragraphs (2) and (3).
@@ -6913,7 +6855,7 @@
- (i) by an elected representative or a person acting with the authority of such a representative,
- (ii) in connection with the discharge of the elected representative’s functions, and
- (ii) in connection with the discharge of the elected representative's functions, and
- (iii) in response to a request by an individual that the elected representative take action on behalf of the individual, and
@@ -6963,7 +6905,7 @@
- (k) an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
- (l) an elected member of a district council within the meaning of the [Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.))](https://www.legislation.gov.uk/apni/1972/9);
- (l) an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));
- (m) a police and crime commissioner.
@@ -7021,7 +6963,7 @@
- (b) the member is under an obligation not to further disclose the personal data.
- (2) The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner’s release.
- (2) The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.
- (3) In this paragraph—
@@ -7143,13 +7085,13 @@
- (a) section 1 of the Protection of Children Act 1978 (indecent photographs of children),
- (b) Article 3 of the Protection of Children (Northern Ireland) Order 1978 ([S.I. 1978/1047 (N.I. 17)](https://www.legislation.gov.uk/nisi/1978/1047)) (indecent photographs of children),
- (b) Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),
- (c) section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),
- (d) section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),
- (e) Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 ([S.I. 1988/1847 (N.I. 17)](https://www.legislation.gov.uk/nisi/1988/1847)) (possession of indecent photograph of child), or
- (e) Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or
- (f) section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),
@@ -7161,7 +7103,7 @@
- “*caution*” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
- “*conviction*” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 ([S.I. 1978/1908 (N.I. 27)](https://www.legislation.gov.uk/nisi/1978/1908));
- “*conviction*” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));
- “*payment card*” includes a credit card, a charge card and a debit card.
@@ -7197,9 +7139,9 @@
The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—
- (a) explains the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
- (b) explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.
- (a) explains the controller's procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
- (b) explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.
#### Additional safeguard: retention of appropriate policy document
@@ -7223,7 +7165,7 @@
##### 41
A record maintained by the controller, or the controller’s representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—
A record maintained by the controller, or the controller's representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—
- (a) which condition is relied on,
@@ -7433,15 +7375,6 @@
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
| Description of function design | Condition |
| --- | --- |
| 1. The function is designed to protect members of the public against— financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or financial loss due to the conduct of discharged or undischarged bankrupts. | The function is— conferred on a person by an enactment, a function of the Crown, a Minister of the Crown or a government department, or of a public nature, and is exercised in the public interest. |
| 2. The function is designed to protect members of the public against— dishonesty, malpractice or other seriously improper conduct, or unfitness or incompetence. | The function is— conferred on a person by an enactment, a function of the Crown, a Minister of the Crown or a government department, or of a public nature, and is exercised in the public interest. |
| 3. The function is designed— to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration, to protect the property of charities or community interest companies from loss or misapplication, or to recover the property of charities or community interest companies. | The function is— conferred on a person by an enactment, a function of the Crown, a Minister of the Crown or a government department, or of a public nature, and is exercised in the public interest. |
| 4. The function is designed— to secure the health, safety and welfare of persons at work, or to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work. | The function is— conferred on a person by an enactment, a function of the Crown, a Minister of the Crown or a government department, or of a public nature, and is exercised in the public interest. |
| 5. The function is designed to protect members of the public against— maladministration by public bodies, failures in services provided by public bodies, or a failure of a public body to provide a service which it is a function of the body to provide. | The function is conferred by any enactment on— the Parliamentary Commissioner for Administration, the Commissioner for Local Administration in England, the Health Service Commissioner for England, the Public Services Ombudsman for Wales, the Northern Ireland Public Services Ombudsman, the Prison Ombudsman for Northern Ireland, or the Scottish Public Services Ombudsman. |
| 6. The function is designed— to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business, to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market. | The function is conferred on the Competition and Markets Authority by an enactment. |
#### Audit functions
##### 8
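Review bot: the six-row table of function designs and conditions is the only content in this hunk large enough to account for the drop from 15 lines to 6, and what is left is the tail “to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function” with no statement of which functions are meant. Suggest retaining the rows, as a list if the table layout is the problem, so that conditions such as “conferred on the Competition and Markets Authority by an enactment” remain stated.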
@@ -7494,7 +7427,7 @@
- (iv) Part 2A of the Public Services Ombudsman (Wales) Act 2005;
- (d) the function of considering a complaint or representations under Chapter 1 of Part 10 of the [Social Services and Well-being (Wales) Act 2014 (anaw 4)](https://www.legislation.gov.uk/anaw/2014/4).
- (d) the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).
#### Regulatory functions of certain other persons
@@ -7508,23 +7441,6 @@
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
| Person on whom function is conferred | How function is conferred |
| --- | --- |
| 1. The Commissioner. | By or under— the data protection legislation; the Freedom of Information Act 2000; section 244 of the Investigatory Powers Act 2016; the Privacy and Electronic Communications (EC Directive) Regulations 2003 ([S.I. 2003/2426](https://www.legislation.gov.uk/uksi/2003/2426)); the Environmental Information Regulations 2004 ([S.I. 2004/3391](https://www.legislation.gov.uk/uksi/2004/3391)); the INSPIRE Regulations 2009 ([S.I. 2009/3157](https://www.legislation.gov.uk/uksi/2009/3157)); Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive [1999/93/EC](https://www.legislation.gov.uk/european/directive/1999/0093); the Re-use of Public Sector Information Regulations 2015 ([S.I. 2015/1415](https://www.legislation.gov.uk/uksi/2015/1415)); the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 ([S.I. 2016/696](https://www.legislation.gov.uk/uksi/2016/696)). |
| 2. The Scottish Information Commissioner. | By or under— the Freedom of Information (Scotland) Act [2002 (asp 13)](https://www.legislation.gov.uk/asp/2002/13); the Environmental Information (Scotland) Regulations 2004 ([S.S.I. 2004/520](https://www.legislation.gov.uk/ssi/2004/520)); the INSPIRE (Scotland) Regulations 2009 ([S.S.I. 2009/440](https://www.legislation.gov.uk/ssi/2009/440)). |
| 3. The Pensions Ombudsman. | By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland. |
| 4. The Board of the Pension Protection Fund. | By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
| 5. The Ombudsman for the Board of the Pension Protection Fund. | By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
| 6. The Pensions Regulator. | By an enactment. |
| 7. The Financial Conduct Authority. | By or under the Financial Services and Markets Act 2000 or by another enactment. |
| 8. The Financial Ombudsman. | By or under Part 16 of the Financial Services and Markets Act 2000. |
| 9. The investigator of complaints against the financial regulators. | By or under Part 6 of the Financial Services Act 2012. |
| 10. A consumer protection enforcer, other than the Competition and Markets Authority. | By or under the CPC Regulation. |
| 11. The monitoring officer of a relevant authority. | By or under the Local Government and Housing Act 1989. |
| 12. The monitoring officer of a relevant Welsh authority. | By or under the Local Government Act 2000. |
| 13. The Public Services Ombudsman for Wales. | By or under the Local Government Act 2000. |
| 14. The Charity Commission. | By or under— the Charities Act 1992; the Charities Act 2006; the Charities Act 2011. |
##### 12
In the Table in paragraph 11—
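Review bot: the table of persons and conferring enactments goes from 23 lines to 6 here, yet “In the Table in paragraph 11—” still follows it, so paragraph 12 would interpret a table that is no longer present. Suggest keeping the 14 rows (the Commissioner through the Charity Commission), since they are the operative list of who the provision applies to, or rewording paragraph 12 if the table is moved elsewhere.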
@@ -7551,7 +7467,7 @@
##### 14
- (1) The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel.
- (1) The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for judicial office or the office of Queen's Counsel.
- (2) The listed GDPR provisions do not apply to personal data processed by—
@@ -7567,7 +7483,7 @@
- (1) The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
- (2) The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for any of the following offices—
- (2) The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for any of the following offices—
- (a) archbishops and diocesan and suffragan bishops in the Church of England;
@@ -7603,7 +7519,7 @@
- (1) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.
- (2) Sub-paragraph (1) does not remove the controller’s obligation where—
- (2) Sub-paragraph (1) does not remove the controller's obligation where—
- (a) the other individual has consented to the disclosure of the information to the data subject, or
@@ -7653,7 +7569,7 @@
- (a) the other individual is—
- (i) a children’s court officer,
- (i) a children's court officer,
- (ii) a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or
@@ -7677,7 +7593,7 @@
- (5) In this paragraph—
- “*children’s court officer*” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;
- “*children's court officer*” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;
- “*education-related worker*” means a person referred to in paragraph 14(4)(a) or (b) or 16(4)(a), (b) or (c) of Schedule 3 (educational records);
@@ -7723,7 +7639,7 @@
- (c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 ([S.I. 1979/1714 (N.I. 19)](https://www.legislation.gov.uk/nisi/1979/1714)) (false statutory declarations and other false unsworn statements).
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
- (3) Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act.
@@ -7747,13 +7663,13 @@
- (4) In this paragraph—
- “*corporate finance service*” means a service consisting in— underwriting in respect of issues of, or the placing of issues of, any instrument, services relating to such underwriting, or advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;
- “*corporate finance service*” means a service consisting in—underwriting in respect of issues of, or the placing of issues of, any instrument,services relating to such underwriting, oradvice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;
- “*instrument*” means an instrument listed in section C of Annex 1 to Directive [2004/39/EC](https://www.legislation.gov.uk/european/directive/2004/0039) of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, and references to an instrument include an instrument not yet in existence but which is to be or may be created;
- “*price*” includes value;
- “*relevant person*” means— a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition; an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service; a person who is exempt from the general prohibition in respect of any corporate finance service— as a result of an exemption order made under section 38(1) of that Act, or by reason of section 39(1) of that Act (appointed representatives); a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition; a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”; a partner who provides to other partners in the partnership a service falling within either of those paragraphs.
- “*relevant person*” means—a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition;an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;a person who is exempt from the general prohibition in respect of any corporate finance service—as a result of an exemption order made under section 38(1) of that Act, orby reason of section 39(1) of that Act (appointed representatives);a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition;a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”;a partner who provides to other partners in the partnership a service falling within either of those paragraphs.
- (5) In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.
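Review bot: The replacement definitions of "corporate finance service" and "relevant person" in sub-paragraph (4) lose the boundaries between their sub-items. The new text reads "any instrument,services relating to such underwriting, oradvice to undertakings" and "section 38(1) of that Act, orby reason of section 39(1)". The "relevant person" definition also points to "paragraph (a), (b) or (c)" and to "paragraph (b) or (c)" of the corporate finance service definition, but neither version of the line carries those letters, so the cross-references cannot be resolved from this text. Suggest restoring the separators and putting each sub-item on its own lettered line.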
@@ -7803,7 +7719,7 @@
- (b) if earlier, before the end of the period of 40 days beginning with the announcement of the results.
- (4) In this paragraph, “*exam*” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity.
- (4) In this paragraph, “*exam*” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity.
- (5) For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.
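Review bot: In sub-paragraph (4) the apostrophe in "candidate's" is changed to a straight one while the curly double quotes around the defined term *exam* on the same line are kept, so the line now mixes two quoting conventions. Suggest normalising both kinds of quotation mark together or leaving both as they were.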
@@ -7841,7 +7757,7 @@
- (b) Ofcom Broadcasting Code;
- (c) Editors’ Code of Practice.
- (c) Editors' Code of Practice.
- (7) The Secretary of State may by regulations amend the list in sub-paragraph (6).
@@ -7857,7 +7773,7 @@
- (iii) Article 7 (conditions for consent);
- (iv) Article 8(1) and (2) (child’s consent);
- (iv) Article 8(1) and (2) (child's consent);
- (v) Article 9 (processing of special categories of data);
@@ -7989,7 +7905,7 @@
- (1) In this Part of this Schedule—
- “*the appropriate health professional*”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means— the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates, where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or a health professional who has the necessary experience and qualifications to provide an opinion on the question, where— there is no health professional available falling within paragraph (a) or (b), or the controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State’s functions in relation to social security or war pensions, or the controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the [Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13))](https://www.legislation.gov.uk/nisi/1991/2702);
- “*the appropriate health professional*”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means—the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates,where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, ora health professional who has the necessary experience and qualifications to provide an opinion on the question, where—there is no health professional available falling within paragraph (a) or (b), orthe controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State's functions in relation to social security or war pensions, orthe controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13));
- “*war pension*” has the same meaning as in section 25 of the Social Security Act 1989 (establishment and functions of war pensions committees).
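Review bot: The replacement definition of "the appropriate health professional" runs its sub-items together: "to which the data relates,where there is more than one", "on the question, ora health professional" and "war pensions, orthe controller". It also refers to "paragraph (a) or (b)" although no letters appear in either version of the line. Suggest restoring the breaks and the (a), (b), (c) lettering. Separately, the removed link wrapped both Child Support (Northern Ireland) Orders in a single URL ending nisi/1991/2702, which matches neither S.I. 1991/2628 nor S.I. 1995/2702 as cited, so if links are reinstated each Order needs its own.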
@@ -8009,21 +7925,21 @@
- (2) Those rules are—
- (a) the [Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221)](https://www.legislation.gov.uk/nisr/1969/221);
- (b) the [Magistrates’ Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17))](https://www.legislation.gov.uk/uksi/1992/2071);
- (c) the [Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322)](https://www.legislation.gov.uk/nisr/1996/322);
- (d) the [Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323)](https://www.legislation.gov.uk/nisr/1996/323);
- (e) the [Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19))](https://www.legislation.gov.uk/uksi/1997/291);
- (a) the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
- (b) the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
- (c) the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
- (d) the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
- (e) the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
- (f) the Sheriff Court Adoption Rules 2009;
- (g) the [Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17))](https://www.legislation.gov.uk/uksi/2010/2955);
- (h) the [Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194)](https://www.legislation.gov.uk/ssi/2013/194).
- (g) the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
- (h) the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
#### Exemption from the listed GDPR provisions: data subject’s expectations and wishes
@@ -8089,11 +8005,11 @@
- “*education data*” has the meaning given by paragraph 17 of this Schedule;
- “*Health and Social Care trust*” means a Health and Social Care trust established under the [Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1))](https://www.legislation.gov.uk/nisi/1991/194);
- “*Principal Reporter*” means the Principal Reporter appointed under the [Children’s Hearings (Scotland) Act 2011 (asp 1)](https://www.legislation.gov.uk/asp/2011/1), or an officer of the Scottish Children’s Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
- “*social work data*” means personal data which— is data to which paragraph 8 applies, but is not education data or data concerning health.
- “*Health and Social Care trust*” means a Health and Social Care trust established under the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1));
- “*Principal Reporter*” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
- “*social work data*” means personal data which—is data to which paragraph 8 applies, butis not education data or data concerning health.
- (2) For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to social work data if the application of Article 15 of the GDPR to the data would be likely to prejudice carrying out social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
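Review bot: The replacement definition of "social work data" joins its two conditions into "is data to which paragraph 8 applies, butis not education data or data concerning health", so the conjunction is fused to the second limb. Suggest restoring the space after "but", or setting the two limbs out as separate sub-items.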
@@ -8113,19 +8029,19 @@
- (a) data processed by a local authority—
- (i) in connection with its social services functions (within the meaning of the Local Authority Social Services Act 1970 or the [Social Services and Well-being (Wales) Act 2014 (anaw 4)](https://www.legislation.gov.uk/anaw/2014/4)) or any functions exercised by local authorities under the Social Work (Scotland) Act 1968 or referred to in section 5(1B) of that Act, or
- (i) in connection with its social services functions (within the meaning of the Local Authority Social Services Act 1970 or the Social Services and Well-being (Wales) Act 2014 (anaw 4)) or any functions exercised by local authorities under the Social Work (Scotland) Act 1968 or referred to in section 5(1B) of that Act, or
- (ii) in the exercise of other functions but obtained or consisting of information obtained in connection with any of the functions mentioned in sub-paragraph (i);
- (b) data processed by the Regional Health and Social Care Board—
- (i) in connection with the provision of social care within the meaning of section 2(5) of the [Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))](https://www.legislation.gov.uk/nia/2009/1), or
- (i) in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)), or
- (ii) in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;
- (c) data processed by a Health and Social Care trust—
- (i) in connection with the provision of social care within the meaning of section 2(5) of the [Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))](https://www.legislation.gov.uk/nia/2009/1) on behalf of the Regional Health and Social Care Board by virtue of an authorisation made under Article 3(1) of the [Health and Personal Social Services (Northern Ireland) Order 1994 (S.I. 1994/429 (N.I. 2))](https://www.legislation.gov.uk/nisi/1994/429), or
- (i) in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)) on behalf of the Regional Health and Social Care Board by virtue of an authorisation made under Article 3(1) of the Health and Personal Social Services (Northern Ireland) Order 1994 (S.I. 1994/429 (N.I. 2)), or
- (ii) in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;
@@ -8135,17 +8051,17 @@
- (i) a probation trust established under section 5 of the Offender Management Act 2007, or
- (ii) the Probation Board for Northern Ireland established by the [Probation Board (Northern Ireland) Order 1982 (S.I. 1982/713 (N.I. 10))](https://www.legislation.gov.uk/nisi/1982/713);
- (ii) the Probation Board for Northern Ireland established by the Probation Board (Northern Ireland) Order 1982 (S.I. 1982/713 (N.I. 10));
- (f) data processed by a local authority in the exercise of its functions under section 36 of the Children Act 1989 or Chapter 2 of Part 6 of the Education Act 1996, so far as those functions relate to ensuring that children of compulsory school age (within the meaning of section 8 of the Education Act 1996) receive suitable education whether by attendance at school or otherwise;
- (g) data processed by the Education Authority in the exercise of its functions under Article 55 of the [Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2))](https://www.legislation.gov.uk/nisi/1995/755) or Article 45 of, and Schedule 13 to, the [Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3))](https://www.legislation.gov.uk/nisi/1986/594), so far as those functions relate to ensuring that children of compulsory school age (within the meaning of Article 46 of the Education and Libraries (Northern Ireland) Order 1986) receive efficient full-time education suitable to their age, ability and aptitude and to any special educational needs they may have, either by regular attendance at school or otherwise;
- (g) data processed by the Education Authority in the exercise of its functions under Article 55 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 45 of, and Schedule 13 to, the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)), so far as those functions relate to ensuring that children of compulsory school age (within the meaning of Article 46 of the Education and Libraries (Northern Ireland) Order 1986) receive efficient full-time education suitable to their age, ability and aptitude and to any special educational needs they may have, either by regular attendance at school or otherwise;
- (h) data processed by an education authority in the exercise of its functions under sections 35 to 42 of the Education (Scotland) Act 1980 so far as those functions relate to ensuring that children of school age (within the meaning of section 31 of the Education (Scotland) Act 1980) receive efficient education suitable to their age, ability and aptitude, whether by attendance at school or otherwise;
- (i) data relating to persons detained in a hospital at which high security psychiatric services are provided under section 4 of the National Health Service Act 2006 and processed by a Special Health Authority established under section 28 of that Act in the exercise of any functions similar to any social services functions of a local authority;
- (j) data relating to persons detained in special accommodation provided under Article 110 of the [Mental Health (Northern Ireland) Order 1986 (S.I. 1986/595 (N.I. 4))](https://www.legislation.gov.uk/nisi/1986/595) and processed by a Health and Social Care trust in the exercise of any functions similar to any social services functions of a local authority;
- (j) data relating to persons detained in special accommodation provided under Article 110 of the Mental Health (Northern Ireland) Order 1986 (S.I. 1986/595 (N.I. 4)) and processed by a Health and Social Care trust in the exercise of any functions similar to any social services functions of a local authority;
- (k) data which—
@@ -8173,15 +8089,15 @@
- (q) data processed by—
- (i) a children’s guardian appointed under Part 16 of the [Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17))](https://www.legislation.gov.uk/uksi/2010/2955),
- (ii) a guardian ad litem appointed under Article 60 of the [Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2))](https://www.legislation.gov.uk/nisi/1995/755) or Article 66 of the [Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22))](https://www.legislation.gov.uk/nisi/1987/2203), or
- (iii) a safeguarder appointed under section 30(2) or 31(3) of the [Children’s Hearings (Scotland) Act 2011 (asp 1)](https://www.legislation.gov.uk/asp/2011/1);
- (i) a children's guardian appointed under Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)),
- (ii) a guardian ad litem appointed under Article 60 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 66 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), or
- (iii) a safeguarder appointed under section 30(2) or 31(3) of the Children's Hearings (Scotland) Act 2011 (asp 1);
- (r) data processed by the Principal Reporter;
- (s) data processed by an officer of the Children and Family Court Advisory and Support Service for the purpose of the officer’s functions under section 7 of the Children Act 1989 or Part 16 of the [Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17))](https://www.legislation.gov.uk/uksi/2010/2955);
- (s) data processed by an officer of the Children and Family Court Advisory and Support Service for the purpose of the officer's functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
- (t) data processed by the Welsh family proceedings officer for the purposes of the functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010;
@@ -8223,21 +8139,21 @@
- (2) Those rules are—
- (a) the [Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221)](https://www.legislation.gov.uk/nisr/1969/221);
- (b) the [Magistrates’ Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17))](https://www.legislation.gov.uk/uksi/1992/2071);
- (c) the [Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322)](https://www.legislation.gov.uk/nisr/1996/322);
- (d) the [Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323)](https://www.legislation.gov.uk/nisr/1996/323);
- (e) the [Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19))](https://www.legislation.gov.uk/uksi/1997/291);
- (a) the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
- (b) the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
- (c) the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
- (d) the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
- (e) the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
- (f) the Sheriff Court Adoption Rules 2009;
- (g) the [Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17))](https://www.legislation.gov.uk/uksi/2010/2955);
- (h) the [Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194)](https://www.legislation.gov.uk/ssi/2013/194).
- (g) the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
- (h) the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
#### Exemption from the listed GDPR provisions: data subject’s expectations and wishes
@@ -8277,7 +8193,7 @@
- (b) the data—
- (i) originated from or was supplied by the Principal Reporter acting in pursuance of the Principal Reporter’s statutory duties, and
- (i) originated from or was supplied by the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and
- (ii) is not data which the data subject is entitled to receive from the Principal Reporter.
@@ -8305,7 +8221,7 @@
- (c) originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
- (2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.
- (2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
- (3) The schools referred to in sub-paragraph (1)(a) are—
@@ -8359,7 +8275,7 @@
- (b) for the purpose of the relevant function of the authority.
- (2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.
- (2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
- (3) For the purposes of this paragraph, information processed by an education authority is processed for the purpose of the relevant function of the authority if the processing relates to the discharge of that function in respect of a person—
@@ -8379,7 +8295,7 @@
- (c) originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
- (2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.
- (2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.
- (3) The schools referred to in sub-paragraph (1)(a) are—
@@ -8397,9 +8313,9 @@
- (d) the pupil to whom the record relates;
- (e) a parent, as defined by Article 2(2) of the [Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3))](https://www.legislation.gov.uk/nisi/1986/594).
- (5) In this paragraph, “*grant-aided school*”, “*independent school*”, “*proprietor*” and “*trustees*” have the same meaning as in the [Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3))](https://www.legislation.gov.uk/nisi/1986/594).
- (e) a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).
- (5) In this paragraph, “*grant-aided school*”, “*independent school*”, “*proprietor*” and “*trustees*” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).
#### Other definitions
@@ -8409,15 +8325,15 @@
- “*education authority*” and “*further education*” have the same meaning as in the Education (Scotland) Act 1980;
- “*education data*” means personal data consisting of information which— constitutes an educational record, but is not data concerning health;
- “*Principal Reporter*” means the Principal Reporter appointed under the [Children’s Hearings (Scotland) Act 2011 (asp 1)](https://www.legislation.gov.uk/asp/2011/1), or an officer of the Scottish Children’s Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
- “*pupil*” means— in relation to a school in England and Wales, a registered pupil within the meaning of the Education Act 1996, in relation to a school in Scotland, a pupil within the meaning of the Education (Scotland) Act 1980, and in relation to a school in Northern Ireland, a registered pupil within the meaning of the [Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3))](https://www.legislation.gov.uk/nisi/1986/594);
- “school”— in relation to England and Wales, has the same meaning as in the Education Act 1996, in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;
- “*teacher*” includes— in Great Britain, head teacher, and in Northern Ireland, the principal of a school.
- “*education data*” means personal data consisting of information which—constitutes an educational record, butis not data concerning health;
- “*Principal Reporter*” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;
- “*pupil*” means—in relation to a school in England and Wales, a registered pupil within the meaning of the Education Act 1996,in relation to a school in Scotland, a pupil within the meaning of the Education (Scotland) Act 1980, andin relation to a school in Northern Ireland, a registered pupil within the meaning of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3));
- “school”—in relation to England and Wales, has the same meaning as in the Education Act 1996,in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, andin relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;
- “*teacher*” includes—in Great Britain, head teacher, andin Northern Ireland, the principal of a school.
- (2) For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to education data if the application of Article 15 of the GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
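Review bot: The replacement definitions of "education data", "pupil", "school" and "teacher" fuse the conjunction to the following limb ("butis not data concerning health", "andin relation to a school in Northern Ireland", "andin Northern Ireland"), and the first limb follows the dash with no space. Suggest restoring the separators or listing the limbs on their own lines. In both versions "school" is also the only defined term in this list without the italic markers the other terms carry; worth aligning while this list is being touched.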
@@ -8435,21 +8351,21 @@
- (2) Those rules are—
- (a) the [Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221)](https://www.legislation.gov.uk/nisr/1969/221);
- (b) the [Magistrates’ Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17))](https://www.legislation.gov.uk/uksi/1992/2071);
- (c) the [Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322)](https://www.legislation.gov.uk/nisr/1996/322);
- (d) the [Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323)](https://www.legislation.gov.uk/nisr/1996/323);
- (e) the [Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19))](https://www.legislation.gov.uk/uksi/1997/291);
- (a) the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
- (b) the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
- (c) the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
- (d) the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
- (e) the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
- (f) the Sheriff Court Adoption Rules 2009;
- (g) the [Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17))](https://www.legislation.gov.uk/uksi/2010/2955);
- (h) the [Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194)](https://www.legislation.gov.uk/ssi/2013/194).
- (g) the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
- (h) the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
#### Exemption from Article 15 of the GDPR: serious harm
@@ -8467,7 +8383,7 @@
- (b) the controller believes that the data—
- (i) originated from or was supplied by or on behalf of the Principal Reporter acting in pursuance of the Principal Reporter’s statutory duties, and
- (i) originated from or was supplied by or on behalf of the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and
- (ii) is not data which the data subject is entitled to receive from the Principal Reporter.
@@ -8521,39 +8437,39 @@
- (2) The enactments extending to England and Wales are—
- (a) regulation 14 of the [Adoption Agencies Regulations 1983 (S.I. 1983/1964)](https://www.legislation.gov.uk/uksi/1983/1964);
- (b) regulation 41 of the [Adoption Agencies Regulations 2005 (S.I. 2005/389)](https://www.legislation.gov.uk/uksi/2005/389);
- (c) regulation 42 of the [Adoption Agencies (Wales) Regulations 2005 (S.I. 2005/1313 (W. 95))](https://www.legislation.gov.uk/wsi/2005/1313);
- (d) rules 5, 6, 9, 17, 18, 21, 22 and 53 of the [Adoption Rules 1984 (S.I. 1984/265)](https://www.legislation.gov.uk/uksi/1984/265);
- (e) rules 24, 29, 30, 65, 72, 73, 77, 78 and 83 of the [Family Procedure (Adoption) Rules 2005 (S.I. 2005/2795 (L. 22))](https://www.legislation.gov.uk/uksi/2005/2795);
- (f) in the [Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17))](https://www.legislation.gov.uk/uksi/2010/2955), rules 14.6, 14.11, 14.12, 14.13, 14.14, 14.24, 16.20 (so far as it applies to a children’s guardian appointed in proceedings to which Part 14 of those Rules applies), 16.32 and 16.33 (so far as it applies to a children and family reporter in proceedings to which Part 14 of those Rules applies).
- (a) regulation 14 of the Adoption Agencies Regulations 1983 (S.I. 1983/1964);
- (b) regulation 41 of the Adoption Agencies Regulations 2005 (S.I. 2005/389);
- (c) regulation 42 of the Adoption Agencies (Wales) Regulations 2005 (S.I. 2005/1313 (W. 95));
- (d) rules 5, 6, 9, 17, 18, 21, 22 and 53 of the Adoption Rules 1984 (S.I. 1984/265);
- (e) rules 24, 29, 30, 65, 72, 73, 77, 78 and 83 of the Family Procedure (Adoption) Rules 2005 (S.I. 2005/2795 (L. 22));
- (f) in the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)), rules 14.6, 14.11, 14.12, 14.13, 14.14, 14.24, 16.20 (so far as it applies to a children's guardian appointed in proceedings to which Part 14 of those Rules applies), 16.32 and 16.33 (so far as it applies to a children and family reporter in proceedings to which Part 14 of those Rules applies).
- (3) The enactments extending to Scotland are—
- (a) regulation 23 of the [Adoption Agencies (Scotland) Regulations 1996 (S.I. 1996/3266 (S. 254))](https://www.legislation.gov.uk/uksi/1996/3266);
- (b) rule 67.3 of the [Act of Sederunt (Rules of the Court of Session 1994) 1994 (S.I. 1994/1443 (S. 69))](https://www.legislation.gov.uk/uksi/1994/1443);
- (c) rules 10.3, 17.2, 21, 25, 39, 43.3, 46.2 and 47 of the [Act of Sederunt (Sheriff Court Rules Amendment) (Adoption and Children (Scotland) Act 2007) 2009 (S.S.I. 2009/284)](https://www.legislation.gov.uk/ssi/2009/284);
- (d) sections 53 and 55 of the [Adoption and Children (Scotland) Act 2007 (asp 4)](https://www.legislation.gov.uk/asp/2007/4);
- (e) regulation 28 of the [Adoption Agencies (Scotland) Regulations 2009 (S.S.I. 2009/154)](https://www.legislation.gov.uk/ssi/2009/154);
- (f) regulation 3 of the [Adoption (Disclosure of Information and Medical Information about Natural Parents) (Scotland) Regulations 2009 (S.S.I. 2009/268)](https://www.legislation.gov.uk/ssi/2009/268).
- (a) regulation 23 of the Adoption Agencies (Scotland) Regulations 1996 (S.I. 1996/3266 (S. 254));
- (b) rule 67.3 of the Act of Sederunt (Rules of the Court of Session 1994) 1994 (S.I. 1994/1443 (S. 69));
- (c) rules 10.3, 17.2, 21, 25, 39, 43.3, 46.2 and 47 of the Act of Sederunt (Sheriff Court Rules Amendment) (Adoption and Children (Scotland) Act 2007) 2009 (S.S.I. 2009/284);
- (d) sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4);
- (e) regulation 28 of the Adoption Agencies (Scotland) Regulations 2009 (S.S.I. 2009/154);
- (f) regulation 3 of the Adoption (Disclosure of Information and Medical Information about Natural Parents) (Scotland) Regulations 2009 (S.S.I. 2009/268).
- (4) The enactments extending to Northern Ireland are—
- (a) Articles 50 and 54 of the [Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22))](https://www.legislation.gov.uk/nisi/1987/2203);
- (b) rule 53 of Order 84 of the [Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346)](https://www.legislation.gov.uk/nisr/1980/346);
- (c) rules 4A.4(5), 4A.5(1), 4A.6(6), 4A.22(5) and 4C.7 of Part IVA of the [Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322)](https://www.legislation.gov.uk/nisr/1996/322).
- (a) Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22));
- (b) rule 53 of Order 84 of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);
- (c) rules 4A.4(5), 4A.5(1), 4A.6(6), 4A.22(5) and 4C.7 of Part IVA of the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322).
#### Statements of special educational needs
@@ -8563,11 +8479,11 @@
- (2) The enactments are—
- (a) regulation 17 of the [Special Educational Needs and Disability Regulations 2014 (S.I. 2014/1530)](https://www.legislation.gov.uk/uksi/2014/1530);
- (b) regulation 10 of the [Additional Support for Learning (Co-ordinated Support Plan) (Scotland) Amendment Regulations 2005 (S.S.I. 2005/518)](https://www.legislation.gov.uk/ssi/2005/518);
- (c) regulation 22 of the [Education (Special Educational Needs) Regulations (Northern Ireland) 2005 (S.R. (N.I.) 2005 No. 384)](https://www.legislation.gov.uk/nisr/2005/384).
- (a) regulation 17 of the Special Educational Needs and Disability Regulations 2014 (S.I. 2014/1530);
- (b) regulation 10 of the Additional Support for Learning (Co-ordinated Support Plan) (Scotland) Amendment Regulations 2005 (S.S.I. 2005/518);
- (c) regulation 22 of the Education (Special Educational Needs) Regulations (Northern Ireland) 2005 (S.R. (N.I.) 2005 No. 384).
#### Parental order records and reports
@@ -8577,19 +8493,19 @@
- (2) The enactments extending to England and Wales are—
- (a) sections 60, 77, 78 and 79 of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the [Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985)](https://www.legislation.gov.uk/uksi/2010/985) in relation to parental orders made under—
- (a) sections 60, 77, 78 and 79 of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—
- (i) section 30 of the Human Fertilisation and Embryology Act 1990, or
- (ii) section 54 of the Human Fertilisation and Embryology Act 2008;
- (b) rules made under section 144 of the Magistrates’ Courts Act 1980 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010, so far as the rules relate to—
- (b) rules made under section 144 of the Magistrates' Courts Act 1980 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010, so far as the rules relate to—
- (i) the appointment and duties of the parental order reporter, and
- (ii) the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings;
- (c) rules made under section 75 of the Courts Act 2003 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of Schedule 1 to the [Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985)](https://www.legislation.gov.uk/uksi/2010/985), so far as the rules relate to—
- (c) rules made under section 75 of the Courts Act 2003 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985), so far as the rules relate to—
- (i) the appointment and duties of the parental order reporter, and
@@ -8597,27 +8513,27 @@
- (3) The enactments extending to Scotland are—
- (a) sections 53 and 55 of the [Adoption and Children (Scotland) Act 2007 (asp 4)](https://www.legislation.gov.uk/asp/2007/4), as applied with modifications by regulation 4 of and Schedule 3 to the [Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985)](https://www.legislation.gov.uk/uksi/2010/985) in relation to parental orders made under—
- (a) sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4), as applied with modifications by regulation 4 of and Schedule 3 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—
- (i) section 30 of the Human Fertilisation and Embryology Act 1990, or
- (ii) section 54 of the Human Fertilisation and Embryology Act 2008;
- (b) rules 2.47 and 2.59 of the [Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19))](https://www.legislation.gov.uk/uksi/1997/291);
- (b) rules 2.47 and 2.59 of the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
- (c) rules 21 and 25 of the Sheriff Court Adoption Rules 2009.
- (4) The enactments extending to Northern Ireland are—
- (a) Articles 50 and 54 of the [Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22))](https://www.legislation.gov.uk/nisi/1987/2203), as applied with modifications by regulation 3 of and Schedule 2 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 in respect of parental orders made under—
- (a) Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), as applied with modifications by regulation 3 of and Schedule 2 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 in respect of parental orders made under—
- (i) section 30 of the Human Fertilisation and Embryology Act 1990, or
- (ii) section 54 of the Human Fertilisation and Embryology Act 2008;
- (b) rules 4, 5 and 16 of Order 84A of the [Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346)](https://www.legislation.gov.uk/nisr/1980/346);
- (c) rules 3, 4 and 15 of Order 50A of the [County Court Rules (Northern Ireland) 1981 (S.R. (N.I.) 1981 No. 225)](https://www.legislation.gov.uk/nisr/1981/225).
- (b) rules 4, 5 and 16 of Order 84A of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);
- (c) rules 3, 4 and 15 of Order 50A of the County Court Rules (Northern Ireland) 1981 (S.R. (N.I.) 1981 No. 225).
#### Information provided by Principal Reporter for children’s hearing
@@ -8625,9 +8541,9 @@
The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of the following enactments—
- (a) section 178 of the [Children’s Hearings (Scotland) Act 2011 (asp 1)](https://www.legislation.gov.uk/asp/2011/1);
- (b) the [Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194)](https://www.legislation.gov.uk/ssi/2013/194).
- (a) section 178 of the Children's Hearings (Scotland) Act 2011 (asp 1);
- (b) the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
## SCHEDULE 5
@@ -8643,7 +8559,7 @@
- (2) In this Schedule—
- “*accreditation authority*” means— the Commissioner, or the national accreditation body;
- “*accreditation authority*” means—the Commissioner, orthe national accreditation body;
- “*certification provider*” and “*national accreditation body*” have the same meaning as in section 17.
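Review bot: in the definition of “accreditation authority”, the revised line reads "means—the Commissioner, orthe national accreditation body;", so "or" and "the" have fused and the break between the two alternatives is lost. Restore the space (or the sub-item break) so that it reads "the Commissioner, or the national accreditation body", as the earlier line does.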
@@ -8653,7 +8569,7 @@
- (1) The applicant may ask the accreditation authority to review the decision.
- (2) The request must be made in writing before the end of the period of 28 days beginning with the day on which the person receives written notice of the accreditation authority’s decision.
- (2) The request must be made in writing before the end of the period of 28 days beginning with the day on which the person receives written notice of the accreditation authority's decision.
- (3) The request must specify—
@@ -8799,7 +8715,7 @@
- (2) Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule.
- (3) In this paragraph, “*domestic law*” means the law of the United Kingdom, or of a part of the United Kingdom, and includes law in the form of an enactment, an instrument made under Her Majesty’s prerogative or a rule of law.
- (3) In this paragraph, “*domestic law*” means the law of the United Kingdom, or of a part of the United Kingdom, and includes law in the form of an enactment, an instrument made under Her Majesty's prerogative or a rule of law.
#### References to the Union and to Member States
@@ -8851,7 +8767,7 @@
In Article 4 (definitions)—
- (a) in paragraph (7) (meaning of “*controller*”), for “; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” substitute “, subject to section 6 of the 2018 Act (meaning of “*controller*”)”;
- (a) in paragraph (7) (meaning of “controller”), for “; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” substitute “ , subject to section 6 of the 2018 Act (meaning of “controller”) ”;
- (b) after paragraph (7) insert—
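Review bot: in point (a), the revised line pads the substituted text with spaces inside the quotation marks (“ , subject to section 6 of the 2018 Act (meaning of “controller”) ”), which reads as though the spaces were part of the words to be substituted. Keep the quoted text tight against the quotation marks, as in the earlier line. The same padding recurs in the later hunks of this Schedule.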
@@ -8859,17 +8775,17 @@
;
- (c) omit paragraph (16) (meaning of “*main establishment*”);
- (d) omit paragraph (17) (meaning of “*representative*”);
- (e) in paragraph (20) (meaning of “*binding corporate rules*”), for “on the territory of a Member State” substitute “in the United Kingdom”;
- (f) in paragraph (21) (meaning of “*supervisory authority*”)—
- (i) after “a Member State” insert “(other than the United Kingdom)”;
- (ii) for “Article 51” substitute “Article 51 of the GDPR”;
- (c) omit paragraph (16) (meaning of “main establishment”);
- (d) omit paragraph (17) (meaning of “representative”);
- (e) in paragraph (20) (meaning of “binding corporate rules”), for “on the territory of a Member State” substitute “ in the United Kingdom ”;
- (f) in paragraph (21) (meaning of “supervisory authority”)—
- (i) after “a Member State” insert “ (other than the United Kingdom) ”;
- (ii) for “Article 51” substitute “ Article 51 of the GDPR ”;
- (g) after paragraph (21) insert—
@@ -8877,11 +8793,11 @@
;
- (h) omit paragraph (22) (meaning of “*supervisory authority concerned*”);
- (i) omit paragraph (23) (meaning of “*cross-border processing*”);
- (j) omit paragraph (24) (meaning of “*relevant and reasoned objection*”);
- (h) omit paragraph (22) (meaning of “supervisory authority concerned”);
- (i) omit paragraph (23) (meaning of “cross-border processing”);
- (j) omit paragraph (24) (meaning of “relevant and reasoned objection”);
- (k) after paragraph (26) insert—
@@ -8902,11 +8818,11 @@
;
- (c) in paragraph 3, in the second subparagraph, for “The Union or the Member State law shall” substitute “The regulations must”.
- (c) in paragraph 3, in the second subparagraph, for “The Union or the Member State law shall” substitute “ The regulations must ”.
##### 11
In Article 8 (conditions applicable to child’s consent in relation to information society services)—
In Article 8 (conditions applicable to child's consent in relation to information society services)—
- (a) in paragraph 1, for the second subparagraph substitute—
@@ -8914,7 +8830,7 @@
;
- (b) in paragraph 3, for “the general contract law of Member States” substitute “the general law of contract as it operates in domestic law”.
- (b) in paragraph 3, for “the general contract law of Member States” substitute “ the general law of contract as it operates in domestic law ”.
##### 12
@@ -8922,7 +8838,7 @@
- (a) in paragraph 2(a), omit “, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”;
- (b) in paragraph 2(b), for “Union or Member State law” substitute “domestic law (see section 10 of the 2018 Act)”;
- (b) in paragraph 2(b), for “Union or Member State law” substitute “ domestic law (see section 10 of the 2018 Act) ”;
- (c) in paragraph 2, for point (g) substitute—
@@ -8930,9 +8846,9 @@
;
- (d) in paragraph 2(h), for “Union or Member State law” substitute “domestic law (see section 10 of the 2018 Act)”;
- (e) in paragraph 2(i), for “Union or Member State law” insert “domestic law (see section 10 of the 2018 Act);”;
- (d) in paragraph 2(h), for “Union or Member State law” substitute “ domestic law (see section 10 of the 2018 Act) ”;
- (e) in paragraph 2(i), for “Union or Member State law” insert “ domestic law (see section 10 of the 2018 Act); ”;
- (f) in paragraph 2, for point (j) substitute—
@@ -8940,13 +8856,13 @@
;
- (g) in paragraph 3, for “national competent bodies”, in both places, substitute “a national competent body of the United Kingdom”;
- (g) in paragraph 3, for “national competent bodies”, in both places, substitute “ a national competent body of the United Kingdom ”;
- (h) omit paragraph 4.
##### 13
In Article 10 (processing of personal data relating to criminal convictions and offences), in the first sentence, for “Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” substitute “domestic law (see section 10 of the 2018 Act)”.
In Article 10 (processing of personal data relating to criminal convictions and offences), in the first sentence, for “Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” substitute “ domestic law (see section 10 of the 2018 Act) ”.
#### Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)
@@ -8960,9 +8876,9 @@
In Article 13 (personal data collected from data subject: information to be provided), in paragraph 1—
- (a) in point (a), omit “and, where applicable, of the controller’s representative”;
- (b) in point (f), after “the Commission” insert “pursuant to Article 45(3) of the GDPR”.
- (a) in point (a), omit “and, where applicable, of the controller's representative”;
- (b) in point (f), after “the Commission” insert “ pursuant to Article 45(3) of the GDPR ”.
##### 16
@@ -8970,11 +8886,11 @@
- (a) in paragraph 1—
- (i) in point (a), omit “and, where applicable, of the controller’s representative”;
- (ii) in point (f), after “the Commission” insert “pursuant to Article 45(3) of the GDPR”;
- (b) in paragraph 5(c), for “Union or Member State law to which the controller is subject” substitute “a rule of domestic law”.
- (i) in point (a), omit “and, where applicable, of the controller's representative”;
- (ii) in point (f), after “the Commission” insert “ pursuant to Article 45(3) of the GDPR ”;
- (b) in paragraph 5(c), for “Union or Member State law to which the controller is subject” substitute “ a rule of domestic law ”.
#### Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)
@@ -8982,13 +8898,13 @@
In Article 17 (right to erasure (‘right to be forgotten’))—
- (a) in paragraph 1(e), for “in Union or Member State law to which the controller is subject” substitute “under domestic law”;
- (b) in paragraph 3(b), for “by Union or Member State law to which the controller is subject” substitute “under domestic law”.
- (a) in paragraph 1(e), for “in Union or Member State law to which the controller is subject” substitute “ under domestic law ”;
- (b) in paragraph 3(b), for “by Union or Member State law to which the controller is subject” substitute “ under domestic law ”.
##### 18
In Article 18 (right to restriction of processing), in paragraph 2, for “of the Union or of a Member State” substitute “of the United Kingdom”.
In Article 18 (right to restriction of processing), in paragraph 2, for “of the Union or of a Member State” substitute “ of the United Kingdom ”.
#### Section 4 of Chapter III of the GDPR (rights of the data subject: right to object and automated individual decision-making)
@@ -9010,9 +8926,9 @@
In Article 23 (restrictions), in paragraph 1—
- (a) for “Union or Member State law to which the data controller or processor is subject” substitute “In addition to the provision made by section 15 of and Schedules 2, 3 and 4 to the 2018 Act, the Secretary of State”;
- (b) in point (e), for “of the Union or of a Member State”, in both places, substitute “of the United Kingdom”;
- (a) for “Union or Member State law to which the data controller or processor is subject” substitute “ In addition to the provision made by section 15 of and Schedules 2, 3 and 4 to the 2018 Act, the Secretary of State ”;
- (b) in point (e), for “of the Union or of a Member State”, in both places, substitute “ of the United Kingdom ”;
- (c) after point (j) insert—
@@ -9022,7 +8938,7 @@
##### 22
In Article 26 (joint controllers), in paragraph 1, for “Union or Member State law to which the controllers are subject” substitute “domestic law”.
In Article 26 (joint controllers), in paragraph 1, for “Union or Member State law to which the controllers are subject” substitute “ domestic law ”.
##### 23
@@ -9032,11 +8948,11 @@
In Article 28 (processor)—
- (a) in paragraph 3, in point (a), for “Union or Member State law to which the processor is subject” substitute “domestic law”;
- (b) in paragraph 3, in the second subparagraph, for “other Union or Member State data protection provisions” substitute “any other rule of domestic law relating to data protection”;
- (c) in paragraph 6, for “paragraphs 7 and 8” substitute “paragraph 8”;
- (a) in paragraph 3, in point (a), for “Union or Member State law to which the processor is subject” substitute “ domestic law ”;
- (b) in paragraph 3, in the second subparagraph, for “other Union or Member State data protection provisions” substitute “ any other rule of domestic law relating to data protection ”;
- (c) in paragraph 6, for “paragraphs 7 and 8” substitute “ paragraph 8 ”;
- (d) omit paragraph 7;
@@ -9046,19 +8962,19 @@
In Article 30 (records of processing activities)—
- (a) in paragraph 1, in the first sentence, omit “and, where applicable, the controller’s representative,”;
- (b) in paragraph 1, in point (a), omit “, the controller’s representative”;
- (c) in paragraph 1, in point (g), after “32(1)” insert “or section 28(3) of the 2018 Act”;
- (d) in paragraph 2, in the first sentence, omit “and, where applicable, the processor’s representative”;
- (e) in paragraph 2, in point (a), omit “the controller’s or the processor’s representative, and”;
- (f) in paragraph 2, in point (d), after “32(1)” insert “or section 28(3) of the 2018 Act”;
- (g) in paragraph 4, omit “and, where applicable, the controller’s or the processor’s representative,”.
- (a) in paragraph 1, in the first sentence, omit “and, where applicable, the controller's representative,”;
- (b) in paragraph 1, in point (a), omit “, the controller's representative”;
- (c) in paragraph 1, in point (g), after “32(1)” insert “ or section 28(3) of the 2018 Act ”;
- (d) in paragraph 2, in the first sentence, omit “and, where applicable, the processor's representative”;
- (e) in paragraph 2, in point (a), omit “the controller's or the processor's representative, and”;
- (f) in paragraph 2, in point (d), after “32(1)” insert “ or section 28(3) of the 2018 Act ”;
- (g) in paragraph 4, omit “and, where applicable, the controller's or the processor's representative,”.
##### 26
@@ -9090,7 +9006,7 @@
##### 30
In Article 39 (tasks of the data protection officer), in paragraph 1(a) and (b), for “other Union or Member State data protection provisions” substitute “other rules of domestic law relating to data protection”.
In Article 39 (tasks of the data protection officer), in paragraph 1(a) and (b), for “other Union or Member State data protection provisions” substitute “ other rules of domestic law relating to data protection ”.
#### Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)
@@ -9098,7 +9014,7 @@
In Article 40 (codes of conduct)—
- (a) in paragraph 1, for “The Member States, the supervisory authorities, the Board and the Commission shall” substitute “The Commissioner must”;
- (a) in paragraph 1, for “The Member States, the supervisory authorities, the Board and the Commission shall” substitute “ The Commissioner must ”;
- (b) omit paragraph 3;
@@ -9116,7 +9032,7 @@
- (a) in paragraph 1—
- (i) for “The Member States, the supervisory authorities, the Board and the Commission” substitute “The Commissioner”;
- (i) for “The Member States, the supervisory authorities, the Board and the Commission” substitute “ The Commissioner ”;
- (ii) omit “, in particular at Union level,”;
@@ -9130,7 +9046,7 @@
In Article 43 (certification bodies)—
- (a) in paragraph 1, in the second sentence, for “Member States shall ensure that those certification bodies are” substitute “Those certification bodies must be”;
- (a) in paragraph 1, in the second sentence, for “Member States shall ensure that those certification bodies are” substitute “ Those certification bodies must be ”;
- (b) in paragraph 2, in point (b), omit “or by the Board pursuant to Article 63”;
@@ -9146,11 +9062,11 @@
In Article 45 (transfers on the basis of an adequacy decision)—
- (a) in paragraph 1, after “decided” insert “in accordance with Article 45 of the GDPR”;
- (a) in paragraph 1, after “decided” insert “ in accordance with Article 45 of the GDPR ”;
- (b) after paragraph 1 insert—
> (1A) But a transfer of personal data to a third country or international organisation must not take place under paragraph 1, if the Commission’s decision in relation to the third country (including a territory or sector within it) or the international organisation—
> (1A) But a transfer of personal data to a third country or international organisation must not take place under paragraph 1, if the Commission's decision in relation to the third country (including a territory or sector within it) or the international organisation—
> (a) is suspended,
> (b) has been amended, or
> (c) has been repealed,
@@ -9160,13 +9076,13 @@
- (c) omit paragraphs 2 to 8;
- (d) in paragraph 9, for “of this Article” substitute “of Article 45 of the GDPR”.
- (d) in paragraph 9, for “of this Article” substitute “ of Article 45 of the GDPR ”.
##### 36
In Article 46 (transfers subject to appropriate safeguards)—
- (a) in paragraph 1, for “Article 45(3)” substitute “Article 45(3) of the GDPR”;
- (a) in paragraph 1, for “Article 45(3)” substitute “ Article 45(3) of the GDPR ”;
- (b) in paragraph 2, omit point (c);
@@ -9176,9 +9092,9 @@
- (e) in paragraph 5—
- (i) in the first sentence, for “a Member State or supervisory authority” substitute “the Commissioner”;
- (ii) in the second sentence, for “this Article” substitute “Article 46 of the GDPR”.
- (i) in the first sentence, for “a Member State or supervisory authority” substitute “ the Commissioner ”;
- (ii) in the second sentence, for “this Article” substitute “ Article 46 of the GDPR ”.
##### 37
@@ -9186,9 +9102,9 @@
- (a) in paragraph 1, in the first sentence, omit “in accordance with the consistency mechanism set out in Article 63”;
- (b) in paragraph 2, in point (e), for “the competent courts of the Member States” substitute “a court”;
- (c) in paragraph 2, in point (f), for “on the territory of a Member State” substitute “in the United Kingdom”;
- (b) in paragraph 2, in point (e), for “the competent courts of the Member States” substitute “ a court ”;
- (c) in paragraph 2, in point (f), for “on the territory of a Member State” substitute “ in the United Kingdom ”;
- (d) omit paragraph 3.
@@ -9198,11 +9114,11 @@
- (a) in paragraph 1, in the first sentence—
- (i) for “Article 45(3)” substitute “Article 45(3) of the GDPR”;
- (ii) for “Article 46” substitute “Article 46 of this Regulation”;
- (b) in paragraph 4, for “Union law or in the law of the Member State to which the controller is subject” substitute “domestic law (see section 18 of the 2018 Act which makes certain provision about the public interest)”;
- (i) for “Article 45(3)” substitute “ Article 45(3) of the GDPR ”;
- (ii) for “Article 46” substitute “ Article 46 of this Regulation ”;
- (b) in paragraph 4, for “Union law or in the law of the Member State to which the controller is subject” substitute “ domestic law (see section 18 of the 2018 Act which makes certain provision about the public interest) ”;
- (c) for paragraph 5 substitute—
@@ -9220,7 +9136,7 @@
- (a) in paragraph 1—
- (i) for “Each Member State shall provide for one or more independent public authorities to be” substitute “The Commissioner is”;
- (i) for “Each Member State shall provide for one or more independent public authorities to be” substitute “ The Commissioner is ”;
- (ii) omit “and to facilitate the free flow of personal data within the Union (‘supervisory authority’)”;
@@ -9232,15 +9148,15 @@
- (a) in paragraph 2—
- (i) for “The member or members of each supervisory authority” substitute “The Commissioner”;
- (ii) for “their”, in both places, substitute “the Commissioner’s”;
- (i) for “The member or members of each supervisory authority” substitute “ The Commissioner ”;
- (ii) for “their”, in both places, substitute “the Commissioner's”;
- (b) in paragraph 3—
- (i) for “Member or members of each supervisory authority” substitute “The Commissioner”;
- (ii) for “their”, in both places, substitute “the Commissioner’s”;
- (i) for “Member or members of each supervisory authority” substitute “ The Commissioner ”;
- (ii) for “their”, in both places, substitute “the Commissioner's”;
- (c) omit paragraphs 4 to 6.
@@ -9270,7 +9186,7 @@
In Article 57 (tasks)—
- (a) in paragraph 1, in the first sentence, for “each supervisory authority shall on its territory” substitute “the Commissioner is to”;
- (a) in paragraph 1, in the first sentence, for “each supervisory authority shall on its territory” substitute “ the Commissioner is to ”;
- (b) in paragraph 1, in point (e), omit “and, if appropriate, cooperate with the supervisory authorities in other Member States to that end”;
@@ -9286,11 +9202,11 @@
In Article 58 (powers)—
- (a) in paragraph 1, in point (a), omit “, and, where applicable, the controller’s or the processor’s representative”;
- (b) in paragraph 1, in point (f), for “Union or Member State procedural law” substitute “domestic law”;
- (c) in paragraph 3, in point (b), for “the Member State government” substitute “the Secretary of State”;
- (a) in paragraph 1, in point (a), omit “, and, where applicable, the controller's or the processor's representative”;
- (b) in paragraph 1, in point (f), for “Union or Member State procedural law” substitute “ domestic law ”;
- (c) in paragraph 3, in point (b), for “the Member State government” substitute “ the Secretary of State ”;
- (d) in paragraph 3, omit point (c);
@@ -9300,7 +9216,7 @@
In Article 59 (activity reports)—
- (a) for “, the government and other authorities as designated by Member State law” substitute “and the Secretary of State”;
- (a) for “, the government and other authorities as designated by Member State law” substitute “ and the Secretary of State ”;
- (b) omit “, to the Commission and to the Board”.
@@ -9310,10 +9226,10 @@
For Articles 60 to 76 substitute—
> (1) The Commissioner may, in connection with carrying out the Commissioner’s functions under this Regulation—
> (1) The Commissioner may, in connection with carrying out the Commissioner's functions under this Regulation—
> (a) co-operate with, provide assistance to and seek assistance from other supervisory authorities;
> (b) conduct joint operations with other supervisory authorities, including joint investigations and joint enforcement measures.
> (2) The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to—
> (2) The Commissioner must, in carrying out the Commissioner's functions under this Regulation, have regard to—
> (a) decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR;
> (b) any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).
@@ -9325,7 +9241,7 @@
- (a) in paragraph 1, omit “in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement”;
- (b) in paragraph 2, for “The supervisory authority with which the complaint has been lodged” substitute “The Commissioner”.
- (b) in paragraph 2, for “The supervisory authority with which the complaint has been lodged” substitute “ The Commissioner ”.
##### 51
@@ -9353,7 +9269,7 @@
- (a) in paragraph 1, omit “where provided for by Member State law”;
- (b) in paragraph 2, for “Member States” substitute “The Secretary of State”;
- (b) in paragraph 2, for “Member States” substitute “ The Secretary of State ”;
- (c) after that paragraph insert—
@@ -9373,17 +9289,17 @@
In Article 83 (general conditions for imposing administrative fines)—
- (a) in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “under Part 5 or 6 of Schedule 2 to the 2018 Act or under regulations made under section 16 of that Act”;
- (a) in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “ under Part 5 or 6 of Schedule 2 to the 2018 Act or under regulations made under section 16 of that Act ”;
- (b) in paragraph 7—
- (i) for “each Member State” substitute “the Secretary of State”;
- (ii) for “that Member State” substitute “the United Kingdom”;
- (i) for “each Member State” substitute “ the Secretary of State ”;
- (ii) for “that Member State” substitute “ the United Kingdom ”;
- (c) for paragraph 8 substitute—
> (8) Section 115(9) of the 2018 Act makes provision about the exercise of the Commissioner’s powers under this Article.
> (8) Section 115(9) of the 2018 Act makes provision about the exercise of the Commissioner's powers under this Article.
;
@@ -9409,7 +9325,7 @@
- (a) omit paragraph 1;
- (b) in paragraph 2, for “Member States shall” substitute “the Secretary of State, in addition to the relevant provisions, may by way of regulations (see section 16 of the 2018 Act),”;
- (b) in paragraph 2, for “Member States shall” substitute “ the Secretary of State, in addition to the relevant provisions, may by way of regulations (see section 16 of the 2018 Act), ”;
- (c) in paragraph 2, at the end insert—
@@ -9421,7 +9337,7 @@
##### 59
In Article 86 (processing and public access to official documents), for “Union or Member State law to which the public authority or body is subject” substitute “domestic law”.
In Article 86 (processing and public access to official documents), for “Union or Member State law to which the public authority or body is subject” substitute “ domestic law ”.
##### 60
@@ -9433,15 +9349,7 @@
##### 62
In Article 89 (safeguards and derogations relating to processing for archiving purposes etc)—
- (a) in paragraph 2, for “Union or Member State law may” substitute “the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act)”;
- (b) in paragraph 3, for “Union or Member State law may” substitute “the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act)”;
- (c) after paragraph 3 insert—
> (3A) In this Article “*the relevant provisions*” means section 15 of and Part 6 of Schedule 2 to the 2018 Act.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
##### 63
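Review bot: paragraph 62 loses its whole body in this hunk, and nothing records why. The Article 89 substitutions in (a) and (b) and the inserted (3A) definition of “the relevant provisions” are replaced by a row of dots under the heading, which fits the header's drop from 15 lines to 7, but there is no annotation naming the provision that removed the text or the date it took effect. A short note beside the dots would let a reader tell a deliberate omission from a loss in extraction.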
@@ -9473,7 +9381,7 @@
##### 69
In Article 96 (relationship with previously concluded Agreements), for “by Member States” substitute “by the United Kingdom or the Commissioner”.
In Article 96 (relationship with previously concluded Agreements), for “by Member States” substitute “ by the United Kingdom or the Commissioner ”.
##### 70
@@ -9509,7 +9417,7 @@
##### 75
In section 16 (power to make further exemptions etc by regulations), in subsection (1)(a), for “Member State law” substitute “the Secretary of State”.
In section 16 (power to make further exemptions etc by regulations), in subsection (1)(a), for “Member State law” substitute “ the Secretary of State ”.
## SCHEDULE 7
@@ -9583,7 +9491,7 @@
- (b) a body of constables appointed under an order made under section 14 of the Harbours Act 1964;
- (c) the body of constables appointed under section 154 of the [Port of London Act 1968 (c.xxxii)](https://www.legislation.gov.uk/ukla/1968/32).
- (c) the body of constables appointed under section 154 of the Port of London Act 1968 (c.xxxii).
##### 17
@@ -9605,7 +9513,7 @@
##### 21
The Commissioners for Her Majesty’s Revenue and Customs.
The Commissioners for Her Majesty's Revenue and Customs.
##### 22
@@ -9653,7 +9561,7 @@
##### 33
Her Majesty’s Land Registry.
Her Majesty's Land Registry.
##### 34
@@ -10175,7 +10083,7 @@
- (4) In this paragraph—
- “*exam*” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity;
- “*exam*” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity;
- “*the relevant time*” has the same meaning as in section 94.
@@ -10215,7 +10123,7 @@
- (1) The Commissioner is to continue to be a corporation sole.
- (2) The Commissioner and the Commissioner’s officers and staff are not to be regarded as servants or agents of the Crown.
- (2) The Commissioner and the Commissioner's officers and staff are not to be regarded as servants or agents of the Crown.
#### Appointment
@@ -10225,7 +10133,7 @@
- (2) No recommendation may be made to Her Majesty for the appointment of a person as the Commissioner unless the person concerned has been selected on merit on the basis of fair and open competition.
- (3) The Commissioner is to hold office for such term not exceeding 7 years as may be determined at the time of the Commissioner’s appointment, subject to paragraph 3.
- (3) The Commissioner is to hold office for such term not exceeding 7 years as may be determined at the time of the Commissioner's appointment, subject to paragraph 3.
- (4) A person cannot be appointed as the Commissioner more than once.
@@ -10233,7 +10141,7 @@
##### 3
- (1) The Commissioner may be relieved of office by Her Majesty at the Commissioner’s own request.
- (1) The Commissioner may be relieved of office by Her Majesty at the Commissioner's own request.
- (2) The Commissioner may be removed from office by Her Majesty on an Address from both Houses of Parliament.
@@ -10241,7 +10149,7 @@
- (a) the Commissioner is guilty of serious misconduct;
- (b) the Commissioner no longer fulfils the conditions required for the performance of the Commissioner’s functions.
- (b) the Commissioner no longer fulfils the conditions required for the performance of the Commissioner's functions.
#### Salary etc
@@ -10289,7 +10197,7 @@
- (5) In making appointments under this paragraph, the Commissioner must have regard to the principle of selection on merit on the basis of fair and open competition.
- (6) The Employers’ Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the Commissioner.
- (6) The Employers' Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the Commissioner.
#### Carrying out of the Commissioner’s functions by officers and staff
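Review bot: the apostrophe change is applied only to the changed line, so the hunk mixes two conventions. Sub-paragraph (6) now reads “Employers' Liability” with a straight apostrophe, while the context heading immediately below still has the typographic one in “Commissioner’s functions”. If the straight form is the intended normalisation, it should cover headings and unchanged context as well, otherwise a text search for either form misses half the occurrences.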
@@ -10301,9 +10209,9 @@
- (b) the Commissioner is for any reason unable to act.
- (2) When the Commissioner appoints a second or subsequent deputy commissioner, the Commissioner must specify which deputy commissioner is to carry out which of the Commissioner’s functions in the circumstances referred to in sub-paragraph (1).
- (3) A function of the Commissioner may, to the extent authorised by the Commissioner, be carried out by any of the Commissioner’s officers or staff.
- (2) When the Commissioner appoints a second or subsequent deputy commissioner, the Commissioner must specify which deputy commissioner is to carry out which of the Commissioner's functions in the circumstances referred to in sub-paragraph (1).
- (3) A function of the Commissioner may, to the extent authorised by the Commissioner, be carried out by any of the Commissioner's officers or staff.
#### Authentication of the seal of the Commissioner
@@ -10311,7 +10219,7 @@
The application of the seal of the Commissioner is to be authenticated by—
- (a) the Commissioner’s signature, or
- (a) the Commissioner's signature, or
- (b) the signature of another person authorised for the purpose.
@@ -10321,7 +10229,7 @@
A document purporting to be an instrument issued by the Commissioner and to be—
- (a) duly executed under the Commissioner’s seal, or
- (a) duly executed under the Commissioner's seal, or
- (b) signed by or on behalf of the Commissioner,
@@ -10337,7 +10245,7 @@
##### 10
- (1) All fees, charges, penalties and other sums received by the Commissioner in carrying out the Commissioner’s functions are to be paid by the Commissioner to the Secretary of State.
- (1) All fees, charges, penalties and other sums received by the Commissioner in carrying out the Commissioner's functions are to be paid by the Commissioner to the Secretary of State.
- (2) Sub-paragraph (1) does not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.
@@ -10361,7 +10269,7 @@
- (3) The Comptroller and Auditor General must examine, certify and report on the statement.
- (4) The Commissioner must arrange for copies of the statement and the Comptroller and Auditor General’s report to be laid before Parliament.
- (4) The Commissioner must arrange for copies of the statement and the Comptroller and Auditor General's report to be laid before Parliament.
- (5) In this paragraph, “*financial year*” means a period of 12 months beginning with 1 April.
@@ -10383,11 +10291,11 @@
- (b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing of personal data to which those Parts apply;
- (c) advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to processing of personal data to which those Parts apply;
- (c) advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to processing of personal data to which those Parts apply;
- (d) promote the awareness of controllers and processors of their obligations under Parts 3 and 4 of this Act;
- (e) on request, provide information to a data subject concerning the exercise of the data subject’s rights under Parts 3 and 4 of this Act and, if appropriate, co-operate with LED supervisory authorities and foreign designated authorities to provide such information;
- (e) on request, provide information to a data subject concerning the exercise of the data subject's rights under Parts 3 and 4 of this Act and, if appropriate, co-operate with LED supervisory authorities and foreign designated authorities to provide such information;
- (f) co-operate with LED supervisory authorities and foreign designated authorities with a view to ensuring the consistency of application and enforcement of the Law Enforcement Directive and the Data Protection Convention, including by sharing information and providing mutual assistance;
@@ -10411,7 +10319,7 @@
- (c) to issue reprimands to a controller or processor where processing operations have infringed provisions of Part 3 or 4 of this Act;
- (d) to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
- (d) to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
#### Definitions
@@ -10431,9 +10339,9 @@
##### 1
- (1) The Commissioner may provide information or assistance to an LED supervisory authority to the extent that, in the opinion of the Commissioner, providing that information or assistance is necessary for the performance of the recipient’s data protection functions.
- (2) The Commissioner may ask an LED supervisory authority to provide information or assistance which the Commissioner requires for the performance of the Commissioner’s data protection functions.
- (1) The Commissioner may provide information or assistance to an LED supervisory authority to the extent that, in the opinion of the Commissioner, providing that information or assistance is necessary for the performance of the recipient's data protection functions.
- (2) The Commissioner may ask an LED supervisory authority to provide information or assistance which the Commissioner requires for the performance of the Commissioner's data protection functions.
- (3) In this paragraph, “*data protection functions*” means functions relating to the protection of individuals with respect to the processing of personal data.
@@ -10547,7 +10455,7 @@
##### 1
- (1) This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates’ Courts) is satisfied by information on oath supplied by the Commissioner that—
- (1) This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that—
- (a) there are reasonable grounds for suspecting that—
@@ -10563,7 +10471,7 @@
##### 2
- (1) This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates’ Courts) is satisfied by information on oath supplied by the Commissioner that a controller or processor has failed to comply with a requirement imposed by an assessment notice.
- (1) This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that a controller or processor has failed to comply with a requirement imposed by an assessment notice.
- (2) The judge may, for the purpose of enabling the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation, grant a warrant to the Commissioner in relation to premises that were specified in the assessment notice.
@@ -10585,13 +10493,13 @@
- (c) the Commissioner requires access to the premises in question urgently.
- (2) The first condition is that the Commissioner has given 7 days’ notice in writing to the occupier of the premises in question demanding access to the premises.
- (2) The first condition is that the Commissioner has given 7 days' notice in writing to the occupier of the premises in question demanding access to the premises.
- (3) The second condition is that—
- (a) access to the premises was demanded at a reasonable hour and was unreasonably refused, or
- (b) entry to the premises was granted but the occupier unreasonably refused to comply with a request by the Commissioner or the Commissioner’s officers or staff to be allowed to do any of the things referred to in paragraph 5.
- (b) entry to the premises was granted but the occupier unreasonably refused to comply with a request by the Commissioner or the Commissioner's officers or staff to be allowed to do any of the things referred to in paragraph 5.
- (4) The third condition is that, since the refusal, the occupier of the premises—
@@ -10605,7 +10513,7 @@
##### 5
- (1) A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner’s officers or staff—
- (1) A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff—
- (a) to enter the premises,
@@ -10613,7 +10521,7 @@
- (c) to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data.
- (2) A warrant issued under paragraph 1 must authorise the Commissioner or any of the Commissioner’s officers or staff—
- (2) A warrant issued under paragraph 1 must authorise the Commissioner or any of the Commissioner's officers or staff—
- (a) to inspect and seize any documents or other material found on the premises which may be evidence of the failure or offence mentioned in that paragraph,
@@ -10623,7 +10531,7 @@
- (d) to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has failed or is failing as described in section 149(2).
- (3) A warrant issued under paragraph 2 must authorise the Commissioner or any of the Commissioner’s officers or staff—
- (3) A warrant issued under paragraph 2 must authorise the Commissioner or any of the Commissioner's officers or staff—
- (a) to inspect and seize any documents or other material found on the premises which may enable the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation,
@@ -10633,7 +10541,7 @@
- (d) to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has complied or is complying with the data protection legislation.
- (4) A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner’s officers or staff to do the things described in sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the day on which the warrant is issued.
- (4) A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff to do the things described in sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the day on which the warrant is issued.
- (5) For the purposes of this paragraph, a copy of information is in an “appropriate form” if —
@@ -10697,13 +10605,13 @@
- (1) The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client, and
- (a) between a professional legal adviser and the adviser's client, and
- (b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
- (2) The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
- (a) between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
- (b) in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
@@ -10711,7 +10619,7 @@
- (3) Sub-paragraphs (1) and (2) do not prevent the exercise of powers conferred by a warrant issued under this Schedule in respect of—
- (a) anything in the possession of a person other than the professional legal adviser or the adviser’s client, or
- (a) anything in the possession of a person other than the professional legal adviser or the adviser's client, or
- (b) anything held with the intention of furthering a criminal purpose.
@@ -10777,7 +10685,7 @@
- (i) in giving evidence that person makes a statement inconsistent with that explanation or information, and
- (ii) evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person’s behalf.
- (ii) evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person's behalf.
- (2) Those provisions are—
@@ -10787,7 +10695,7 @@
- (c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 ([S.I. 1979/1714 (N.I. 19)](https://www.legislation.gov.uk/nisi/1979/1714)) (false statutory declarations and other false unsworn statements).
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
#### Vessels, vehicles etc
@@ -10861,13 +10769,13 @@
- (3) A notice of intent must also—
- (a) state that the person may make written representations about the Commissioner’s intention to give a penalty notice, and
- (a) state that the person may make written representations about the Commissioner's intention to give a penalty notice, and
- (b) specify the period within which such representations may be made.
- (4) The period specified for making written representations must be a period of not less than 21 days beginning when the notice of intent is given.
- (5) If the Commissioner considers that it is appropriate for the person to have an opportunity to make oral representations about the Commissioner’s intention to give a penalty notice, the notice of intent must also—
- (5) If the Commissioner considers that it is appropriate for the person to have an opportunity to make oral representations about the Commissioner's intention to give a penalty notice, the notice of intent must also—
- (a) state that the person may make such representations, and
@@ -10901,7 +10809,7 @@
- (g) details of the rights of appeal under section 162;
- (h) details of the Commissioner’s enforcement powers under this Schedule.
- (h) details of the Commissioner's enforcement powers under this Schedule.
- (2) The information required under sub-paragraph (1)(d) includes—
@@ -10993,7 +10901,7 @@
In this Schedule—
- “*relevant period*” means— the period of 18 months beginning when the Commissioner starts the first review under section 178, and the period of 12 months beginning when the Commissioner starts a subsequent review under that section;
- “*relevant period*” means—the period of 18 months beginning when the Commissioner starts the first review under section 178, andthe period of 12 months beginning when the Commissioner starts a subsequent review under that section;
- “*the relevant review*”, in relation to a relevant period, means the review under section 178 which the Commissioner must produce a report about by the end of that period.
@@ -11005,9 +10913,9 @@
- (2) If the information notice—
- (a) states that, in the Commissioner’s opinion, the information is required for the purposes of the relevant review, and
- (b) gives the Commissioner’s reasons for reaching that opinion,
- (a) states that, in the Commissioner's opinion, the information is required for the purposes of the relevant review, and
- (b) gives the Commissioner's reasons for reaching that opinion,
subsections (5) and (6) of section 142 do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.
@@ -11019,9 +10927,9 @@
- (2) If the assessment notice—
- (a) states that, in the Commissioner’s opinion, it is necessary for the controller or processor to comply with a requirement in the notice for the purposes of the relevant review, and
- (b) gives the Commissioner’s reasons for reaching that opinion,
- (a) states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice for the purposes of the relevant review, and
- (b) gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) of section 146 do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.
@@ -11087,7 +10995,7 @@
- “*caution*” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
- “*conviction*” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 ([S.I. 1978/1908 (N.I. 27)](https://www.legislation.gov.uk/nisi/1978/1908)).
- “*conviction*” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27)).
#### Relevant records relating to statutory functions
@@ -11113,23 +11021,23 @@
- (3) In relation to the Secretary of State, the “relevant functions” are—
- (a) the Secretary of State’s functions in relation to a person sentenced to detention under—
- (a) the Secretary of State's functions in relation to a person sentenced to detention under—
- (i) section 92 of the Powers of Criminal Courts (Sentencing) Act 2000,
- (ii) section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995, or
- (iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 ([S.I. 1998/1504 (N.I. 9)](https://www.legislation.gov.uk/nisi/1998/1504));
- (b) the Secretary of State’s functions in relation to a person imprisoned or detained under—
- (iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));
- (b) the Secretary of State's functions in relation to a person imprisoned or detained under—
- (i) the Prison Act 1952,
- (ii) the Prisons (Scotland) Act 1989, or
- (iii) the [Prison Act (Northern Ireland) 1953 (c. 18 (N.I.))](https://www.legislation.gov.uk/apni/1953/18);
- (c) the Secretary of State’s functions under—
- (iii) the Prison Act (Northern Ireland) 1953 (c. 18 (N.I.));
- (c) the Secretary of State's functions under—
- (i) the Social Security Contributions and Benefits Act 1992,
@@ -11149,9 +11057,9 @@
- (b) the Social Security Administration (Northern Ireland) Act 1992,
- (c) the Jobseekers (Northern Ireland) Order 1995 ([S.I. 1995/2705 (N.I. 15)](https://www.legislation.gov.uk/nisi/1995/2705)), or
- (d) Part 1 of the [Welfare Reform Act (Northern Ireland) 2007 (c. 2 (N.I.))](https://www.legislation.gov.uk/nia/2007/2).
- (c) the Jobseekers (Northern Ireland) Order 1995 (S.I. 1995/2705 (N.I. 15)), or
- (d) Part 1 of the Welfare Reform Act (Northern Ireland) 2007 (c. 2 (N.I.)).
- (5) In relation to the Department of Justice in Northern Ireland, the “relevant functions” are its functions under Part 5 of the Police Act 1997.
@@ -11159,7 +11067,7 @@
- (a) Part 5 of the Police Act 1997, or
- (b) Parts 1 and 2 of the Protection of Vulnerable Groups (Scotland) Act [2007 (asp 14)](https://www.legislation.gov.uk/asp/2007/14).
- (b) Parts 1 and 2 of the Protection of Vulnerable Groups (Scotland) Act 2007 (asp 14).
- (7) In relation to the Disclosure and Barring Service, the “relevant functions” are its functions under—
@@ -11167,7 +11075,7 @@
- (b) the Safeguarding Vulnerable Groups Act 2006, or
- (c) the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 ([S.I. 2007/1351 (N.I. 11)](https://www.legislation.gov.uk/nisi/2007/1351)).
- (c) the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (S.I. 2007/1351 (N.I. 11)).
#### Data subject access right
@@ -11207,9 +11115,9 @@
- (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.
- (3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
- (3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
#### Veterinary Surgeons Act 1966 (c. 36)
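Review bot: in sub-paragraphs (2) and (3) the substituted words gain a leading and a trailing space inside the quotation marks, for example “ section 128 of the Data Protection Act 2018 ”. In a textual amendment the quoted string is the operative text, so the padding makes it ambiguous whether the spaces are part of what is substituted, and it breaks exact matching against the amended Act. Keep the quoted text tight against the quotation marks, as in the lines being replaced.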
@@ -11227,12 +11135,12 @@
, and
- (c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.
- (c) in paragraph (b), at the beginning insert “ legislation in the United Kingdom that implements ”.
- (3) In subsection (9), after “section” insert
> —
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
@@ -11302,19 +11210,19 @@
In section 157(2A) (duty to disclose name etc of agency)—
- (a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and
- (b) in paragraph (b), after “any” insert “other”.
- (a) in paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
- (b) in paragraph (b), after “any” insert “ other ”.
##### 9
In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.
In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “ Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) ”.
##### 10
In section 189(1) (definitions), at the appropriate place insert—
> - “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
> “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
.
@@ -11332,13 +11240,13 @@
In article 8D (European professional card), after paragraph (3) insert—
> (4) In Schedule 2C, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
> (4) In Schedule 2C, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
##### 14
In article 22A(6) (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): functions of competent authority etc.), before sub-paragraph (a) insert—
> (za) “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> (za) “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
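Review bot: the new text of article 8D(4) and of article 22A(6)(za) puts a hyperlink on “Regulation (EU) 2016/679” inside the quoted words to be inserted, which mixes editorial markup into operative text. It also runs against the treatment of citations elsewhere in the same change, where links are stripped, for example “(S.I. 1978/1908 (N.I. 27))”. Pick one rule for citations and apply it both inside and outside quoted insertions.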
@@ -11346,7 +11254,7 @@
- (1) Schedule 2C (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): European professional card) is amended as follows.
- (2) In paragraph 8(1) (access to data), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (2) In paragraph 8(1) (access to data), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)).
@@ -11354,15 +11262,15 @@
- (1) The table in Schedule 2D (functions of the Society under Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036)) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
##### 17
- (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.
- (2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”.
- (2) In sub-paragraph (2)(a), after “provision” insert “ or the GDPR ”.
- (3) For sub-paragraph (3) substitute—
@@ -11378,13 +11286,13 @@
- (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.
- (2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
- (3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
- (2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
- (3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
- (4) In paragraph 11A—
- (a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and
- (a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “ to supply information ”, and
- (b) omit sub-paragraph (2).
@@ -11398,7 +11306,7 @@
- (1) Section 29E (evidence) is amended as follows.
- (2) In subsection (5), after “enactment” insert “or the GDPR”.
- (2) In subsection (5), after “enactment” insert “ or the GDPR ”.
- (3) For subsection (7) substitute—
@@ -11406,13 +11314,13 @@
- (4) In subsection (9), at the end insert—
> - “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).
> “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).
##### 21
- (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.
- (2) In subsection (4), after “enactment” insert “or the GDPR”.
- (1) Section 35A (General Medical Council's power to require disclosure of information) is amended as follows.
- (2) In subsection (4), after “enactment” insert “ or the GDPR ”.
- (3) For subsection (5A) substitute—
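Review bot: In paragraph 21(1) the typographic apostrophe in “General Medical Council’s” becomes a straight one, while the curly double quotation marks in the same hunk are kept. Normalise one way or the other across the whole text. Mixed quote styles make exact-phrase searches of the amended wording unreliable.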
@@ -11420,14 +11328,14 @@
- (4) In subsection (7), at the end insert—
> - “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).
> “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).
##### 22
In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert
In section 49B(7) ([Directive 2005/36](https://www.legislation.gov.uk/european/directive/2005/0036): designation of competent authority etc.), after “Schedule 4A” insert
> —
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
@@ -11439,7 +11347,7 @@
- (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.
- (2) In sub-paragraph (2)(a), after “enactment” insert “or the GPDR”.
- (2) In sub-paragraph (2)(a), after “enactment” insert “ or the GPDR ”.
- (3) After sub-paragraph (3) insert—
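Review bot: Sub-paragraph (2)(a) inserts “or the GPDR” in both the earlier and the revised line, where every comparable amendment in this schedule inserts “or the GDPR”. The revision touches this line only to add spacing and carries the spelling over unchanged. If “GPDR” is how the source text reads, mark it as such (for example with a sic annotation) so it is not taken for a transcription error. If it is not, correct it here.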
@@ -11449,7 +11357,7 @@
- (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.
- (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.
- (2) In sub-paragraph (8), after “enactment” insert “ or the GDPR ”.
- (3) For sub-paragraph (8A) substitute—
@@ -11461,11 +11369,11 @@
##### 26
- (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under [Directive 2005/36](https://www.legislation.gov.uk/european/directive/2005/0036)) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
#### Dentists Act 1984 (c. 24)
@@ -11475,14 +11383,16 @@
##### 28
- (1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.
- (2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.
- (1) Section 33B (the General Dental Council's power to require disclosure of information: the dental profession) is amended as follows.
- (2) In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
- (3) For subsection (4) substitute—
> (4) For the purposes of subsection (3)—
> - “*relevant enactment*” means any enactment other than— this Act, or the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
> - “*relevant enactment*” means any enactment other than—
> 1. this Act, or
> 2. the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
> - “*relevant provision of the GDPR*” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).
- (4) After subsection (10) insert—
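Review bot: The split definition of “relevant enactment” in the substituted subsection (4) labels its two limbs “1.” and “2.”, but the same kind of split in the later hunk at @@ -12059,9 +11967,11 @@ labels them “(a)” and “(b)”. Use one labelling scheme for sub-limbs of a definition throughout, so that a cross-reference to a limb resolves the same way in every amended Act. The stray space in “Part 4 :” is also carried into the new lines and could be removed at the same time.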
@@ -11491,22 +11401,24 @@
##### 29
In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
In section 36ZA(6) ([Directive 2005/36](https://www.legislation.gov.uk/european/directive/2005/0036): designation of competent authority etc), after “Schedule 4ZA—” insert—
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
##### 30
- (1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.
- (2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.
- (1) Section 36Y (the General Dental Council's power to require disclosure of information: professions complementary to dentistry) is amended as follows.
- (2) In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.
- (3) For subsection (4) substitute—
> (4) For the purposes of subsection (3)—
> - “*relevant enactment*” means any enactment other than— this Act, or the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
> - “*relevant enactment*” means any enactment other than—
> 1. this Act, or
> 2. the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);
> - “*relevant provision of the GDPR*” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).
- (4) After subsection (10) insert—
@@ -11519,17 +11431,17 @@
##### 32
- (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (1) The table in Schedule 4ZA ([Directive 2005/36](https://www.legislation.gov.uk/european/directive/2005/0036): functions of the General Dental Council under section 36ZA(3)) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
#### Companies Act 1985 (c. 6)
##### 33
In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
#### Access to Medical Reports Act 1988 (c. 28)
@@ -11537,7 +11449,7 @@
In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—
> - “*health professional*” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act);
> “*health professional*” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act);
.
@@ -11545,9 +11457,9 @@
##### 35
- (1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows.
- (2) In subsection (3), after “enactment” insert “or the GDPR”.
- (1) Section 13B of the Opticians Act 1989 (the Council's power to require disclosure of information) is amended as follows.
- (2) In subsection (3), after “enactment” insert “ or the GDPR ”.
- (3) For subsection (4) substitute—
@@ -11583,11 +11495,11 @@
- (1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.
- (2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (9), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
#### Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
@@ -11595,7 +11507,7 @@
- (1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.
- (2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (6) insert—
@@ -11605,7 +11517,7 @@
##### 41
In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 114 of the Data Protection Act 2018”.
In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “ section 114 of the Data Protection Act 2018 ”.
#### Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))
@@ -11613,7 +11525,7 @@
- (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.
- (2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In paragraph (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After paragraph (6) insert—
@@ -11647,7 +11559,7 @@
##### 45
In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act))”.
In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
#### Food Standards Act 1999 (c. 28)
@@ -11655,12 +11567,12 @@
- (1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (8), after “section” insert
> —
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -11696,21 +11608,21 @@
##### 50
In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 51
In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 52
In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 53
In section 417 (definitions), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -11718,7 +11630,7 @@
##### 54
In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act))”.
In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
#### Freedom of Information Act 2000 (c. 36)
@@ -11745,9 +11657,9 @@
- (2) In subsection (2)—
- (a) in paragraph (a), for “do” substitute “does”, and
- (b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.
- (a) in paragraph (a), for “do” substitute “ does ”, and
- (b) in paragraph (b), for “either the first or the second” substitute “ the first, second or third ”.
- (3) For subsection (3) substitute—
@@ -11778,7 +11690,9 @@
- (7) For subsection (7) substitute—
> (7) In this section—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, and section 34(1) of the Data Protection Act 2018;
> - “*the data protection principles*” means the principles set out in—
> 1. Article 5(1) of the GDPR, and
> 2. section 34(1) of the Data Protection Act 2018;
> - “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> - “the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act).
> (8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
@@ -11810,7 +11724,7 @@
##### 61
In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 62
@@ -11829,7 +11743,7 @@
In section 84 (interpretation), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -11839,7 +11753,7 @@
- (1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.
- (2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (5) insert—
@@ -11853,17 +11767,17 @@
##### 67
In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 68
In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 69
In section 29(1) (interpretation), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -11887,11 +11801,11 @@
##### 72
In section 65(7) (meaning of “*legal privilege*”)—
- (a) for “paragraph 1 of Schedule 9 to the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018”, and
- (b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.
In section 65(7) (meaning of “legal privilege”)—
- (a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “ paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 ”, and
- (b) for “paragraph 9” substitute “ paragraph 11 (matters exempt from inspection and seizure: privileged communications) ”.
##### 73
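Review bot: The revised opening line of paragraph 72 drops the defined-term emphasis from “legal privilege”, and sub-paragraph (a) loses the link on “1998 (c. 29)”. Other hunks in this change keep the emphasis on defined terms (“*the data protection legislation*”) and add links to Directive 2005/36 and Regulation (EU) 2016/679. Treat defined terms and citations the same way in every hunk: either keep the emphasis and the link to the 1998 Act here, or remove them everywhere.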
@@ -11899,7 +11813,7 @@
- (a) omit paragraph 65, and
- (b) after paragraph 73R insert—
- (b) after paragraph 73T insert—
> (73T) The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 (powers of entry and inspection).
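Review bot: The revised item (b) reads “after paragraph 73T insert” while the paragraph being inserted is itself numbered (73T). The earlier line gave the insertion point as paragraph 73R. An insertion cannot sit after a paragraph with its own number, so one of the two references is wrong. Check the insertion point against the source and, if the numbering did change, say so in an annotation.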
@@ -11913,24 +11827,18 @@
- (1) Section 19 (disclosure of information held by revenue departments) is amended as follows.
- (2) In subsection (7), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) In subsection (9), after “section” insert
> —
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
##### 76
- (1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.
- (2) Omit paragraph 42.
- (3) After paragraph 53F insert—
> (53G) Section 132(3) of the Data Protection Act 2018.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
#### Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
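Review bot: Under paragraph 76 the three sub-paragraphs, including the insertion of “(53G) Section 132(3) of the Data Protection Act 2018”, are replaced by a bare row of dots with no accompanying note. A reader cannot tell from the dots whether the text was repealed, omitted or never brought into force. Add an annotation beside the dots stating the reason and the authority for the removal.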
@@ -11938,7 +11846,7 @@
- (1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.
- (2) In subsection (3), after “provision” insert “or the GDPR”.
- (2) In subsection (3), after “provision” insert “ or the GDPR ”.
- (3) For subsection (5) substitute—
@@ -11954,7 +11862,7 @@
- (1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.
- (2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (9) insert—
@@ -11968,23 +11876,23 @@
##### 80
In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act))”.
In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.
##### 81
In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 82
In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 83
In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 84
In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 85
@@ -11998,7 +11906,7 @@
- (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.
- (2) In subsection (4), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (6) insert—
@@ -12059,9 +11967,11 @@
- (6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, and section 34(1) of the Data Protection Act 2018;
> - “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> - “the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act);
> “*the data protection principles*” means the principles set out in—
> (a) Article 5(1) of the GDPR, and
> (b) section 34(1) of the Data Protection Act 2018;
> “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act);
.
@@ -12079,7 +11989,7 @@
- (1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.
- (2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (5) insert—
@@ -12089,11 +11999,11 @@
- (1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.
- (2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In sub-paragraph (8), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12103,11 +12013,11 @@
- (1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.
- (2) In subsection (6), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) In subsection (8), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12119,7 +12029,7 @@
##### 96
In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 97
@@ -12133,11 +12043,11 @@
- (1) Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research) is amended as follows.
- (2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.
- (2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”.
- (3) After subsection (9) insert—
> (10) In this section, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (10) In this section, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Public Audit (Wales) Act 2004 (c. 23)
@@ -12145,12 +12055,12 @@
- (1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.
- (2) In subsection (3)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) In subsection (5), at the beginning insert
> In this section—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12168,7 +12078,7 @@
- (a) omit “within the meaning of the Data Protection Act 1998”, and
- (b) for “that Act” substitute “the data protection legislation”.
- (b) for “that Act” substitute “ the data protection legislation ”.
- (3) After subsection (7) insert—
@@ -12180,7 +12090,7 @@
- (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.
- (2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (7) insert—
@@ -12192,7 +12102,7 @@
- (1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.
- (2) In subsection (7), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (8) insert—
@@ -12208,7 +12118,7 @@
- (1) Section 12 (information databases) is amended as follows.
- (2) In subsection (13)(e) for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (13) insert—
@@ -12218,7 +12128,7 @@
- (1) Section 29 (information databases: Wales) is amended as follows.
- (2) In subsection (14)(e) for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (14) insert—
@@ -12230,7 +12140,7 @@
- (1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.
- (2) In subsection (3)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (9) insert—
@@ -12242,7 +12152,7 @@
In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—
> - “*health record*” has the same meaning as in the Data Protection Act 2018 (see section 205 of that Act);
> “*health record*” has the same meaning as in the Data Protection Act 2018 (see section 205 of that Act);
.
@@ -12272,7 +12182,7 @@
- (2) The existing text becomes subsection (1).
- (3) In that subsection, in paragraph (a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (4) After that subsection insert—
@@ -12286,7 +12196,7 @@
- (2) The existing text becomes subsection (1).
- (3) In that subsection, for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (4) After that subsection insert—
@@ -12320,11 +12230,11 @@
- (1) Section 251 (control of patient information) is amended as follows.
- (2) In subsection (7), for “made by or under the Data Protection Act [1998 (c 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “of the data protection legislation”.
- (2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “ of the data protection legislation ”.
- (3) In subsection (13), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12332,7 +12242,7 @@
- (1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (3) insert—
@@ -12340,7 +12250,7 @@
##### 116
In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
#### National Health Service (Wales) Act 2006 (c. 42)
@@ -12352,7 +12262,7 @@
- (1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (3) insert—
@@ -12360,7 +12270,7 @@
##### 119
In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.
#### Companies Act 2006 (c. 46)
@@ -12372,39 +12282,39 @@
In section 458(2) (disclosure of information by tax authorities)—
- (a) for “within the meaning of the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and
- (b) for “that Act” substitute “the data protection legislation”.
- (a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “ within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act) ”, and
- (b) for “that Act” substitute “ the data protection legislation ”.
##### 122
In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 123
In section 948(9) (restrictions on disclosure) for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
##### 124
In section 1173(1) (minor definitions: general), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
##### 125
In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 126
In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 127
In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12434,11 +12344,11 @@
##### 131
In section 11(5)(b) (right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018”.
In section 11(5)(b) (right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
##### 132
In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018”.
In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.
#### Statistics and Registration Service Act 2007 (c. 18)
@@ -12450,61 +12360,61 @@
- (1) Section 45 (information held by HMRC) is amended as follows.
- (2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
- (3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.
- (2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
- (3) In subsection (4B), for “the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
##### 135
- (1) Section 45A (information held by other public authorities) is amended as follows.
- (2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
- (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (5) In subsection 12(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.
- (2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
- (3) In subsection (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (5) In subsection 12(c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
##### 136
- (1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.
- (2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.
- (2) In paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In paragraph (c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
##### 137
- (1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.
- (2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.
- (2) In paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In paragraph (d), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.
##### 138
In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 139
- (1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.
- (2) In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.
- (3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
- (4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
- (3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
- (4) In subsection (17), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 140
- (1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.
- (2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
- (3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
- (3) In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 141
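Review bot: In paragraph 135(5) both variants read “In subsection 12(c)”, while sub-paragraph (4) of the same paragraph cites “subsection (12)(a)”. The change here only adds spacing inside the quotation marks and leaves that citation form inconsistent. Check the source text: if it reads “subsection (12)(c)”, correct it in the same pass; if the source itself omits the brackets, leave it and record that it is reproduced as enacted. The padding inside the quotes (for example “ section 128 of the Data Protection Act 2018 ”) should be trimmed as well, since the quoted words are the literal substituted text.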
@@ -12518,7 +12428,7 @@
In section 67 (general interpretation: Part 1), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12534,9 +12444,9 @@
- (2) In subsection (6)—
- (a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and
- (b) for “are” substitute “is”.
- (a) for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
- (b) for “are” substitute “ is ”.
- (3) After subsection (6) insert—
@@ -12546,21 +12456,21 @@
- (1) Section 68 (disclosure of information to prevent fraud) is amended as follows.
- (2) In subsection (4)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) In subsection (8), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
##### 146
- (1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.
- (2) In subsection (8)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) In subsection (9), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
#### Legal Services Act 2007 (c. 29)
@@ -12568,7 +12478,7 @@
- (1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.
- (2) In subsection (3)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (8) insert—
@@ -12600,7 +12510,7 @@
- (1) Section 114 (supply of information to Secretary of State etc) is amended as follows.
- (2) In subsection (5), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (6) insert—
@@ -12612,7 +12522,7 @@
- (1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.
- (2) In subsection (4)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (5) insert—
@@ -12622,7 +12532,7 @@
##### 153
In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);”.
In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act); ”.
#### Counter-Terrorism Act 2008 (c. 28)
@@ -12630,7 +12540,7 @@
- (1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows.
- (2) In subsection (2)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (4) insert—
@@ -12642,7 +12552,7 @@
- (1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.
- (2) In subsection (6), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (7) insert—
@@ -12654,12 +12564,12 @@
- (1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.
- (2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (11), after “section” insert
> —
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12669,7 +12579,7 @@
- (1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.
- (2) In subsection (1)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (4) insert—
@@ -12685,7 +12595,7 @@
- (1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (6) insert—
@@ -12695,7 +12605,7 @@
- (1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (6) insert—
@@ -12713,12 +12623,12 @@
- (1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.
- (2) In subsection (3), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) In subsection (6), after “section” insert
> —
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12728,7 +12638,7 @@
- (1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.
- (2) In subsection (8), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (8) insert—
@@ -12740,11 +12650,11 @@
- (1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.
- (2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (6), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -12754,7 +12664,7 @@
- (1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (6) insert—
@@ -12768,7 +12678,7 @@
- (2) The existing text becomes subsection (1).
- (3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (4) After that subsection insert—
@@ -12794,7 +12704,7 @@
- (b) in the Welsh language text, for paragraph (a) substitute—
> (a) adrannau 142 i 154, 160 i 164, neu 174 i 176 o Ddeddf Diogelu Data 2018 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);
> (a) adrannau 142 i 154, 160 i 164, neu 174 i 176 o Ddeddf Diogelu Data 2018 neu Atodlen 15 i'r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);
.
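Review bot: The only difference in the Welsh paragraph (a) is the apostrophe in “i’r”, which goes from a typographic apostrophe to a straight ASCII one, while the curly double quotation marks elsewhere on the page are left as they are. If the aim is character normalisation, apply it to every quotation mark and apostrophe consistently; otherwise keep the typographic apostrophe, which is the correct character for Welsh elision.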
@@ -12810,27 +12720,27 @@
- (b) in the Welsh language text substitute—
> (5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—
> (5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw'r rhai—
> (a) o dan ddarpariaeth yn Neddf Diogelu Data 2018 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu
> (b) o dan adran 77 o Ddeddf Rhyddid Gwybodaeth 2000 (trosedd o altro etc cofnodion gyda’r bwriad o atal datgelu).
> (b) o dan adran 77 o Ddeddf Rhyddid Gwybodaeth 2000 (trosedd o altro etc cofnodion gyda'r bwriad o atal datgelu).
- (4) In subsection (8)—
- (a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and
- (b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.
- (a) in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
- (b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
- (5) In subsection (9)—
- (a) at the appropriate place in the English language text insert—
> - “*the data protection legislation*” (“*y ddeddfwriaeth diogelu data*”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” (“**y ddeddfwriaeth diogelu data**”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
, and
- (b) at the appropriate place in the Welsh language text insert—
> - “mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o’r Ddeddf honno);
> “mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);
.
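Review bot: In subsection (9)(a) the second variant marks the Welsh equivalent as “**y ddeddfwriaeth diogelu data**” while the English defined term on the same line stays in single-asterisk emphasis, so the two halves of one definition are now styled differently; use the same marker for both. In subsection (8) the English substitution gains padding inside the quotes (“ the data protection legislation ”) but the Welsh one in (b) does not; trim the English quote so both language texts follow one convention. The Welsh insert in (9)(b) opens with a quotation mark before “mae i” that is never closed in either variant; check it against the source.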
@@ -12840,22 +12750,22 @@
- (2) In sub-paragraph (7)—
- (a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and
- (b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.
- (a) in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
- (b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.
- (3) In sub-paragraph (8)—
- (a) in the English language text, after “this paragraph” insert
> —
> - “*the data protection legislation*” (“*y ddeddfwriaeth diogelu data*”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” (“**y ddeddfwriaeth diogelu data**”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
, and
- (b) in the Welsh language text, after “hwn” insert—
> - “mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o’r Ddeddf honno);
> “mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);
.
@@ -12865,7 +12775,7 @@
- (1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.
- (2) In subsection (3), for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
- (2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.
- (3) After subsection (3) insert—
@@ -12881,7 +12791,7 @@
In section 250(7) (power to publish information standards), for the definition of “processing” substitute—
> - “*processing*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);
> “*processing*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);
.
@@ -12889,7 +12799,7 @@
- (1) Section 251A (consistent identifiers) is amended as follows.
- (2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.
- (2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
- (3) After subsection (8) insert—
@@ -12899,7 +12809,7 @@
- (1) Section 251B (duty to share information) is amended as follows.
- (2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.
- (2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
- (3) After subsection (6) insert—
@@ -12915,7 +12825,7 @@
- (1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.
- (2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (5) insert—
@@ -12925,7 +12835,7 @@
In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—
> - “*processing*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);
> “*processing*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);
.
@@ -12933,7 +12843,7 @@
In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—
> - “*processing*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);
> “*processing*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);
.
@@ -12943,7 +12853,7 @@
- (1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.
- (2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (5) insert—
@@ -12959,7 +12869,7 @@
- (1) Section 42 (other interpretive provisions) is amended as follows.
- (2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 168 or 169 of the Data Protection Act 2018 (compensation for contravention of the data protection legislation)”.
- (2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “ Article 82 of the GDPR or section 168 or 169 of the Data Protection Act 2018 (compensation for contravention of the data protection legislation) ”.
- (3) After subsection (5) insert—
@@ -12973,9 +12883,9 @@
- (3) In that sub-paragraph, in paragraph (a)—
- (a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and
- (b) for “are” substitute “is”.
- (a) for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
- (b) for “are” substitute “ is ”.
- (4) After that sub-paragraph, insert—
@@ -12987,7 +12897,7 @@
- (1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (6) insert—
@@ -12999,13 +12909,13 @@
- (1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.
- (2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After sub-paragraph (3) insert—
> (3A) “*The data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
- (4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.
- (4) In sub-paragraph (4), for “comprise or include” substitute “ comprises or includes ”.
#### Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)
@@ -13015,9 +12925,9 @@
- (2) In sub-paragraph (4)—
- (a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and
- (b) for “are” substitute “is”.
- (a) for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
- (b) for “are” substitute “ is ”.
- (3) After sub-paragraph (5) insert—
@@ -13033,9 +12943,9 @@
- (3) In that sub-paragraph, in paragraph (a)—
- (a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and
- (b) for “are” substitute “is”.
- (a) for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and
- (b) for “are” substitute “ is ”.
- (4) After that sub-paragraph insert—
@@ -13057,9 +12967,9 @@
In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—
- (a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act))”, and
- (b) in the Welsh language text, for “(o fewn ystyr “*personal data*” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “*personal data*” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno))”.
- (a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”, and
- (b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “ personal data ” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno))”.
#### Counter-Terrorism and Security Act 2015 (c. 6)
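Review bot: in paragraph (b) the new Welsh line pads only the inner quotation, “ personal data ”, while paragraph (a) pads the whole substituted text, so the two language versions of one amendment are now marked up differently. The text to be matched in (b) also loses its emphasis on “personal data”, and the apostrophe in “o'r” changes from curly to straight. These are literal find-and-substitute instructions, so the quoted strings should stay character-for-character identical to the enacted text, with inserted text marked some other way than by spaces inside the quotation marks.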
@@ -13067,7 +12977,7 @@
- (1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.
- (2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (4) insert—
@@ -13099,12 +13009,12 @@
- (1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.
- (2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (9), after “section” insert
> —
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -13116,19 +13026,19 @@
##### 193
In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.
In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 194
In section 25(1) (interpretation of this Act), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
##### 195
In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”.
In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
#### Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))
@@ -13136,11 +13046,11 @@
- (1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.
- (2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (7), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -13150,11 +13060,11 @@
- (1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.
- (2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (11), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -13182,7 +13092,7 @@
##### 201
In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 86(7) of the Data Protection Act 2018”.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
##### 202
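Review bot: paragraph 201 loses its entire operative text here and is left as a bare row of dots, with nothing to say whether the amendment to section 202(4) was repealed, omitted or moved. The removed line redefined “sensitive personal data” by reference to sensitive processing under section 86(7) of the Data Protection Act 2018, which feeds the restriction on use of class BPD warrants, so the replacement should carry an annotation naming the provision that removed it rather than dots alone.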
@@ -13196,7 +13106,7 @@
- (1) Section 237 (information gateway) is amended as follows.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (2) insert—
@@ -13230,7 +13140,7 @@
- (1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.
- (2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.
- (2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.
- (3) After subsection (12) insert—
@@ -13242,7 +13152,7 @@
In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—
> - “*health record*” has the meaning given by section 205 of the Data Protection Act 2018;
> “*health record*” has the meaning given by section 205 of the Data Protection Act 2018;
.
@@ -13256,12 +13166,12 @@
- (1) Section 17 (disclosure of information) is amended as follows.
- (2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (8), after “section” insert
> —
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -13269,7 +13179,7 @@
In section 44(3) (disclosure of information)—
- (a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018”, and
- (a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “ sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 ”, and
- (b) for paragraph (b) substitute—
@@ -13285,7 +13195,7 @@
- (2) The existing text becomes subsection (1).
- (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (4) After that subsection, insert—
@@ -13311,11 +13221,11 @@
- (1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.
- (2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) In subsection (7), at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
.
@@ -13323,7 +13233,7 @@
- (1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.
- (2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (6) insert —
@@ -13339,7 +13249,7 @@
- (1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.
- (2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (10) insert—
@@ -13349,15 +13259,15 @@
- (1) Section 43 (codes of practice) is amended as follows.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.
- (3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
- (3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.
##### 218
- (1) Section 49 (further provision about disclosures under section 48) is amended as follows.
- (2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (10) insert—
@@ -13367,15 +13277,15 @@
- (1) Section 52 (code of practice) is amended as follows.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.
- (3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018 (other codes of practice)”.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
- (3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
##### 220
- (1) Section 57 (further provision about disclosures under section 56) is amended as follows.
- (2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (10) insert—
@@ -13385,15 +13295,15 @@
- (1) Section 60 (code of practice) is amended as follows.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.
- (3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018 (other codes of practice)”.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
- (3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
##### 222
- (1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.
- (2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After subsection (8) insert—
@@ -13403,9 +13313,9 @@
- (1) Section 70 (code of practice) is amended as follows.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.
- (3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018 (other codes of practice)”.
- (2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.
- (3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.
##### 224
@@ -13419,9 +13329,9 @@
- (2) In subsection (4)(a)—
- (a) in the English language text, for “the Data Protection Act [1998 (c. 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”, and
- (b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.
- (a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”, and
- (b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri'r ddeddfwriaeth diogelu data”.
- (3) After subsection (7)—
@@ -13433,7 +13343,7 @@
- (b) in the Welsh language text insert—
> (8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o’r Ddeddf honno).
> (8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno).
#### Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)
@@ -13448,8 +13358,8 @@
- (b) after subsection (9) insert—
> (9A) In subsection (9)—
> - “*data subject*” (“*testun y data*”) has the meaning given by section 3(5) of the Data Protection Act 2018;
> - “*personal data*” (“*data personol*”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).
> - “*data subject*” (“**testun y data**”) has the meaning given by section 3(5) of the Data Protection Act 2018;
> - “*personal data*” (“**data personol**”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).
- (3) In the Welsh language text—
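Review bot: the Welsh equivalents “testun y data” and “data personol” in the two definition lines switch from italic to bold, while the defined English terms beside them stay italic. Nothing in the wording changes, so this is a markup-only difference that shows up as a textual amendment; pick one emphasis convention for defined terms and their Welsh equivalents and apply it to both versions so that presentation-only changes do not appear in the history.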
@@ -13458,8 +13368,8 @@
- (b) after subsection (9) insert—
> (9A) Yn is-adran (9)—
> - mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno);
> - mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o’r Ddeddf honno.
> - mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno);
> - mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o'r Ddeddf honno.
#### This Act
@@ -13499,23 +13409,23 @@
- (2) In paragraph (2)—
- (a) for “section 5 of the Data Protection Act 1998 (“*the 1998 Act*”), data which are” substitute “section 207 of the Data Protection Act 2018 (“*the 2018 Act*”), data which is”,
- (b) for “data controller” substitute “controller”,
- (c) after “in the context of” insert “the activities of”, and
- (d) for “and the 1998 Act” substitute “and the 2018 Act”.
- (a) for “section 5 of the Data Protection Act 1998 (“*the 1998 Act*”), data which are” substitute “ section 207 of the Data Protection Act 2018 (“*the 2018 Act*”), data which is ”,
- (b) for “data controller” substitute “ controller ”,
- (c) after “in the context of” insert “ the activities of ”, and
- (d) for “and the 1998 Act” substitute “ and the 2018 Act ”.
- (3) In paragraph (3)—
- (a) for “section 5 of the 1998 Act, data which are” substitute “section 207 of the 2018 Act, data which is”,
- (b) for “data controller” substitute “controller”,
- (c) after “in the context of” insert “the activities of”, and
- (d) for “and the 1998 Act” substitute “and the 2018 Act”.
- (a) for “section 5 of the 1998 Act, data which are” substitute “ section 207 of the 2018 Act, data which is ”,
- (b) for “data controller” substitute “ controller ”,
- (c) after “in the context of” insert “ the activities of ”, and
- (d) for “and the 1998 Act” substitute “ and the 2018 Act ”.
#### Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))
@@ -13531,7 +13441,7 @@
##### 232
In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.
In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “ made by the Department ”.
#### Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)
@@ -13556,17 +13466,17 @@
- (3) At the appropriate place insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
##### 236
- (1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (1) The table in Schedule A1 (functions of the GDC under [Directive 2005/36](https://www.legislation.gov.uk/european/directive/2005/0036)) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
#### Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)
@@ -13700,29 +13610,29 @@
In regulation 3(1) (interpretation), at the appropriate places insert—
> - “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
> “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
;
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
;
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
##### 254
In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 255
In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 256
In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 257
@@ -13744,23 +13654,23 @@
##### 259
In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 122(5) of the Data Protection Act 2018”.
In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
##### 260
In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 261
In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 262
In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 263
In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 264
@@ -13780,29 +13690,29 @@
In regulation 3(1) (interpretation), at the appropriate places, insert—
> - “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
> “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
;
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
;
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
##### 267
In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 268
In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 269
In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.
In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
##### 270
@@ -13832,19 +13742,19 @@
##### 273
In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 122(5) of the Data Protection Act 2018”.
In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
##### 274
In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 275
In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 276
In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 277
@@ -13880,7 +13790,7 @@
- (1) Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.
- (2) In paragraph (18), after “enactment” insert “or the GDPR”.
- (2) In paragraph (18), after “enactment” insert “ or the GDPR ”.
- (3) After paragraph (18) insert—
@@ -13888,29 +13798,29 @@
##### 281
- (1) Article 25 (the Council’s power to require disclosure of information) is amended as follows.
- (2) In paragraph (3), after “enactment” insert “or the GDPR”.
- (1) Article 25 (the Council's power to require disclosure of information) is amended as follows.
- (2) In paragraph (3), after “enactment” insert “ or the GDPR ”.
- (3) In paragraph (6)—
- (a) for “paragraph (5),” substitute “paragraph (3)—”, and
- (a) for “paragraph (5),” substitute “ paragraph (3)— ”, and
- (b) at the appropriate place insert—
> - “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).
> “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).
##### 282
In article 39B (European professional card), after paragraph (2) insert—
> (3) For the purposes of Schedule 2B, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
> (3) For the purposes of Schedule 2B, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
##### 283
In article 40(6) (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): designation of competent authority etc), at the appropriate place insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
@@ -13918,17 +13828,17 @@
- (1) Schedule 2B (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): European professional card) is amended as follows.
- (2) In paragraph 8(1) (access to data) for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (2) In paragraph 8(1) (access to data) for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)).
##### 285
- (1) The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (1) The table in Schedule 3 (functions of the Council under [Directive 2005/36](https://www.legislation.gov.uk/european/directive/2005/0036)) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
##### 286
@@ -13942,7 +13852,7 @@
##### 288
In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.
In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “ the GDPR ”.
##### 289
@@ -13952,7 +13862,7 @@
- (b) at the appropriate place insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
@@ -13970,7 +13880,7 @@
##### 292
In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “the Data Protection Act 2018”.
In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.
##### 293
@@ -13978,7 +13888,7 @@
- (2) The existing text becomes sub-paragraph (1).
- (3) In that sub-paragraph, for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (3) In that sub-paragraph, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (4) After that sub-paragraph insert—
@@ -13987,7 +13897,7 @@
> - “*personal data*” and “*processing*” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).
> (3) Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.
- (5) In the heading of that regulation, for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (5) In the heading of that regulation, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
#### Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
@@ -13999,29 +13909,29 @@
In article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—
- (a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2018”, and
- (b) for “are” substitute “is”.
- (a) for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”, and
- (b) for “are” substitute “ is ”.
##### 296
In article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—
- (a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2018”,
- (b) for “are” substitute “is”,
- (c) for “section 5” substitute “section 207”,
- (d) for “data controller” substitute “controller”, and
- (e) after “in the context of” insert “the activities of”.
- (a) for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”,
- (b) for “are” substitute “ is ”,
- (c) for “section 5” substitute “ section 207 ”,
- (d) for “data controller” substitute “ controller ”, and
- (e) after “in the context of” insert “ the activities of ”.
#### Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)
##### 297
The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.
The Pupils' Educational Records (Scotland) Regulations 2003 are amended as follows.
##### 298
@@ -14031,7 +13941,7 @@
- (3) At the appropriate place insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
@@ -14039,7 +13949,7 @@
- (1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.
- (2) After “any information” insert “to the extent that any of the following conditions are satisfied”.
- (2) After “any information” insert “ to the extent that any of the following conditions are satisfied ”.
- (3) For paragraphs (a) to (c) substitute—
@@ -14048,9 +13958,9 @@
.
- (4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.
- (5) In paragraph (e), for “that” substitute “the information”.
- (4) In paragraph (d), for “to the extent that its disclosure” substitute “ the disclosure of the information ”.
- (5) In paragraph (e), for “that” substitute “ the information ”.
##### 300
@@ -14075,17 +13985,17 @@
- (3) At the appropriate places insert—
> - “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
> “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
;
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
##### 303
In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.
In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.
#### Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)
@@ -14105,19 +14015,22 @@
- (2) In paragraph (1), at the appropriate places, insert—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, section 34(1) of the Data Protection Act 2018, and section 85(1) of that Act;
> “*the data protection principles*” means the principles set out in—
> (a) Article 5(1) of the GDPR,
> (b) section 34(1) of the Data Protection Act 2018, and
> (c) section 85(1) of that Act;
;
> - “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
;
> - “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
;
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
> “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
.
@@ -14175,11 +14088,11 @@
##### 308
In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.
In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “ regulation 13(1)(b) or (5A) ”.
##### 309
In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.
In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “ regulation 13(5A) ”.
#### Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
@@ -14193,19 +14106,21 @@
- (2) In paragraph (1), at the appropriate places, insert—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, and section 34(1) of the Data Protection Act 2018;”;
> “*the data protection principles*” means the principles set out in—
> (a) Article 5(1) of the GDPR, and
> (b) section 34(1) of the Data Protection Act 2018;”;
;
> - “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
;
> - “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
;
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
> “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
.
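Review bot: item (b) of the rewritten “the data protection principles” definition still ends `2018;”;`, so the unmatched closing quotation mark from the old single-line entry is carried into the split form and is then followed by a further `;` on its own line. The same definition in the @@ -14105,19 +14015,22 @@ hunk closes its last item with a plain `;`. Suggest ending (b) with `2018;` so the two definitions are punctuated alike.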
@@ -14272,7 +14187,7 @@
##### 315
In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.
In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “ section 3(4) of the Data Protection Act 2018 ”.
##### 316
@@ -14280,13 +14195,13 @@
- (2) In paragraph (4)—
- (a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and
- (b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.
- (a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and
- (b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “ the GDPR ”.
- (3) After paragraph (6) insert—
> (7) In this regulation, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
> (7) In this regulation, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
#### Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
@@ -14298,7 +14213,7 @@
- (a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
- (b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.
- (b) for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
- (3) After paragraph (1) insert—
@@ -14313,7 +14228,10 @@
> (b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
> (c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
> (1D) In this regulation—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, section 34(1) of the Data Protection Act 2018, and section 85(1) of that Act;
> - “*the data protection principles*” means the principles set out in—
> 1. Article 5(1) of the GDPR,
> 2. section 34(1) of the Data Protection Act 2018, and
> 3. section 85(1) of that Act;
> - “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
> (1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
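Review bot: the expanded “the data protection principles” entry numbers its three limbs `1.`, `2.`, `3.`, while the same definition expanded in the @@ -14105,19 +14015,22 @@ hunk labels them (a), (b), (c). Suggest one labelling scheme for every expansion of this definition, preferably (a) to (c), since the surrounding provisions use lettered sub-paragraphs; the two later hunks that repeat this expansion have the same mismatch.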
@@ -14328,13 +14246,13 @@
- (a) for the definition of “data protection principles” substitute—
> - “*data protection principles*” means the principles set out in Article 5(1) of the GDPR;
> “*data protection principles*” means the principles set out in Article 5(1) of the GDPR;
, and
- (b) at the appropriate place insert—
> - “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
> “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
.
@@ -14352,7 +14270,7 @@
- (a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
- (b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.
- (b) for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.
- (3) After paragraph (1) insert—
@@ -14367,7 +14285,10 @@
> (b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
> (c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
> (1D) In this regulation—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, section 34(1) of the Data Protection Act 2018, and section 85(1) of that Act;
> - “*the data protection principles*” means the principles set out in—
> 1. Article 5(1) of the GDPR,
> 2. section 34(1) of the Data Protection Act 2018, and
> 3. section 85(1) of that Act;
> - “*data subject*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> - “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
@@ -14397,13 +14318,13 @@
- (4) After that sub-paragraph insert—
> (2) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (2) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)
##### 323
In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—
In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant's loss of capacity), for paragraph (b) substitute—
> (b) any material used consists of or includes human cells or human DNA,
@@ -14435,7 +14356,7 @@
##### 325
In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity) —
In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant's loss of capacity) —
- (a) in the English language text, for paragraph (c) substitute—
@@ -14445,7 +14366,7 @@
- (b) in the Welsh language text, for paragraph (c) substitute—
> (c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac
> (c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu'n DNA dynol neu yn eu cynnwys; ac
.
@@ -14463,7 +14384,7 @@
- (3) After paragraph (1) insert—
> (2) In this regulation, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (2) In this regulation, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)
@@ -14479,7 +14400,7 @@
- (b) after paragraph (3) insert—
> (4) In this regulation, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (4) In this regulation, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)
@@ -14491,13 +14412,13 @@
In regulation 2 (interpretation), at the appropriate place insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
##### 330
In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.
In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “ information to which the pupil to whom the information relates would have no right of access under the GDPR ”.
#### Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)
@@ -14505,17 +14426,17 @@
In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—
- (a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and
- (a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”, and
- (b) after paragraph (3) insert—
> (4) In this regulation, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (4) In this regulation, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)
##### 332
In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act [1998 (c 29)](https://www.legislation.gov.uk/ukpga/1998/29)” substitute “the data protection legislation”.
In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “ the data protection legislation ”.
#### Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))
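Review bot: the Isle of Man Order line drops the legislation.gov.uk link from “1998 (c 29)”, while the changed definition line just above it in the same hunk adds a link to Regulation (EU) 2016/679. If links are being removed from inside quoted text to be substituted, that reason should be stated and applied uniformly; otherwise restore the link so citations in this hunk are treated one way.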
@@ -14529,13 +14450,13 @@
- (a) at the appropriate place in the English language text insert—
> - “*the GDPR*” (“*y GDPR*”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> “*the GDPR*” (“**y GDPR**”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
, and
- (b) at the appropriate place in the Welsh language text insert—
> - “mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran 3(10), (11) a (14) o’r Ddeddf honno);”.
> “mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o'r Ddeddf honno (gweler adran 3(10), (11) a (14) o'r Ddeddf honno);”.
##### 335
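Review bot: in the English language insert, the Welsh equivalent changes from “*y GDPR*” to “**y GDPR**”, so it is now bold while “*the GDPR*” on the same line stays italic. Unless bold is a deliberate convention for the other-language term, keep the italic so defined terms are marked consistently.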
@@ -14543,9 +14464,9 @@
- (2) In paragraph (7)—
- (a) in the English language text, at the end insert “or the GDPR”, and
- (b) in the Welsh language text, at the end insert “neu’r GDPR”.
- (a) in the English language text, at the end insert “ or the GDPR ”, and
- (b) in the Welsh language text, at the end insert “neu'r GDPR”.
- (3) For paragraph (8)—
@@ -14557,7 +14478,7 @@
- (b) in the Welsh language text substitute—
> (8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.
> (8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.
##### 336
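Review bot: the English insert becomes “ or the GDPR ” with a space inside each quotation mark, but the Welsh insert on the next changed line stays unpadded as “neu'r GDPR”. The quoted words are the literal text to be inserted, so the padding should be applied to both language texts or to neither; the unpadded form matches the old lines.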
@@ -14565,9 +14486,9 @@
- (2) In paragraph (6)—
- (a) in the English language text, at the end insert “or the GDPR”, and
- (b) in the Welsh language text, at the end insert “neu’r GDPR”.
- (a) in the English language text, at the end insert “ or the GDPR ”, and
- (b) in the Welsh language text, at the end insert “neu'r GDPR”.
- (3) For paragraph (7)—
@@ -14579,7 +14500,7 @@
- (b) in the Welsh language text substitute—
> (7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.
> (7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.
##### 337
@@ -14587,9 +14508,9 @@
- (2) In paragraph (3)—
- (a) in the English language text, at the end insert “or the GDPR”, and
- (b) in the Welsh language text, at the end insert “neu’r GDPR”.
- (a) in the English language text, at the end insert “ or the GDPR ”, and
- (b) in the Welsh language text, at the end insert “neu'r GDPR”.
- (3) For paragraph (4)—
@@ -14601,7 +14522,7 @@
- (b) in the Welsh language text substitute—
> (4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.
> (4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.
#### Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)
@@ -14613,7 +14534,7 @@
- (a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and
- (b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.
- (b) for the words from “where” to the end substitute “ if the condition in paragraph (3A) or (3B) is satisfied ”.
- (3) After paragraph (3) insert—
@@ -14627,7 +14548,10 @@
- (4) After paragraph (4) insert—
> (5) In this regulation—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, section 34(1) of the Data Protection Act 2018, and section 85(1) of that Act;
> - “*the data protection principles*” means the principles set out in—
> 1. Article 5(1) of the GDPR,
> 2. section 34(1) of the Data Protection Act 2018, and
> 3. section 85(1) of that Act;
> - “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
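
Review bot: The definition of “the data protection principles” is now split into items numbered 1 to 3, and those numerals do not appear in the one-line form it replaces. A numbered list invites references such as "item 2" that have no counterpart in the earlier text; an unnumbered list would keep the new layout without adding labels. The three cross-references themselves (Article 5(1) of the GDPR, section 34(1) and section 85(1) of the Data Protection Act 2018) are unchanged.
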
@@ -14719,7 +14643,7 @@
In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—
> (d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> (d) matters covered by [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
@@ -14745,7 +14669,10 @@
- (3) After paragraph (7) insert—
> (8) In this regulation—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, section 34(1) of the Data Protection Act 2018, and section 85(1) of that Act;
> - “*the data protection principles*” means the principles set out in—
> 1. Article 5(1) of the GDPR,
> 2. section 34(1) of the Data Protection Act 2018, and
> 3. section 85(1) of that Act;
> - “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
> (9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
@@ -14772,7 +14699,10 @@
- (3) After paragraph (6) insert—
> (7) In this regulation—
> - “*the data protection principles*” means the principles set out in— Article 5(1) of the GDPR, section 34(1) of the Data Protection Act 2018, and section 85(1) of that Act;
> - “*the data protection principles*” means the principles set out in—
> 1. Article 5(1) of the GDPR,
> 2. section 34(1) of the Data Protection Act 2018, and
> 3. section 85(1) of that Act;
> - “*the GDPR*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
> (8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
@@ -14787,7 +14717,7 @@
In regulation 2(2) (interpretation), at the appropriate place insert—
> - “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
.”
@@ -14795,7 +14725,7 @@
- (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
- (2) In paragraph (7), at the end insert “or the GDPR”.
- (2) In paragraph (7), at the end insert “ or the GDPR ”.
- (3) For paragraph (8) substitute—
@@ -14805,7 +14735,7 @@
- (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
- (2) In paragraph (6), at the end insert “or the GDPR”.
- (2) In paragraph (6), at the end insert “ or the GDPR ”.
- (3) For paragraph (7) substitute—
@@ -14815,7 +14745,7 @@
- (1) Regulation 29 (occurrence reports) is amended as follows.
- (2) In paragraph (3), at the end insert “or the GDPR”.
- (2) In paragraph (3), at the end insert “ or the GDPR ”.
- (3) For paragraph (4) substitute—
@@ -14853,13 +14783,13 @@
In article 33A (European professional card), after paragraph (2) insert—
> (3) In Schedule 2A, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
> (3) In Schedule 2A, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
##### 355
- (1) Article 49 (disclosure of information: general) is amended as follows.
- (2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.
- (2) In paragraph (2)(a), after “enactment” insert “ or the GDPR ”.
- (3) For paragraph (3) substitute—
@@ -14873,7 +14803,7 @@
- (1) Article 55 (professional performance assessments) is amended as follows.
- (2) In paragraph (5)(a), after “enactment” insert “or the GDPR”.
- (2) In paragraph (5)(a), after “enactment” insert “ or the GDPR ”.
- (3) For paragraph (6) substitute—
@@ -14887,7 +14817,7 @@
In article 67(6) (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): designation of competent authority etc.), after sub-paragraph (a) insert—
> (aa) “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> (aa) “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
@@ -14895,7 +14825,7 @@
- (1) Schedule 2A (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): European professional card) is amended as follows.
- (2) In paragraph 8(1) (access to data), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046))” substitute “the GDPR”.
- (2) In paragraph 8(1) (access to data), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046))” substitute “ the GDPR ”.
- (3) In paragraph 9 (processing data)—
@@ -14909,9 +14839,9 @@
- (1) The table in Schedule 3 (Directive [2005/36/EC](https://www.legislation.gov.uk/european/directive/2005/0036): designation of competent authority etc.) is amended as follows.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
- (2) In the entry for Article 56(2), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
- (3) In the entry for Article 56a(4), in the second column, for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
#### Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)
@@ -14933,7 +14863,7 @@
- (b) at the appropriate place insert—
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
> “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
##### 363
@@ -14941,21 +14871,21 @@
- (2) In paragraph (1)—
- (a) for “disclosure of data” substitute “disclosure of information”, and
- (b) for “requested data” substitute “requested information”.
- (a) for “disclosure of data” substitute “ disclosure of information ”, and
- (b) for “requested data” substitute “ requested information ”.
- (3) In paragraph (2)—
- (a) for “requested data” substitute “requested information”,
- (b) for “those data are” substitute “the information is”, and
- (c) for “receive those data” substitute “receive that information”.
- (4) In paragraph (3), for “requested data” substitute “requested information”.
- (5) In paragraph (4), for “requested data” substitute “requested information”.
- (a) for “requested data” substitute “ requested information ”,
- (b) for “those data are” substitute “ the information is ”, and
- (c) for “receive those data” substitute “ receive that information ”.
- (4) In paragraph (3), for “requested data” substitute “ requested information ”.
- (5) In paragraph (4), for “requested data” substitute “ requested information ”.
#### Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)
@@ -14969,15 +14899,15 @@
- (b) at the appropriate places insert—
> - “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
> “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
;
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
- (3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.
- (3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.
#### Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))
@@ -14995,23 +14925,23 @@
, and
- (b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute
- (b) in the Welsh language text, for “ddogfennau sy'n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute
> wybodaeth—
> (a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu
> (a) na allai'r pennaeth ei datgelu'n gyfreithlon i'r disgybl o dan y GDPR, neu
> (b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.
- (3) After paragraph (5)—
- (a) in the English language text insert—
> (6) In this regulation, “*the GDPR*” (“*y GDPR*”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
> (6) In this regulation, “*the GDPR*” (“**y GDPR**”) means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.
, and
- (b) in the Welsh language text insert—
> (6) Yn y rheoliad hwn, ystyr “*y GDPR*” (“*the GDPR*”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.
> (6) Yn y rheoliad hwn, ystyr “*y GDPR*” (“**the GDPR**”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a'r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o'r fath (y Rheoliad Diogelu Data Cyffredinol), fel y'i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.
#### Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)
@@ -15039,7 +14969,7 @@
- (b) after sub-paragraph (10) insert—
> (11) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (11) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- (3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—
@@ -15051,7 +14981,7 @@
- (b) after that sub-paragraph insert—
> (4) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (4) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
##### 369
@@ -15069,7 +14999,7 @@
- (b) after sub-paragraph (4) insert—
> (5) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (5) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)
@@ -15089,17 +15019,17 @@
- (2) At the appropriate places insert—
> - “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
> “*Article 89 GDPR purposes*” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);
;
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
.
- (3) For the definition of “relevant conditions” substitute—
> - “*relevant requirement*” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;
> “*relevant requirement*” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;
.
@@ -15107,19 +15037,19 @@
##### 373
In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 122(5) of the Data Protection Act 2018”.
In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.
##### 374
In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 375
In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 376
In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.
##### 377
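
Review bot: The paragraph 376 entry still reads “paragraph 39(8) and (97)”, where the neighbouring entries cite consecutive pairs (33(6) and (7), 34(6) and (7)), so “(97)” looks like a slip that this change carries over untouched. It should be checked against the source text rather than corrected silently here. The substituted wording is otherwise identical apart from the spaces added inside the quotation marks.
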
@@ -15139,7 +15069,7 @@
> (4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.
- (3) In paragraph (5), after “enactment” insert “or the GDPR”.
- (3) In paragraph (5), after “enactment” insert “ or the GDPR ”.
- (4) After paragraph (6) insert—
@@ -15153,7 +15083,7 @@
- (2) The existing text becomes paragraph (1).
- (3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (4) After that paragraph insert—
@@ -15239,7 +15169,7 @@
- (1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.
- (2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) After paragraph (2) insert—
@@ -15271,21 +15201,21 @@
- (3) At the appropriate place insert—
> - “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
> “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;
.
##### 390
In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR and Directive”.
In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR and Directive ”.
##### 391
In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
##### 392
In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR”.
In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR ”.
##### 393
@@ -15293,7 +15223,7 @@
##### 394
In regulation 66(3) (exchange of information), for “Directives [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “the GDPR and Directive”.
In regulation 66(3) (exchange of information), for “Directives [95/46/EC](https://www.legislation.gov.uk/european/directive/1995/0046)” substitute “ the GDPR and Directive ”.
#### Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)
@@ -15315,7 +15245,7 @@
- (b) after sub-paragraph (10) insert—
> (11) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (11) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- (3) In paragraph 20 (restriction on use of absent voting lists)—
@@ -15327,7 +15257,7 @@
- (b) after that sub-paragraph insert—
> (4) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (4) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
##### 397
@@ -15345,7 +15275,7 @@
- (b) after sub-paragraph (4) insert—
> (5) In this paragraph, “*the GDPR*” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
> (5) In this paragraph, “*the GDPR*” means [Regulation (EU) 2016/679](https://www.legislation.gov.uk/european/regulation/2016/0679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
#### Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)
@@ -15455,35 +15385,35 @@
> (1) Section 142 has effect as if subsections (9) and (10) were omitted.
> (2) In that section, subsection (1) has effect as if—
> (a) in paragraph (a)—
> (i) for “controller or processor” there were substituted “trust service provider”;
> (ii) for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;
> (i) for “controller or processor” there were substituted “ trust service provider ”;
> (ii) for “the data protection legislation” there were substituted “ the eIDAS Regulation and the EITSET Regulations ”;
> (b) paragraph (b) were omitted.
> (3) In that section, subsection (2) has effect as if paragraph (a) were omitted.
> (4)
> (1) Section 143 has effect as if subsections (1) and (9) were omitted.
> (2) In that section—
> (a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;
> (b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”;
> (c) subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “section 148 or paragraph 15 of Schedule 15”.
> (5) Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “section 142(2)”.
> (a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”;
> (b) subsection (7)(a) has effect as if for “this Act” there were substituted “ section 144 or 148 or paragraph 15 of Schedule 15 ”;
> (c) subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “ section 148 or paragraph 15 of Schedule 15 ”.
> (5) Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “ section 142(2) ”.
> (6)
> (1) Section 146 has effect as if subsection (11) were omitted.
> (2) In that section—
> (a) subsection (1) has effect as if—
> (i) for “*controller or processor*” (in both places) there were substituted “trust service provider”;
> (ii) for “the data protection legislation” there were substituted “the eIDAS requirements”;
> (i) for “controller or processor” (in both places) there were substituted “ trust service provider ”;
> (ii) for “the data protection legislation” there were substituted “ the eIDAS requirements ”;
> (b) subsection (2) has effect as if paragraphs (h) and (i) were omitted;
> (c) subsections (7), (8), (9) and (10) have effect as if for “*controller or processor*” (in each place) there were substituted “trust service provider.
> (d) subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15”.
> (c) subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider.
> (d) subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “ to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15 ”.
> (7)
> (1) Section 147 has effect as if subsections (5) and (6) were omitted.
> (2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.
> (2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.
> (8)
> (1) Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.
> (2) In that section—
> (a) subsection (1) has effect as if—
> (i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;
> (ii) for “sections 150 and 151” there were substituted “section 150”;
> (i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “ to comply with the eIDAS requirements ”;
> (ii) for “sections 150 and 151” there were substituted “ section 150 ”;
> (b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.
> (9)
> (1) Section 150 has effect as if subsection (3) were omitted.
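
Review bot: In sub-paragraph (6)(2)(c) the substituted text “trust service provider. opens a quotation mark that is never closed, and the line ends with a full stop although item (d) follows. The change removes the emphasis from “controller or processor” on this line but leaves the unbalanced quote in place, so the extent of the substituted text is ambiguous. Every other substitution in the hunk gains padded quotes with both marks present.
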
@@ -15508,27 +15438,27 @@
> (i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or
> (ii) an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,
> (3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—
> (a) in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “trust service provider”;
> (b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.
> (a) in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “ trust service provider ”;
> (b) in sub-paragraph (2), for “the data protection legislation” there were substituted “ the eIDAS requirements ”.
> (4) Paragraph 5 of that Schedule (content of warrants) has effect as if—
> (a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;
> (a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “ the provision of trust services ”;
> (b) in sub-paragraph (2)(d)—
> (i) for “controller or processor” there were substituted “trust service provider”;
> (ii) for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”;
> (i) for “controller or processor” there were substituted “ trust service provider ”;
> (ii) for “as described in section 149(2)” there were substituted “ to comply with the eIDAS requirements ”;
> (c) in sub-paragraph (3)(a) and (d)—
> (i) for “controller or processor” there were substituted “trust service provider”;
> (ii) for “the data protection legislation” there were substituted “the eIDAS requirements”.
> (5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.
> (i) for “controller or processor” there were substituted “ trust service provider ”;
> (ii) for “the data protection legislation” there were substituted “ the eIDAS requirements ”.
> (5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.
> (13)
> (1) Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.
> (2) Subsection (2) of that section has effect as if—
> (a) the words “Subject to subsection (4),” were omitted;
> (b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.
> (3) Subsection (3) of that section has effect as if—
> (a) for “controller or processor”, in each place, there were substituted “trust services provider”;
> (a) for “controller or processor”, in each place, there were substituted “ trust services provider ”;
> (b) in paragraph (c), the words “or distress” were omitted;
> (c) in paragraph (c), for “data subjects” there were substituted “relying parties”;
> (d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.
> (c) in paragraph (c), for “data subjects” there were substituted “ relying parties ”;
> (d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “ Article 19(1) of the eIDAS Regulation ”.
> (14) Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.
> (15) Section 157 has effect as if subsections (1) to (3) and (6) were omitted.
> (16) Section 159 has effect as if—
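Review bot: Paragraph 13(3)(a) substitutes “trust services provider”, while every other substitution in this hunk uses “trust service provider”, and both versions of the line carry the plural form. Confirm which wording is intended, because a literal substitution with the wrong term would not match the defined expression. The second version of each changed line also pads the quoted phrase with spaces inside the quotation marks; trimming them would keep the substituted text unambiguous.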
@@ -15536,7 +15466,7 @@
> (b) in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.
> (17)
> (1) Section 160 has effect as if subsections (5) and (12) were omitted.
> (2) In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “trust service providers”.
> (2) In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “ trust service providers ”.
> (18)
> (1) Section 162 has effect as if subsection (4) were omitted.
> (2) In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—
@@ -15544,18 +15474,18 @@
> (19) Section 163 has effect as if subsection (6) were omitted.
> (20)
> (1) Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.
> (2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.
> (2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “ subsection (4) ”.
> (21) Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.
> (22)
> (1) Section 196 has effect as if subsections (3) to (5) were omitted.
> (2) In that section—
> (a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted;
> (b) subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “section 144 or 148”.
> (b) subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “ section 144 or 148 ”.
> (23) Section 197 has effect as if subsections (3) to (6) were omitted.
> (24) Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 162”.
> (24) Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “ on an appeal under section 162 ”.
> (25) Section 203 has effect as if—
> (a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 162”;
> (b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.
> (a) in subsection (1), for paragraphs (a) and (b) there were substituted “ the exercise of the rights of appeal conferred by section 162 ”;
> (b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “ the provision of trust services ”.
> (26)
> (1) This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).
> (2) Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).
@@ -15598,11 +15528,11 @@
In regulation 3(1) (interpretation), at the appropriate places insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
;
> - “the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
> “the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
.
@@ -15635,7 +15565,7 @@
- (2) Omit paragraph (2).
- (3) In paragraph (3)(a), after “Regulations” insert “or the GDPR”.
- (3) In paragraph (3)(a), after “Regulations” insert “ or the GDPR ”.
- (4) Omit paragraphs (4) and (5).
@@ -15655,7 +15585,7 @@
- (1) Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.
- (2) In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In paragraph (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) For paragraph (11) substitute—
@@ -15665,7 +15595,7 @@
- (1) Regulation 85 (publication: the Commissioners) is amended as follows.
- (2) In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.
- (2) In paragraph (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
- (3) For paragraph (10) substitute—
@@ -15712,11 +15642,11 @@
In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—
> - “*data controller*” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
> “*data controller*” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
;
> - “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
> “*personal data*” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
.
@@ -15742,7 +15672,7 @@
- (b) at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
, and
@@ -15765,7 +15695,7 @@
> - “*data protection officer*” means a person designated as a data protection officer under the data protection legislation;
> - “*personal data*” and “*processing*” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).
- (4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.
- (4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “ controllers ”.
- (5) In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute
@@ -15808,7 +15738,7 @@
- (b) at the appropriate place insert—
> - “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
> “*the data protection legislation*” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
, and
@@ -15847,7 +15777,7 @@
, and
- (d) in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.
- (d) in sub-paragraph (6)(b), for “data controllers” substitute “ controllers ”.
- (3) In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute
@@ -15950,11 +15880,11 @@
- “*the 1998 Act*” means the Data Protection Act 1998;
- “*the 2014 Regulations*” means the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 ([S.I. 2014/3141](https://www.legislation.gov.uk/uksi/2014/3141));
- “*the 2014 Regulations*” means the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141);
- “*data controller*” has the same meaning as in the 1998 Act (see section 1 of that Act);
- “*the old data protection principles*” means the principles set out in— Part 1 of Schedule 1 to the 1998 Act, and regulation 30 of the 2014 Regulations.
- “*the old data protection principles*” means the principles set out in—Part 1 of Schedule 1 to the 1998 Act, andregulation 30 of the 2014 Regulations.
- (2) A provision of the 1998 Act that has effect by virtue of this Schedule is not, by virtue of that, part of the data protection legislation (as defined in section 3).
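Review bot: In the definition of “the old data protection principles”, the second version of the line runs the two sub-items together with no separator, producing “andregulation 30 of the 2014 Regulations”. The earlier version kept a space between the items. Restore the space (or the sub-list structure) so that the two sources of the principles stay distinguishable. The same hunk also reduces the S.I. 2014/3141 reference from a link to plain text, which should be confirmed as intended.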
@@ -15972,7 +15902,7 @@
- (4) In this paragraph—
- “*the relevant regulations*” means— the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 ([S.I. 2000/191](https://www.legislation.gov.uk/uksi/2000/191)); regulation 4 of, and Schedule 1 to, the Consumer Credit (Credit Reference Agency) Regulations 2000 ([S.I. 2000/290](https://www.legislation.gov.uk/uksi/2000/290)); regulation 3 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 ([S.I. 2004/3244](https://www.legislation.gov.uk/uksi/2004/3244));
- “*the relevant regulations*” means—the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191);regulation 4 of, and Schedule 1 to, the Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290);regulation 3 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244);
- “*the relevant time*” means the time when the repeal of section 7 of the 1998 Act comes into force;
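Review bot: The second version of the “relevant regulations” definition drops the space after each semicolon, so the three instruments read as one run (“(S.I. 2000/191);regulation 4 of, and Schedule 1 to, …”). Keep a separator after each semicolon so that the list items stay distinct, and confirm that removing the three legislation.gov.uk links is deliberate.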
@@ -16050,7 +15980,7 @@
- (3) In this paragraph—
- “*the relevant Orders*” means— the Data Protection (Corporate Finance Exemption) Order 2000 ([S.I. 2000/184](https://www.legislation.gov.uk/uksi/2000/184)); the Data Protection (Subject Access Modification) (Health) Order 2000 ([S.I. 2000/413](https://www.legislation.gov.uk/uksi/2000/413)); the Data Protection (Subject Access Modification) (Education) Order 2000 ([S.I. 2000/414](https://www.legislation.gov.uk/uksi/2000/414)); the Data Protection (Subject Access Modification) (Social Work) Order 2000 ([S.I. 2000/415](https://www.legislation.gov.uk/uksi/2000/415)); the Data Protection (Crown Appointments) Order 2000 ([S.I. 2000/416](https://www.legislation.gov.uk/uksi/2000/416)); Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 ([S.I. 2000/419](https://www.legislation.gov.uk/uksi/2000/419)); Data Protection (Designated Codes of Practice) (No. 2) Order 2000 ([S.I. 2000/1864](https://www.legislation.gov.uk/uksi/2000/1864));
- “*the relevant Orders*” means—the Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184);the Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413);the Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414);the Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415);the Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416);Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419);Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864);
- “*the relevant time*” means the time when the repeal of the provision of Part 2 of the 1998 Act in question comes into force.
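Review bot: The seven Orders in the “relevant Orders” definition are fused in the second version of the line, with no space after “means—” or after any semicolon (“(S.I. 2000/184);the Data Protection (Subject Access Modification) (Health) Order 2000”). A list this long is hard to read and easy to mis-parse without separators, so restore the spacing or break the items out as a sub-list.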
@@ -16176,7 +16106,7 @@
- (i) beginning with the relevant day, and
- (ii) lasting for 7 years less a period equal to the individual’s pre-commencement term.
- (ii) lasting for 7 years less a period equal to the individual's pre-commencement term.
- (2) On and after the relevant day, a resolution passed by the House of Commons for the purposes of paragraph 3 of Schedule 5 to the 1998 Act (salary and pension of Commissioner), and not superseded before that day, is to be treated as having been passed for the purposes of paragraph 4 of Schedule 12 to this Act.
@@ -16190,17 +16120,17 @@
##### 20
- (1) The repeal of paragraph 10 of Schedule 5 to the 1998 Act does not affect the duties of the Commissioner and the Comptroller and Auditor General under that paragraph in respect of the Commissioner’s statement of account for the financial year beginning with 1 April 2017.
- (2) The Commissioner’s duty under paragraph 11 of Schedule 12 to this Act to prepare a statement of account for each financial year includes a duty to do so for the financial year beginning with 1 April 2018.
- (1) The repeal of paragraph 10 of Schedule 5 to the 1998 Act does not affect the duties of the Commissioner and the Comptroller and Auditor General under that paragraph in respect of the Commissioner's statement of account for the financial year beginning with 1 April 2017.
- (2) The Commissioner's duty under paragraph 11 of Schedule 12 to this Act to prepare a statement of account for each financial year includes a duty to do so for the financial year beginning with 1 April 2018.
#### Annual report
##### 21
- (1) The repeal of section 52(1) of the 1998 Act (annual report) does not affect the Commissioner’s duty under that subsection to produce a general report on the exercise of the Commissioner’s functions under the 1998 Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
- (2) The repeal of section 49 of the Freedom of Information Act 2000 (annual report) does not affect the Commissioner’s duty under that section to produce a general report on the exercise of the Commissioner’s functions under that Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
- (1) The repeal of section 52(1) of the 1998 Act (annual report) does not affect the Commissioner's duty under that subsection to produce a general report on the exercise of the Commissioner's functions under the 1998 Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
- (2) The repeal of section 49 of the Freedom of Information Act 2000 (annual report) does not affect the Commissioner's duty under that section to produce a general report on the exercise of the Commissioner's functions under that Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.
- (3) The first report produced by the Commissioner under section 139 of this Act must relate to the period of 1 year beginning with 1 April 2018.
@@ -16220,9 +16150,9 @@
##### 24
- (1) The repeal of section 54(2) of the 1998 Act (functions to be discharged by the Commissioner for the purposes of Article 13 of the Data Protection Convention), and the revocation of the Data Protection (Functions of Designated Authority) Order 2000 ([S.I. 2000/186](https://www.legislation.gov.uk/uksi/2000/186)), do not affect the application of articles 1 to 5 of that Order after the relevant time in relation to a request described in those articles which was made before that time.
- (2) The references in paragraph 9 of Schedule 14 to this Act (Data Protection Convention: restrictions on use of information) to requests made or received by the Commissioner under paragraph 6 or 7 of that Schedule include a request made or received by the Commissioner under article 3 or 4 of the Data Protection (Functions of Designated Authority) Order 2000 ([S.I. 2000/186](https://www.legislation.gov.uk/uksi/2000/186)).
- (1) The repeal of section 54(2) of the 1998 Act (functions to be discharged by the Commissioner for the purposes of Article 13 of the Data Protection Convention), and the revocation of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186), do not affect the application of articles 1 to 5 of that Order after the relevant time in relation to a request described in those articles which was made before that time.
- (2) The references in paragraph 9 of Schedule 14 to this Act (Data Protection Convention: restrictions on use of information) to requests made or received by the Commissioner under paragraph 6 or 7 of that Schedule include a request made or received by the Commissioner under article 3 or 4 of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186).
- (3) The repeal of section 54(7) of the 1998 Act (duty to notify the European Commission of certain approvals and authorisations) does not affect the application of that provision after the relevant time in relation to an approval or authorisation granted before the relevant time.
@@ -16232,19 +16162,19 @@
##### 25
- (1) The repeal of section 54(3) of the 1998 Act (co-operation by the Commissioner with the European Commission etc), and the revocation of the Data Protection (International Co-operation) Order 2000 ([S.I. 2000/190](https://www.legislation.gov.uk/uksi/2000/190)), do not affect the application of articles 1 to 4 of that Order after the relevant time in relation to transfers that took place before the relevant time.
- (1) The repeal of section 54(3) of the 1998 Act (co-operation by the Commissioner with the European Commission etc), and the revocation of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190), do not affect the application of articles 1 to 4 of that Order after the relevant time in relation to transfers that took place before the relevant time.
- (2) In this paragraph—
- “*the relevant time*” means the time when the repeal of section 54 of the 1998 Act comes into force;
- “*transfer*” has the meaning given in article 2 of the Data Protection (International Co-operation) Order 2000 ([S.I. 2000/190](https://www.legislation.gov.uk/uksi/2000/190)).
- “*transfer*” has the meaning given in article 2 of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190).
#### Charges payable to the Commissioner by controllers
##### 26
- (1) The Data Protection (Charges and Information) Regulations 2018 ([S.I. 2018/480](https://www.legislation.gov.uk/uksi/2018/480)) have effect after the relevant time (until revoked) as if they were made under section 137 of this Act.
- (1) The Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480) have effect after the relevant time (until revoked) as if they were made under section 137 of this Act.
- (2) In this paragraph, “*the relevant time*” means the time when section 137 of this Act comes into force.
@@ -16262,7 +16192,7 @@
##### 28
- (1) The repeal of section 52E of the 1998 Act (effect of codes of practice) does not affect the application of that section after the relevant time in relation to legal proceedings or to the exercise of the Commissioner’s functions under the 1998 Act as it has effect by virtue of this Schedule.
- (1) The repeal of section 52E of the 1998 Act (effect of codes of practice) does not affect the application of that section after the relevant time in relation to legal proceedings or to the exercise of the Commissioner's functions under the 1998 Act as it has effect by virtue of this Schedule.
- (2) In section 52E of the 1998 Act, as it has effect by virtue of this paragraph, the references to the 1998 Act include that Act as it has effect by virtue of this Schedule.
@@ -16344,13 +16274,13 @@
- (ii) whether a data controller complied with the sixth data protection principle sections after that time.
- (2) The revocation of the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 ([S.I. 2014/3282](https://www.legislation.gov.uk/uksi/2014/3282)), and the repeals mentioned in sub-paragraph (1), do not affect the application of that Order in a case described in sub-paragraph (1).
- (2) The revocation of the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282), and the repeals mentioned in sub-paragraph (1), do not affect the application of that Order in a case described in sub-paragraph (1).
- (3) Sub-paragraph (1) does not enable the Secretary of State, after the relevant time, to make an order under section 41A(2)(b) or (c) of the 1998 Act (data controllers on whom an assessment notice may be served) designating a public authority or person for the purposes of that section.
- (4) Section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1), has effect as if subsections (8) and (11) (duty to review designation orders) were omitted.
- (5) The repeal of section 41C of the 1998 Act (code of practice about assessment notice) does not affect the application, after the relevant time, of the code issued under that section and in force immediately before the relevant time in relation to the exercise of the Commissioner’s functions under and in connection with section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1).
- (5) The repeal of section 41C of the 1998 Act (code of practice about assessment notice) does not affect the application, after the relevant time, of the code issued under that section and in force immediately before the relevant time in relation to the exercise of the Commissioner's functions under and in connection with section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1).
- (6) In this paragraph, “*the relevant time*” means the time when the repeal of section 41A of the 1998 Act comes into force.
@@ -16414,9 +16344,9 @@
- (a) a warrant issued under that Schedule was in force immediately before the relevant time,
- (b) before the relevant time, the Commissioner supplied information on oath for the purposes of obtaining a warrant under that Schedule but that had not been considered by a circuit judge or a District Judge (Magistrates’ Courts), or
- (c) after the relevant time, the Commissioner supplies information on oath to a circuit judge or a District Judge (Magistrates’ Courts) in respect of—
- (b) before the relevant time, the Commissioner supplied information on oath for the purposes of obtaining a warrant under that Schedule but that had not been considered by a circuit judge or a District Judge (Magistrates' Courts), or
- (c) after the relevant time, the Commissioner supplies information on oath to a circuit judge or a District Judge (Magistrates' Courts) in respect of—
- (i) a contravention of the old data protection principles before the relevant time;
@@ -16450,11 +16380,11 @@
- (2) The revocation of the relevant subordinate legislation, and the repeals mentioned in sub-paragraph (1), do not affect the application of the relevant subordinate legislation (or of provisions of the 1998 Act applied by them) after the relevant time in a case described in sub-paragraph (1).
- (3) Guidance issued under section 55C of the 1998 Act (guidance about monetary penalty notices) which is in force immediately before the relevant time continues in force after that time for the purposes of the Commissioner’s exercise of functions under sections 55A and 55B of the 1998 Act as they have effect by virtue of this paragraph.
- (3) Guidance issued under section 55C of the 1998 Act (guidance about monetary penalty notices) which is in force immediately before the relevant time continues in force after that time for the purposes of the Commissioner's exercise of functions under sections 55A and 55B of the 1998 Act as they have effect by virtue of this paragraph.
- (4) In this paragraph—
- “*the relevant subordinate legislation*” means— the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 ([S.I. 2010/31](https://www.legislation.gov.uk/uksi/2010/31)); the Data Protection (Monetary Penalties) Order 2010 ([S.I. 2010/910](https://www.legislation.gov.uk/uksi/2010/910));
- “*the relevant subordinate legislation*” means—the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31);the Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910);
- “*the relevant time*” means the time when the repeal of section 55A of the 1998 Act comes into force.
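Review bot: In the “relevant subordinate legislation” definition, the second version of the line joins the two instruments without a space after the semicolon (“(S.I. 2010/31);the Data Protection (Monetary Penalties) Order 2010”). Restore the separator so the two items read as distinct entries.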
@@ -16546,17 +16476,17 @@
- (c) section 18A(1)(a) of the Health Service Commissioners Act 1993 (disclosure of information by Health Service Commissioner);
- (d) paragraph 1 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act [2002 (asp 11)](https://www.legislation.gov.uk/asp/2002/11) (disclosure of information by the Ombudsman);
- (d) paragraph 1 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11) (disclosure of information by the Ombudsman);
- (e) section 34X(3)(a) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);
- (f) section 18(6)(a) of the Commissioner for Older People (Wales) Act 2006 (disclosure of information by the Commissioner);
- (g) section 22(3)(a) of the [Welsh Language (Wales) Measure 2011 (nawm 1)](https://www.legislation.gov.uk/mwa/2011/1) (disclosure of information by the Welsh Language Commissioner);
- (h) section 49(3)(a) of the [Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))](https://www.legislation.gov.uk/nia/2016/4)(disclosure of information by the Ombudsman);
- (i) section 44(3)(a) of the [Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))](https://www.legislation.gov.uk/nia/2016/21) (disclosure of information by the Prison Ombudsman for Northern Ireland).
- (g) section 22(3)(a) of the Welsh Language (Wales) Measure 2011 (nawm 1) (disclosure of information by the Welsh Language Commissioner);
- (h) section 49(3)(a) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))(disclosure of information by the Ombudsman);
- (i) section 44(3)(a) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)) (disclosure of information by the Prison Ombudsman for Northern Ireland).
- (2) The following provisions (as amended by Schedule 19 to this Act) have effect after the relevant time as if the offences they refer to included an offence under any provision of the 1998 Act other than paragraph 12 of Schedule 9 to that Act (obstruction of execution of warrant)—
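Review bot: Item (h) is missing the space before its parenthetical in both versions of the line: “(c. 4 (N.I.))(disclosure of information by the Ombudsman)”. Items (g) and (i) in the same list have that space. Since the hunk rewrites the line anyway to drop the link, add the space there as well.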
@@ -16566,17 +16496,17 @@
- (c) section 18A(1)(b) of the Health Service Commissioners Act 1993;
- (d) paragraph 2 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act [2002 (asp 11)](https://www.legislation.gov.uk/asp/2002/11);
- (d) paragraph 2 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11);
- (e) section 34X(5) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);
- (f) section 18(8) of the Commissioner for Older People (Wales) Act 2006;
- (g) section 22(5) of the [Welsh Language (Wales) Measure 2011 (nawm 1)](https://www.legislation.gov.uk/mwa/2011/1);
- (h) section 49(5) of the [Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))](https://www.legislation.gov.uk/nia/2016/4);
- (i) section 44(3)(b) of the [Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))](https://www.legislation.gov.uk/nia/2016/21).
- (g) section 22(5) of the Welsh Language (Wales) Measure 2011 (nawm 1);
- (h) section 49(5) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.));
- (i) section 44(3)(b) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)).
- (3) In this paragraph, “*the relevant time*”, in relation to a provision of a section or Schedule listed in sub-paragraph (1) or (2), means the time when the amendment of the section or Schedule by Schedule 19 to this Act comes into force.
@@ -19909,2073 +19839,3 @@
[^M_M_100d5e1f-b281-4bd6-b29d-52e0bf479375]: S. 118 in force at 25.5.2018 by [S.I. 2018/625](https://www.legislation.gov.uk/uksi/2018/625), [reg. 2(1)(e)](https://www.legislation.gov.uk/uksi/2018/625/regulation/2/1/e)
[^M_M_f6f013bc-e682-4221-98d0-89a96fe3e5ce]: Pt. 5 applied in part (with modifications) by [S.I. 2016/696](https://www.legislation.gov.uk/uksi/2016/696), [Sch. 2](https://www.legislation.gov.uk/uksi/2016/696/schedule/2) (as substituted (25.5.2018) by [Data Protection Act 2018 (c. 12)](https://www.legislation.gov.uk/ukpga/2018/12), [s. 212(1)](https://www.legislation.gov.uk/ukpga/2018/12/section/212/1), [Sch. 19 para. 406](https://www.legislation.gov.uk/ukpga/2018/12/schedule/19/paragraph/406) (with [ss. 117](https://www.legislation.gov.uk/ukpga/2018/12/section/117), [209](https://www.legislation.gov.uk/ukpga/2018/12/section/209), [210](https://www.legislation.gov.uk/ukpga/2018/12/section/210)); [S.I. 2018/625](https://www.legislation.gov.uk/uksi/2018/625), [reg. 2(1)(g)](https://www.legislation.gov.uk/uksi/2018/625/regulation/2/1/g) (with [reg. 4](https://www.legislation.gov.uk/uksi/2018/625/regulation/4)))
#### Special categories of personal data etc: supplementary
##### 17A
- (1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—
- (a) a third country,
- (b) a territory or one or more sectors within a third country,
- (c) an international organisation, or
- (d) a description of such a country, territory, sector or organisation.
- (2) For the purposes of the UK GDPR and this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—
- (a) in the case of a third country, the country or a relevant territory or sector within the country, or
- (b) in the case of an international organisation, the organisation.
- (3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).
- (4) Article 45(2) of the UK GDPR makes provision about the assessment of the adequacy of the level of protection for the purposes of this section and section 17B.
- (5) Regulations under this section—
- (a) where they relate to a third country, must specify their territorial and sectoral application;
- (b) where applicable, must specify the independent supervisory authority or authorities referred to in Article 45(2)(b) of the UK GDPR.
- (6) Regulations under this section may, among other things—
- (a) provide that in relation to a country, territory, sector, organisation or transfer specified, or falling within a description specified, in the regulations, section 17B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;
- (b) identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
- (c) confer a discretion on a person.
- (7) Regulations under this section are subject to the negative resolution procedure.
##### 17B
- (1) For so long as regulations under section 17A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.
- (2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.
- (3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 17A or to amend or revoke such regulations.
- (4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 17A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.
- (5) Where regulations under section 17A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.
- (6) The Secretary of State must publish—
- (a) a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 17A, and
- (b) a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.
- (7) In the case of regulations under section 17A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—
- (a) the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and
- (b) the lists published under subsection (6) must specify or describe the relevant transfers.
##### 17C
- (1) The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 119A).
- (2) The Secretary of State must keep under review the standard data protection clauses specified in regulations under this section that are for the time being in force.
- (3) Regulations under this section are subject to the negative resolution procedure.
#### Manual unstructured data used in longstanding historical research
##### 74A
- (1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—
- (a) a third country,
- (b) a territory or one or more sectors within a third country,
- (c) an international organisation, or
- (d) a description of such a country, territory, sector or organisation.
- (2) For the purposes of this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—
- (a) in the case of a third country, the country or a relevant territory or sector within the country, and
- (b) in the case of an international organisation, the organisation,
and such a transfer does not require specific authorisation.
- (3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).
- (4) When assessing the adequacy of the level of protection for the purposes of this section or section 74B, the Secretary of State must, in particular, take account of—
- (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is transferred,
- (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the Commissioner, and
- (c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
- (5) Regulations under this section—
- (a) where they relate to a third country, must specify their territorial and sectoral application;
- (b) where applicable, must specify the independent supervisory authority or authorities referred to in subsection (4)(b).
- (6) Regulations under this section may, among other things—
- (a) provide that, in relation to a country, territory, sector, organisation or territory specified, or falling within a description specified, in the regulations, section 74B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;
- (b) identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
- (c) confer a discretion on a person.
- (7) Regulations under this section are subject to the negative resolution procedure.
##### 74B
- (1) For so long as regulations under section 74A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.
- (2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.
- (3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 74A or to amend or revoke such regulations.
- (4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 74A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.
- (5) Where regulations under section 74A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.
- (6) The Secretary of State must publish—
- (a) a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 74A, and
- (b) a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.
- (7) In the case of regulations under section 74A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—
- (a) the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and
- (b) the lists published under subsection (6) must specify or describe the relevant transfers.
##### 119A
- (1) The Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 17C).
- (2) The Commissioner may issue a document that amends or withdraws a document issued under subsection (1).
- (3) A document issued under this section—
- (a) must specify when it comes into force,
- (b) may make different provision for different purposes, and
- (c) may include transitional provision or savings.
- (4) Before issuing a document under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
- (a) trade associations;
- (b) data subjects;
- (c) persons who appear to the Commissioner to represent the interests of data subjects.
- (5) After a document is issued under this section—
- (a) the Commissioner must send a copy to the Secretary of State, and
- (b) the Secretary of State must lay it before Parliament.
- (6) If, within the 40-day period, either House of Parliament resolves not to approve the document then, with effect from the end of the day on which the resolution is passed, the document is to be treated as not having been issued under this section (so that the document, and any amendment or withdrawal made by the document, is to be disregarded for the purposes of Article 46(2)(d) of the UK GDPR).
- (7) Nothing in subsection (6)—
- (a) affects any transfer of personal data previously made in reliance on the document, or
- (b) prevents a further document being laid before Parliament.
- (8) The Commissioner must publish—
- (a) a document issued under this section, and
- (b) a notice identifying any document which, under subsection (6), is treated as not having been issued under this section.
- (9) The Commissioner must keep under review the clauses specified in a document issued under this section for the time being in force.
- (10) In this section, “*the 40-day period*” means—
- (a) if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
- (b) if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
- (11) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
- (12) In this section, “*trade association*” includes a body representing controllers or processors.
## SCHEDULE 21
## Part 1 — Interpretation
#### The applied GPDR
##### 1
In this Schedule, “*the applied GDPR*” means the EU GDPR as applied by Chapter 3 of Part 2 before IP completion day.
## Part 2 — Continuation of existing acts etc
##### 2
- (1) On and after IP completion day, references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—
- (a) the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, read with Chapter 2 of Part 2 of this Act as it had effect before IP completion day, and
- (b) the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before IP completion day.
- (2) On and after IP completion day, references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before IP completion day.
- (3) Sub-paragraphs (1) and (2) have effect—
- (a) in relation to references in this Act, except as otherwise provided;
- (b) in relation to references in other enactments, unless the context otherwise requires.
##### 3
- (1) Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, the applied GDPR or this Act—
- (a) if in force or effective immediately before IP completion day, continues to be in force or effective on and after IP completion day, and
- (b) if in the process of being done immediately before IP completion day, continues to be done on and after IP completion day.
- (2) References in this paragraph to anything done include references to anything omitted to be done.
## Part 3 — Transfers to third countries and international organisations
##### 4
- (1) On and after IP completion day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—
- (a) in the case of a third country, the country or a relevant territory or sector within the country, or
- (b) in the case of an international organisation, the organisation.
- (2) Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).
- (3) The Secretary of State may by regulations—
- (a) repeal sub-paragraphs (1) and (2) and paragraph 5;
- (b) amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
- (c) amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).
- (4) Regulations under this paragraph may, among other things——
- (a) identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
- (b) confer a discretion on a person.
- (5) Regulations under this paragraph are subject to the negative resolution procedure.
- (6) Sub-paragraphs (1) and (2) have effect in addition to section 17A(2) and (3).
##### 5
- (1) The following are specified for the purposes of paragraph 4(1)—
- (a) an EEA state;
- (b) Gibraltar;
- (c) a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;
- (d) an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;
- (e) a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before IP completion day, had been repealed or was suspended;
- (f) a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before IP completion day, had been repealed or was suspended.
- (2) The decisions mentioned in sub-paragraph (1)(e) are the following—
- (a) Commission Decision [2000/518/EC](https://www.legislation.gov.uk/eudn/2000/518) of 26th July 2000 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;
- (b) Commission Decision [2002/2/EC](https://www.legislation.gov.uk/eudn/2002/2) of 20th December 2001 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;
- (c) Commission Decision [2003/490/EC](https://www.legislation.gov.uk/eudn/2003/490) of 30th June 2003 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data in Argentina;
- (d) Commission Decision [2003/821/EC](https://www.legislation.gov.uk/eudn/2003/821) of 21st November 2003 on the adequate protection of personal data in Guernsey;
- (e) Commission Decision [2004/411/EC](https://www.legislation.gov.uk/eudn/2004/411) of 28th April 2004 on the adequate protection of personal data in the Isle of Man;
- (f) Commission Decision [2008/393/EC](https://www.legislation.gov.uk/eudn/2008/393) of 8th May 2008 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data in Jersey;
- (g) Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;
- (h) Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data in Andorra;
- (i) Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;
- (j) Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;
- (k) Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;
- (m) Commission Implementing Decision (EU) 2019/419 of 23rd January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information.
- (3) Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).
- (4) The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (5) and (6).
- (5) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
- (6) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—
- (a) transfers from the European Union (or the European Community) or the European Economic Area, or
- (b) transfers to which the EU GDPR applies,
it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).
##### 6
- (1) In the provisions listed in sub-paragraph (2)—
- (a) references to regulations made under section 17A (other than references to making such regulations) include the provision made in paragraph 5;
- (b) references to the revocation of such regulations include the repeal of all or part of paragraph 5.
- (2) Those provisions are—
- (a) Articles 13(1)(f), 14(1)(f), 45(1) and (7), 46(1) and 49(1) of the UK GDPR;
- (b) sections 17B(1), (3), (6) and (7) and 18(2) of this Act.
##### 7
- (1) Subject to paragraph 8, the appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described in this paragraph.
- (2) The safeguards may be provided for by any standard data protection clauses included in an arrangement which, if the arrangement had been entered into immediately before IP completion day, would have provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.
- (3) The safeguards may be provided for by a version of standard data protection clauses described in sub-paragraph (2) incorporating changes where—
- (a) all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
- (b) none of the changes alters the effect of the clauses.
- (4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
- (a) changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
- (b) changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
- (5) In the case of a transfer of personal data made under arrangements entered into before IP completion day, the safeguards may be provided for on and after IP completion day by standard data protection clauses not falling within sub-paragraph (2) which—
- (a) formed part of the arrangements immediately before IP completion day, and
- (b) at that time, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.
- (6) The Secretary of State and the Commissioner must keep the operation of this paragraph under review.
- (7) In this paragraph, “*adequacy decision*” means a decision made on the basis of—
- (a) Article 45(3) of the EU GDPR, or
- (b) Article 25(6) of Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- (8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.
##### 8
- (1) Paragraph 7 does not apply to the extent that it has been disapplied by—
- (a) regulations made by the Secretary of State, or
- (b) a document issued by the Commissioner.
- (2) Regulations under this paragraph are subject to the negative resolution procedure.
- (3) Subsections (3) to (8) and (10) to (12) of section 119A apply in relation to a document issued by the Commissioner under this paragraph as they apply to a document issued by the Commissioner under section 119A(2).
##### 9
- (1) The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).
- (2) The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.
- (3) The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—
- (a) all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
- (b) none of the changes alters the effect of the rules.
- (4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
- (a) changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
- (b) changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
- (5) Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).
- (5A) For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—
- (a) a valid notification of the rules has been made to the Commissioner,
- (b) the Commissioner has approved them, and
- (c) that approval has not been withdrawn.
- (5B) A notification is valid if it—
- (a) is made by a controller or processor established in the United Kingdom,
- (b) is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and
- (c) includes—
- (i) the name and contact details of the data protection officer or other contact point for the controller or processor, and
- (ii) such other information as the Commissioner may reasonably require.
- (5C) Where a valid notification is made the Commissioner must, without undue delay—
- (a) decide whether or not to approve the rules, and
- (b) notify the controller or processor of that decision.
- (6) The Commissioner must keep the operation of this paragraph under review.
- (7) In this paragraph—
- “*adequacy decision*” means a decision made on the basis of—Article 45(3) of the EU GDPR, orArticle 25(6) of Directive [95/46/EC](https://www.legislation.gov.uk/eudr/1995/46) of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- “*binding corporate rules*” has the meaning given in Article 4(20) of the UK GDPR.
- (8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.
##### 10
- (1) On and after IP completion day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—
- (a) in the case of a third country, the country or a relevant territory or sector within the country, or
- (b) in the case of an international organisation, the organisation.
- (2) Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).
- (3) The Secretary of State may by regulations—
- (a) repeal sub-paragraphs (1) and (2) and paragraph 11;
- (b) amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;
- (c) amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).
- (4) Regulations under this paragraph may, among other things—
- (a) identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
- (b) confer a discretion on a person.
- (5) Regulations under this paragraph are subject to the negative resolution procedure.
- (6) Sub-paragraphs (1) and (2) have effect in addition to section 74A(2) and (3).
##### 11
- (1) The following are specified for the purposes of paragraph 10(1)—
- (a) an EEA state;
- (aa) Switzerland;
- (b) Gibraltar;
- (c) a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before IP completion day, had been repealed or was suspended.
- (2) Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).
- (3) The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (4) and (5).
- (4) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.
- (5) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—
- (a) transfers from the European Union (or the European Community) or the European Economic Area, or
- (b) transfers to which the Law Enforcement Directive applies,
it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).
##### 12
In section 74B(1), (3), (6) and (7)—
- (a) references to regulations made under section 74A (other than references to making such regulations) include the provision made in paragraph 11;
- (b) references to the revocation of such regulations include the repeal of all or part of paragraph 11.
## Part 4 — Repeal of provisions in Chapter 3 of Part 2
##### 13
- (1) Regulations made under section 23 before IP completion day continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- (2) The provisions listed in section 186(3) include regulations made under section 23 before IP completion day (and not revoked).
- (3) Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.
##### 14
- (1) This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before IP completion day.
- (2) A reference in the certificate to a provision of the applied GDPR has effect, on and after IP completion day, as if it were a reference to the corresponding provision of the UK GDPR or this Act.
## Part 5 — The Information Commissioner
##### 15
The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after IP completion day.
## Part 6 — Enforcement
##### 16
In relation to an infringement, before IP completion day, of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—
- (a) Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted “20 million Euros”;
- (b) Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted “10 million Euros”;
- (c) the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.
#### GDPR: right to an effective remedy against the Commissioner
##### 17
- (1) This paragraph applies where—
- (a) proceedings are brought against a decision made by the Commissioner before IP completion day, and
- (b) the Commissioner's decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.
- (2) The Commissioner must forward the Board's opinion or decision to the court or tribunal dealing with the proceedings.
### Immigration: additional safeguard: decisions for the purposes of paragraph 4(1) and requirement to have regard to immigration exemption policy document
##### 4A
- (1) The Secretary of State must—
- (a) determine the extent to which the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) on a case by case basis, and
- (b) have regard, when making such a determination, to the immigration exemption policy document.
- (2) The Secretary of State must also—
- (a) review the immigration exemption policy document and (if appropriate) update it from time to time;
- (b) publish it, and any update to it, in such manner as the Secretary of State considers appropriate.
- (3) In this paragraph and paragraph 4B “*the relevant UK GDPR provisions*” means the provisions of the UK GDPR listed in paragraph 4(2).
### Immigration: additional safeguard: record etc of decision that exemption applies
##### 4B
- (1) Where the Secretary of State determines in any particular case that the application of any of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b), the Secretary of State must—
- (a) keep a record of that determination and the reasons for it, and
- (b) inform the data subject of that determination.
- (2) But the Secretary of State is not required to comply with sub-paragraph (1)(b) if doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).
##### 15A
The Provost Marshal for serious crime.
##### 18A
The Service Police Complaints Commissioner.
#### The applied GDPR
##### 183B
- (1) This section is about the relationship between—
- (a) a pre-commencement enactment which imposes a duty, or confers a power, to process personal data, and
- (b) a provision of the main data protection legislation containing a requirement relating to the processing of personal data.
- (2) The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).
- (3) Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship.
- (4) Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another.
- (5) In this section—
- (a) “*the main data protection legislation*” and “*requirement*” have the same meaning as in section 183A, and
- (b) “*pre-commencement enactment*” means an enactment so far as passed or made before the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force.
- (6) Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).
##### 186A
- (1) This section is about the relationship between—
- (a) a pre-commencement enactment which prohibits or restricts the disclosure of information or authorises the withholding of information, and
- (b) a provision of the UK GDPR or this Act listed in section 186(2).
- (2) The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).
- (3) Subsection (1) of section 186 does not apply to the relationship so far as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section).
- (4) Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another.
- (5) In this section, “*pre-commencement enactment*” means an enactment so far as passed or made before the day on which section 106(4) of the Data (Use and Access) Act 2025 comes into force, other than an enactment contained in, or made under, a provision listed in section 186(2) or (3).
#### Overview
### Relevant international law
##### 9A
- (1) Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.
- (2) A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.
- (3) The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—
- (a) conditions,
- (b) provision about the purposes for which a condition may be relied on, and
- (c) safeguards in connection with processing carried out in reliance on a condition in the Schedule.
- (4) Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.
- (5) Regulations under this section are subject to the affirmative resolution procedure.
- (6) In this section, “*treaty*” and “*ratified*” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).
#### Special categories of personal data etc: supplementary
#### Manual unstructured data used in longstanding historical research
##### 42A
- (1) The Secretary of State may by regulations—
- (a) make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
- (b) make provision so that added processing is not sensitive processing for the purposes of this Part,
- (c) make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and
- (d) make provision varying such a condition as it relates to added processing.
- (2) In subsection [(1)](#p08307)—
- “*added processing*” means a description of processing which is sensitive processing by virtue of provision made under subsection [(1)](#p08307)[(a)](#p08310);
- “*protected condition in Schedule 8*” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).
- (3) Regulations under this section may amend this Part and sections 205 and 206.
- (4) Regulations under this section are subject to the affirmative resolution procedure.
##### 50A
- (1) For the purposes of sections [50B](#p09376) and [50C](#p09391)—
- (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
- (b) a decision is a significant decision, in relation to a data subject, if—
- (i) it produces an adverse legal effect for the data subject, or
- (ii) it has a similarly significant adverse effect for the data subject.
- (2) When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.
##### 50B
- (1) A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.
- (2) The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
- (3) The second condition is that the decision is required or authorised by law.
##### 50C
- (1) Subject to subsection [(3)](#p09432), where a significant decision taken by or on behalf of a controller in relation to a data subject is—
- (a) based entirely or partly on personal data, and
- (b) based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection [(2)](#p09411) and any regulations under section 50D(4).
- (2) The safeguards must consist of or include measures which—
- (a) provide the data subject with information about decisions described in subsection [(1)](#p09393) taken in relation to the data subject;
- (b) enable the data subject to make representations about such decisions;
- (c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
- (d) enable the data subject to contest such decisions.
- (3) Subsections (1) and (2) do not apply in relation to a significant decision if—
- (a) exemption from those provisions is required for a reason listed in subsection [(4)](#p09451),
- (b) the controller reconsiders the decision as soon as reasonably practicable, and
- (c) there is meaningful human involvement in the reconsideration of the decision.
- (4) Those reasons are—
- (a) to avoid obstructing an official or legal inquiry, investigation or procedure;
- (b) to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- (c) to protect public security;
- (d) to safeguard national security;
- (e) to protect the rights and freedoms of others.
- (5) When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.
##### 50D
- (1) The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.
- (2) The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.
- (3) Regulations under subsection (1) or (2) may amend section 50A.
- (4) The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—
- (a) provision requiring the safeguards to include measures in addition to those described in section 50C(2),
- (b) provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and
- (c) provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to [(d)](#p09427) of section 50C(2).
- (5) Regulations under this section are subject to the affirmative resolution procedure.
##### 74AA
- (1) For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to—
- (a) a third country, or
- (b) an international organisation.
- (2) The Secretary of State may only make regulations under this section approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see [section 74AB](#p19276)).
- (3) In making regulations under this section, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.
- (4) Regulations under this section may, among other things—
- (a) make provision by reference to a third country or international organisation specified in the regulations or a description of country or organisation;
- (b) approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;
- (c) identify a transfer of personal data by any means, including by reference to—
- (i) a sector or geographic area within a third country,
- (ii) the controller or processor,
- (iii) the recipient of the personal data,
- (iv) the personal data transferred,
- (v) the means by which the transfer is made, or
- (vi) relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;
- (d) confer a discretion on a person.
- (5) Regulations under this section are subject to the negative resolution procedure.
##### 74AB
- (1) For the purposes of section 74AA, the data protection test is met in relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—
- (a) this Part, and
- (b) Parts 5 to 7, so far as relevant to law enforcement processing.
- (2) In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—
- (a) respect for the rule of law and for human rights in the country or by the organisation,
- (b) the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,
- (c) arrangements for judicial or non-judicial redress for data subjects in connection with such processing,
- (d) rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,
- (e) relevant international obligations of the country or organisation, and
- (f) the constitution, traditions and culture of the country or organisation.
- (3) In subsections (1) and (2)—
- (a) the references to the protection provided for data subjects are to that protection taken as a whole,
- (b) the references to law enforcement processing are to processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and
- (c) the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2).
- (4) When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))—
- (a) the references in subsections (1) to (3) to personal data are to be read as references only to personal data likely to be the subject of such transfers, and
- (b) the reference in subsection (2)(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.
##### 91A
- (1) The Secretary of State may by regulations—
- (a) make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
- (b) make provision so that added processing is not sensitive processing for the purposes of this Part,
- (c) make provision so that a protected condition in Schedule 10 may or may not be relied on in connection with added processing, and
- (d) make provision varying such a condition as it relates to added processing.
- (2) In subsection [(1)](#p08383)—
- “*added processing*” means a description of processing which is sensitive processing by virtue of provision made under subsection [(1)](#p08383)[(a)](#p08386);
- “*protected condition in Schedule 10*” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3).
- (3) Regulations under this section may amend this Part and sections 205 and 206.
- (4) Regulations under this section are subject to the affirmative resolution procedure.
##### 124A
- (1) The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.
- (2) Regulations under this section—
- (a) must describe the personal data or processing to which the code of practice is to relate, and
- (b) may describe the persons or classes of person to whom it is to relate.
- (3) Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
- (4) Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
- (a) trade associations;
- (b) data subjects;
- (c) persons who appear to the Commissioner to represent the interests of data subjects.
- (5) A code under this section may include transitional provision or savings.
- (6) Regulations under this section are subject to the negative resolution procedure.
- (7) In this section—
- “*good practice in the processing of personal data*” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
- “*trade association*” includes a body representing controllers or processors.
##### 124B
- (1) This section applies where a code is prepared under section 121, 122, 123, 124 or [124A](#p11128), subject to subsection [(11)](#p11428).
- (2) The Commissioner must establish a panel of individuals to consider the code.
- (3) The panel must consist of—
- (a) individuals the Commissioner considers have expertise in the subject matter of the code, and
- (b) individuals the Commissioner considers—
- (i) are likely to be affected by the code, or
- (ii) represent persons likely to be affected by the code.
- (4) Before the panel begins to consider the code, the Commissioner must—
- (a) publish the code in draft, and
- (b) publish a statement that—
- (i) states that a panel has been established to consider the code,
- (ii) identifies the members of the panel,
- (iii) explains the process by which they were selected, and
- (iv) explains the reasons for their selection.
- (5) Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.
- (6) Where the Commissioner selects an individual to be a member of the panel under subsection [(5)](#p11361), the Commissioner must publish a statement that—
- (a) identifies the member of the panel,
- (b) explains the process by which the member was selected, and
- (c) explains the reasons for the member’s selection.
- (7) The Commissioner must make arrangements—
- (a) for the members of the panel to consider the code with one another (whether in person or otherwise), and
- (b) for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner.
- (8) If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—
- (a) make any alterations to the code that the Commissioner considers appropriate in the light of the report, and
- (b) publish—
- (i) the code in draft,
- (ii) the report or a summary of it, and
- (iii) in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.
- (9) The Commissioner may pay remuneration and expenses to the members of the panel.
- (10) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or [124A](#p11128) as it applies in relation to codes prepared under those sections, subject to subsection [(11)](#p11428).
- (11) The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of—
- (a) a code prepared under section [124A](#p11128), or
- (b) an amendment of such a code,
that is specified or described in the regulations.
- (12) Regulations under this section are subject to the negative resolution procedure.
##### 124C
- (1) Where a code is prepared under section 121, 122, 123, 124 or [124A](#p11128), the Commissioner must carry out and publish an assessment of—
- (a) who would be likely to be affected by the code, and
- (b) the effect the code would be likely to have on them.
- (2) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or [124A](#p11128) as it applies in relation to codes prepared under those sections.
##### 164A
- (1) A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.
- (2) A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means.
- (3) If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.
- (4) If a controller receives a complaint under this section, the controller must without undue delay—
- (a) take appropriate steps to respond to the complaint, and
- (b) inform the complainant of the outcome of the complaint.
- (5) The reference in [subsection (4)](#p12640)[(a)](#p12643) to taking appropriate steps to respond to the complaint includes—
- (a) making enquiries into the subject matter of the complaint, to the extent appropriate, and
- (b) informing the complainant about progress on the complaint.
##### 164B
- (1) The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under [section 164A](#p12626) in periods specified or described in the regulations.
- (2) Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.
- (3) Regulations under this section may include—
- (a) provision about a matter listed in [subsection (4)](#p12691), or
- (b) provision conferring power on the Commissioner to determine those matters.
- (4) The matters are—
- (a) the form and manner in which a notification must be made,
- (b) the time at which, or period within which, a notification must be made, and
- (c) how the number of complaints made to a controller during a period is to be calculated.
- (5) Regulations under this section are subject to the negative resolution procedure.
## Schedule 12A
#### Status
##### 1
- (1) The Commission is not to be regarded—
- (a) as a servant or agent of the Crown, or
- (b) as enjoying any status, immunity or privilege of the Crown.
- (2) The Commission’s property is not to be regarded—
- (a) as property of the Crown, or
- (b) as property held on behalf of the Crown.
##### 2
- (1) The number of members of the Commission is to be determined by the Secretary of State.
- (2) That number must not be—
- (a) less than 3, or
- (b) more than 14.
- (3) The Secretary of State may by regulations substitute a different number for the number for the time being specified in sub-paragraph [(2)](#p22309)[(b)](#p22316).
- (4) Regulations under this paragraph are subject to the negative resolution procedure.
##### 3
- (1) The Commission is to consist of—
- (a) the non-executive members, and
- (b) the executive members.
- (2) The non-executive members are—
- (a) a chair appointed by His Majesty by Letters Patent on the recommendation of the Secretary of State, and
- (b) such other members as the Secretary of State may appoint.
- (3) The executive members are—
- (a) a chief executive appointed by the non-executive members or in accordance with paragraph [25](#p23058), and
- (b) such other members, if any, as the non-executive members may appoint.
- (4) The Secretary of State must consult the chair of the Commission before appointing a non-executive member.
- (5) The non-executive members must consult the Secretary of State before appointing the chief executive.
- (6) The non-executive members must consult the chief executive about whether there should be any executive members within sub-paragraph [(3)](#p22359)[(b)](#p22367) and, if so, how many there should be.
- (7) The Secretary of State may by direction set a maximum and a minimum number of executive members.
- (8) The Commission may appoint one of the non-executive members as a deputy to the chair.
##### 4
The Secretary of State must exercise the powers conferred on the Secretary of State by paragraphs [2](#p22304) and [3](#p22334) so as to secure that the number of non-executive members of the Commission is, so far as practicable, at all times greater than the number of executive members.
##### 5
- (1) The Secretary of State may not recommend a person for appointment as the chair of the Commission unless the person has been selected on merit on the basis of fair and open competition.
- (2) A person may not be appointed as a member of the Commission unless the person has been selected on merit on the basis of fair and open competition.
##### 6
- (1) Before—
- (a) recommending a person for appointment as the chair of the Commission, or
- (b) appointing a person as a non-executive member of the Commission,
the Secretary of State must be satisfied that the person does not have a conflict of interest.
- (2) The Secretary of State must check from time to time that none of the non-executive members has a conflict of interest.
- (3) The Secretary of State may require a non-executive member to provide whatever information the Secretary of State considers necessary for the purpose of checking that the member does not have a conflict of interest.
- (4) A non-executive member who is required to provide information under sub-paragraph [(3)](#p22436) must provide it within such period as may be specified by the Secretary of State.
- (5) In this Schedule, “*conflict of interest*”, in relation to a person, means a financial or other interest which is likely to affect prejudicially the discharge by the person of the person’s functions as a member of the Commission.
##### 7
- (1) The chair of the Commission holds and vacates office in accordance with the terms of the chair’s appointment, subject to the provisions of this paragraph.
- (2) The chair must be appointed for a term of not more than 7 years.
- (3) On the recommendation of the Secretary of State, His Majesty may by Letters Patent extend the term of the chair’s appointment but not so the term as extended is more than 7 years.
- (4) A person cannot be appointed as the chair more than once.
- (5) The chair may be relieved from office by His Majesty at the chair’s own request.
- (6) The chair may be removed from office by His Majesty on an Address from both Houses of Parliament.
- (7) No motion is to be made in either House of Parliament for such an Address unless the Secretary of State has presented a report to that House stating that the Secretary of State is satisfied that—
- (a) the chair is guilty of serious misconduct,
- (b) the chair has a conflict of interest (see paragraph [6](#p22417)[(5)](#p22445)),
- (c) the chair has failed to comply with paragraph [6](#p22417)[(4)](#p22440), or
- (d) the chair is unable, unfit or unwilling to carry out the chair’s functions.
##### 8
- (1) A deputy chair of the Commission may resign that office by giving written notice to the Commission.
- (2) A deputy chair of the Commission ceases to hold that office on ceasing to be a non-executive member of the Commission.
- (3) A deputy chair of the Commission may be removed from that office by the Commission.
##### 9
- (1) This paragraph applies to a non-executive member of the Commission appointed by the Secretary of State.
- (2) The member holds and vacates office in accordance with the terms of their appointment, subject to the provisions of this paragraph.
- (3) The member must be appointed for a term of not more than 7 years.
- (4) The Secretary of State may extend the term of the member’s appointment but not so that the term as extended is more than 7 years.
- (5) The Secretary of State may not appoint the member as a non-executive member of the Commission on a subsequent occasion.
- (6) The member may resign from office by giving written notice to the Secretary of State and the Commission.
- (7) The Secretary of State may remove the member from office by written notice if satisfied that—
- (a) the member is guilty of serious misconduct,
- (b) the member has a conflict of interest (see paragraph [6](#p22417)[(5)](#p22445)),
- (c) the member has failed to comply with paragraph [6](#p22417)[(4)](#p22440), or
- (d) the member is unable, unfit or unwilling to carry out the member’s functions.
- (8) At the time of removing the member from office the Secretary of State must make public the decision to do so.
- (9) The Secretary of State must—
- (a) give the member a statement of reasons for the removal, and
- (b) if asked to do so by the member, publish the statement.
##### 10
- (1) The Commission may pay to the non-executive members of the Commission such remuneration and allowances as the Secretary of State may determine.
- (2) The Commission may pay, or make provision for paying, to or in respect of the non-executive members of the Commission, such sums by way of pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the Secretary of State may determine.
- (3) The Commission may make a payment to a person of such amount as the Secretary of State may determine where—
- (a) the person ceases to be a non-executive member of the Commission otherwise than on the expiry of the person’s term of office, and
- (b) it appears to the Secretary of State that there are special circumstances which make it appropriate for the person to receive compensation.
##### 11
- (1) The executive members of the Commission are to be employees of the Commission.
- (2) The executive members are to be employed by the Commission on such terms and conditions, including those as to remuneration, as the non-executive members of the Commission may determine.
- (3) The Commission must—
- (a) pay to or in respect of the executive members of the Commission such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the non-executive members of the Commission may determine, and
- (b) provide and maintain for them such pension schemes (whether contributory or not) as the non-executive members of the Commission may determine.
##### 12
- (1) The Commission may—
- (a) appoint other employees, and
- (b) make such other arrangements for the staffing of the Commission as it considers appropriate.
- (2) In appointing an employee, the Commission must have regard to the principle of selection on merit on the basis of fair and open competition.
- (3) Employees appointed by the Commission are to be appointed on such terms and conditions, including those as to remuneration, as the Commission may determine.
- (4) The Commission may—
- (a) pay to or in respect of those employees such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of employment) as the Commission may determine, and
- (b) provide and maintain for them such pension schemes (whether contributory or not) as the Commission may determine.
##### 13
- (1) The Commission may establish committees.
- (2) A committee of the Commission may consist of or include persons who are neither members nor employees of the Commission.
- (3) But a committee of the Commission to which functions are delegated under paragraph [14](#p22695)[(1)](#p22696)[(c)](#p22707) must include at least one person who is either a member or an employee of the Commission.
- (4) Where a person who is neither a member nor an employee of the Commission is a member of a committee of the Commission, the Commission may pay to that person such remuneration and expenses as it may determine.
##### 14
- (1) The Commission may delegate any of its functions to—
- (a) a member of the Commission,
- (b) an employee of the Commission, or
- (c) a committee of the Commission.
- (2) A function is delegated under sub-paragraph [(1)](#p22696) to the extent and on the terms that the Commission determines.
- (3) A committee of the Commission may delegate any function delegated to it to a member of the committee.
- (4) A function is delegated under sub-paragraph [(3)](#p22717) to the extent and on the terms that the committee determines.
- (5) The power of a committee of the Commission to delegate a function, and to determine the extent and terms of the delegation, is subject to the Commission’s power to direct what a committee established by it may and may not do.
- (6) The delegation of a function by the Commission or a committee of the Commission under this paragraph does not prevent the Commission or the committee from exercising that function.
##### 15
The Commission may require a committee of the Commission to give the Commission advice about matters relating to the discharge of the Commission’s functions.
##### 16
- (1) The Commission may make arrangements for regulating—
- (a) its own procedure, and
- (b) the procedure of a committee of the Commission.
- (2) The non-executive members of the Commission may by majority make arrangements for regulating the procedure for the carrying out of the separate functions which are conferred on them under this Schedule.
- (3) Arrangements under this paragraph may include arrangements as to quorum and the making of decisions by a majority.
- (4) The Commission must publish arrangements which it makes under this paragraph.
- (5) This paragraph is subject to paragraph [18](#p22806).
##### 17
The Commission must make arrangements for the keeping of proper records of—
- (a) its proceedings,
- (b) the proceedings of a committee of the Commission,
- (c) the proceedings at a meeting of the non-executive members of the Commission,
- (d) anything done by a member or employee of the Commission under paragraph [14](#p22695)[(1)](#p22696), and
- (e) anything done by a member of a committee of the Commission under paragraph [14](#p22695)[(3)](#p22717).
##### 18
- (1) This paragraph applies if—
- (a) a member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the Commission,
- (b) a non-executive member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the non-executive members, or
- (c) a member of a committee of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the committee.
- (2) The member with the interest must declare it.
- (3) The declaration must be recorded in the minutes of the meeting.
- (4) The member with the interest may not take part in a discussion or decision at the meeting relating to the matter, unless—
- (a) in the case of a meeting of the Commission, the other members of the Commission who are present have resolved unanimously that the interest is to be disregarded,
- (b) in the case of a meeting of the non-executive members, the other non-executive members who are present have resolved unanimously that the interest is to be disregarded, or
- (c) in the case of a meeting of a committee, the other members of the committee who are present have, in the manner authorised by the Commission, resolved that the interest is to be disregarded.
- (5) In giving authorisation for the purposes of sub-paragraph [(4)](#p22831)[(c)](#p22842), the Commission must secure that a resolution for those purposes does not allow a member to take part in a discussion or decision at a meeting of a committee to which functions are delegated under paragraph [14](#p22695)[(1)](#p22696)[(c)](#p22707) unless the number of other members of the committee in favour of the resolution—
- (a) is not less than two thirds of those who are both present and entitled to vote on the resolution, and
- (b) is not less than its quorum.
- (6) For the purposes of this paragraph, a notification given at or sent to a meeting of the Commission that a person—
- (a) is a member of a company or firm, and
- (b) is to be regarded as interested in any matter involving that company or firm,
is to be regarded as compliance with sub-paragraph [(2)](#p22823) in relation to any such matter for the purposes of that meeting and subsequent meetings of the Commission, of the non-executive members or of a committee.
- (7) For the purposes of this paragraph, a notification given at or sent to a meeting of the non-executive members of the Commission or of a committee of the Commission that—
- (a) a person is a member of a company or firm, and
- (b) is to be regarded as interested in any matter involving that company or firm,
is to be regarded as compliance with sub-paragraph [(2)](#p22823) in relation to any such matter for the purposes of that meeting and subsequent meetings of the non-executive members or (as the case may be) of the committee.
- (8) A notification described in sub-paragraph [(6)](#p22864) or [(7)](#p22879) remains in force until it is withdrawn.
- (9) A person required to make a declaration for the purposes of this paragraph in relation to any meeting—
- (a) is not required to attend the meeting, but
- (b) is to be taken to have complied with the requirements of this paragraph if the person takes reasonable steps to secure that notice of the person’s interest is read out, and taken into consideration, at the meeting in question.
##### 19
- (1) The validity of proceedings of the Commission, of the non-executive members of the Commission or of a committee of the Commission is not affected by—
- (a) a vacancy in the membership of the Commission or of the committee,
- (b) a defect in the appointment of a member of the Commission,
- (c) a failure of the Secretary of State to comply with the requirements of paragraph [4](#p22397), or
- (d) a failure to comply with arrangements under paragraph [16](#p22743) or with a requirement under paragraph [18](#p22806).
- (2) Nothing in sub-paragraph [(1)](#p22916)[(d)](#p22932) validates proceedings of a meeting which is inquorate unless it is inquorate by reason only of a matter within sub-paragraph [(1)](#p22916)[(b)](#p22923) or [(c)](#p22927).
##### 20
The Secretary of State may make payments to the Commission.
##### 21
- (1) All fees, charges, penalties and other sums received by the Commission in carrying out its functions are to be paid to the Secretary of State.
- (2) Sub-paragraph [(1)](#p22958) does not apply where the Secretary of State otherwise directs.
- (3) Any sums received by the Secretary of State under this paragraph are to be paid into the Consolidated Fund.
##### 22
- (1) The Commission must keep proper accounts and proper records in relation to them.
- (2) The Commission must prepare a statement of accounts in respect of each financial year in the form specified by the Secretary of State.
- (3) The Commission must send a copy of each statement of accounts to the Secretary of State and the Comptroller and Auditor General before the end of August next following the financial year to which the statement relates.
- (4) The Comptroller and Auditor General must—
- (a) examine, certify and report on the statement of accounts, and
- (b) send a copy of the certified statement and the report to the Secretary of State.
- (5) The Secretary of State must lay before Parliament each document received under sub-paragraph [(4)](#p22987)[(b)](#p22994).
- (6) In this paragraph “*financial year*” means—
- (a) the period beginning with the date on which the Commission is established and ending with the 31 March following that date, and
- (b) each successive period of 12 months.
##### 23
- (1) The application of the Commission’s seal must be authenticated by the signature of—
- (a) the chair of the Commission, or
- (b) another person authorised for that purpose by the Commission.
- (2) A document purporting to be duly executed under the Commission’s seal or signed on its behalf—
- (a) is to be received in evidence, and
- (b) is to be taken to be executed or signed in that way, unless the contrary is shown.
- (3) This paragraph does not extend to Scotland.
##### 24
The Commission may do anything it thinks appropriate for the purposes of, or in connection with, its functions.
##### 25
- (1) The first chief executive of the Commission is to be appointed by the chair of the Commission.
- (2) Before making the appointment the chair must consult the Secretary of State.
- (3) The appointment must be for a term of not more than 2 years.
- (4) The chair may extend the term of the appointment but not so the term as extended is more than 2 years.
- (5) For the term of appointment, the person appointed under sub-paragraph [(1)](#p23059) is “the interim chief executive”.
- (6) Until the expiry of the term of appointment, the powers conferred on the non-executive members by paragraph [11](#p22612)[(2)](#p22617) and [(3)](#p22621) are exercisable in respect of the interim chief executive by the chair (instead of by the non-executive members).
- (7) In sub-paragraphs [(5)](#p23075) and [(6)](#p23080), the references to the term of appointment are to the term of appointment described in sub-paragraph [(3)](#p23067), including any extension of the term under sub-paragraph [(4)](#p23071).
##### 26
In this Schedule—
- (a) references to pensions, allowances or gratuities include references to any similar benefits provided on death or retirement, and
- (b) references to the payment of pensions, allowances or gratuities to or in respect of a person include references to the making of payments towards the provision of pensions, allowances or gratuities to be paid to or in respect of a person.
#### The applied GDPR
#### GDPR: right to an effective remedy against the Commissioner
##### 40A
- (1) This section is about processing of personal data that is carried out in reliance on the consent of the data subject.
- (2) The controller must be able to demonstrate that the data subject consented to the processing.
- (3) If the data subject’s consent is given in writing as part of a document which also concerns other matters, the request for consent must be made—
- (a) in a manner which clearly distinguishes the request from the other matters,
- (b) in an intelligible and easily accessible form, and
- (c) in clear and plain language.
- (4) Any part of a document described in subsection (3) which constitutes an infringement of this Part is not binding.
- (5) The data subject may withdraw the consent at any time (but the withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal).
- (6) Processing may only be carried out in reliance on consent if—
- (a) before the consent is given, the controller or processor informs the data subject of the right to withdraw it, and
- (b) it is as easy for the data subject to withdraw the consent as to give it.
- (7) When assessing whether consent is freely given, account must be taken of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.
##### 141A
- (1) This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.
- (2) The notice may be given to the person by—
- (a) delivering it by hand to a relevant individual,
- (b) leaving it at the person’s proper address,
- (c) sending it by post to the person at that address, or
- (d) sending it by email to the person’s email address.
- (3) A “*relevant individual*” means—
- (a) in the case of a notice to an individual, that individual;
- (b) in the case of a notice to a body corporate (other than a partnership), an officer of that body;
- (c) in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business;
- (d) in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body.
- (4) For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—
- (a) in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;
- (b) in any other case, the address determined in accordance with subsection (5).
- (5) The address is—
- (a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
- (b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
- (c) in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.
- (6) A person’s email address is—
- (a) an email address published for the time being by that person as an address for contacting that person, or
- (b) if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.
- (7) A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.
- (8) In this section, “*officer*”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body.
- (9) This section does not limit other lawful means of giving a notice.
##### 45A
- (1) Sections 44(2) and 45(1) do not require the controller to give the data subject—
- (a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or
- (b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
- (2) A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—
- (a) the decision to rely on the exemption,
- (b) the reason for the decision,
- (c) the data subject’s right to make a request to the Commissioner under section 51,
- (d) the data subject’s right to lodge a complaint with the Commissioner under section 165, and
- (e) the data subject’s right to apply to a court under section 167.
- (3) Subsection (2)(a) and (b) do not apply to the extent that complying with them would—
- (a) undermine a claim described in subsection (1)(a), or
- (b) conflict with a duty described in subsection (1)(b).
- (4) The controller must—
- (a) record the reason for a decision to rely on the exemption in subsection (1), and
- (b) if requested to do so by the Commissioner, make the record available to the Commissioner.
- (5) The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).
### Codes of conduct
##### 71A
- (1) The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part.
- (2) Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.
- (3) For the purposes of this section—
- (a) “*public body*” means a body or other person whose functions are, or include, functions of a public nature, and
- (b) a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).
- (4) A code of conduct described in subsection (1) may, for example, make provision with regard to—
- (a) lawful and fair processing;
- (b) the collection of personal data;
- (c) the information provided to the public and to data subjects;
- (d) the exercise of the rights of data subjects;
- (e) the measures and procedures referred to in sections 56, 57 and 62;
- (f) the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects;
- (g) the transfer of personal data to third countries or international organisations;
- (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing.
- (5) The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.
- (6) Where an expert public body does so, the Commissioner must—
- (a) provide the body with an opinion on whether the code correctly reflects the requirements of this Part,
- (b) decide whether to approve the code, and
- (c) if the code is approved, register and publish the code.
- (7) Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.
##### 78A
- (1) A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.
- (2) The provisions are—
- (a) Chapter 2 of this Part (principles), except for the provisions listed in subsection (3);
- (b) Chapter 3 of this Part (rights of the data subject);
- (c) in Chapter 4 of this Part—
- (i) section 67 (notification of personal data breach to the Commissioner);
- (ii) section 68 (communication of personal data breach to the data subject);
- (d) Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4);
- (e) in Part 5—
- (i) section 119 (inspection in accordance with international obligations);
- (ii) in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2;
- (f) in Part 6—
- (i) sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);
- (ii) sections 170 to 173 (offences relating to personal data);
- (g) in Part 7, section 187 (representation of data subjects).
- (3) The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are—
- (a) section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful;
- (b) section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing);
- (c) section 42 (safeguards: sensitive processing);
- (d) Schedule 8 (conditions for sensitive processing).
- (4) The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are—
- (a) the following provisions of section 73—
- (i) subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);
- (ii) subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State);
- (b) section 78 (subsequent transfers).
##### 82A
- (1) For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where—
- (a) an application for designation of the processing is made in accordance with this section, and
- (b) the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security.
- (2) The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service.
- (3) The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to—
- (a) a country or territory outside the United Kingdom, or
- (b) an international organisation.
- (4) A designation notice must—
- (a) specify or describe the processing and qualifying competent authority that are designated, and
- (b) be given to the applicants for the designation (and see also section 82D).
- (5) An application for designation of processing of personal data by a qualifying competent authority must be made jointly by—
- (a) the qualifying competent authority, and
- (b) the intelligence service with which the processing is to be carried out.
- (6) An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service.
- (7) The application must—
- (a) describe the processing, including the intended purposes and means of processing, and
- (b) explain why the applicants consider that designation is required for the purposes of safeguarding national security.
- (8) Before giving a designation notice, the Secretary of State must consult the Commissioner.
- (9) In this section, “*joint controller*”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104.
##### 82B
- (1) A designation notice must state when it comes into force.
- (2) A designation notice ceases to be in force at the earliest of the following times—
- (a) at the end of the period of 5 years beginning when the notice comes into force;
- (b) (if relevant) at the end of a shorter period specified in the notice;
- (c) when the notice is withdrawn under section 82C.
- (3) The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice.
##### 82C
- (1) Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force.
- (2) A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security.
- (3) A person who applied for the designation of the processing must, on a request from the Secretary of State, provide—
- (a) a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and
- (b) an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security.
- (4) The Secretary of State must at least annually—
- (a) review each designation notice that is for the time being in force, and
- (b) consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security.
- (5) The Secretary of State—
- (a) may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and
- (b) must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise).
- (6) A withdrawal notice must—
- (a) withdraw the designation notice completely, and
- (b) state when it comes into force.
- (7) In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider—
- (a) the desirability of the processing ceasing to be designated as soon as possible, and
- (b) where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data.
##### 82D
- (1) Where the Secretary of State gives a designation notice—
- (a) the Secretary of State must send a copy of the notice to the Commissioner, and
- (b) the Commissioner must publish a record of the notice.
- (2) The record must contain—
- (a) the Secretary of State’s name,
- (b) the date on which the notice was given,
- (c) the date on which the notice ceases to have effect (if not previously withdrawn), and
- (d) subject to subsection (3), the rest of the text of the notice.
- (3) The Commissioner must not publish the text, or a part of the text, of the notice if—
- (a) the Secretary of State has determined that publishing the text or that part of the text—
- (i) would be against the interests of national security,
- (ii) would be contrary to the public interest, or
- (iii) might jeopardise the safety of any person, and
- (b) the Secretary of State has notified the Commissioner of that determination.
- (4) The Commissioner must keep the record of the notice available to the public while the notice is in force.
- (5) Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner.
##### 82E
- (1) A person directly affected by a designation notice may appeal to the Tribunal against the notice.
- (2) If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may—
- (a) allow the appeal, and
- (b) quash the notice.
### The Information Commission
##### 114A
- (1) A body corporate called the Information Commission is established.
- (2) Schedule 12A makes further provision about the Commission.
### Duties in carrying out functions
##### 120A
It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—
- (a) to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and
- (b) to promote public trust and confidence in the processing of personal data.
##### 120B
In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—
- (a) the desirability of promoting innovation;
- (b) the desirability of promoting competition;
- (c) the importance of the prevention, investigation, detection and prosecution of criminal offences;
- (d) the need to safeguard public security and national security;
- (e) the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
##### 120C
- (1) The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—
- (a) sections 120A and 120B,
- (b) section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and
- (c) section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).
- (2) The Commissioner must—
- (a) review the strategy from time to time, and
- (b) revise the strategy as appropriate.
- (3) The Commissioner must publish the strategy and any revised strategy.
##### 120D
- (1) The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.
- (2) The persons are—
- (a) such persons exercising regulatory functions as the Commissioner considers appropriate;
- (b) such other persons as the Commissioner considers appropriate.
- (3) In this section, “*regulatory function*” has the meaning given by section 111 of the Deregulation Act 2015.
##### 139A
- (1) The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators.
- (2) The analysis must be prepared and published at least annually.
- (3) In this section, “*key performance indicators*” means factors by reference to which the Commissioner’s performance can be measured most effectively.
### Documents and notices
##### 161A
- (1) The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).
- (2) The report must include the following information about UK GDPR investigations—
- (a) the number of investigations begun, continued or completed by the Commissioner during the reporting period,
- (b) the different types of act and omission that were the subject matter of the investigations,
- (c) the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations,
- (d) the duration of investigations that ended in the reporting period, and
- (e) the different types of outcome in investigations that ended in that period.
- (3) The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with—
- (a) processing of personal data by a competent authority for any of the law enforcement purposes, and
- (b) processing of personal data to which Part 4 applies.
- (4) The information included in the report in accordance with subsections (2) and (3) must include information about—
- (a) the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and
- (b) the reasons why that happened.
- (5) The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).
- (6) In this section—
- “*enforcement powers*” means the powers under—Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR, sections 142 to 159 of this Act, paragraph 2(a), (b) and (c) of Schedule 13 to this Act, and Schedules 15 and 16 to this Act;
- “*the law enforcement purposes*” has the meaning given in section 31 of this Act;
- “*the reporting period*” means the period to which the report relates;
- “*UK GDPR investigation*” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).
##### 180A
- (1) This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—
- (a) Article 15 of the UK GDPR (right of access by the data subject);
- (b) Article 20 of the UK GDPR (right to data portability);
- (c) section 45 of this Act (law enforcement processing: right of access by the data subject);
- (d) section 94 of this Act (intelligence services processing: right of access by the data subject).
- (2) The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.
- (3) But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.
- (4) Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.
### Prohibitions and restrictions etc on processing
##### 183A
- (1) A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data.
- (2) Subsection (1) does not apply—
- (a) to a relevant enactment forming part of the main data protection legislation, or
- (b) to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation).
- (3) Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power.
- (4) In this section—
- “*the main data protection legislation*” means the data protection legislation other than provision of or made under—Chapter 6 or 8 of the UK GDPR, or Parts 5 to 7 of this Act;
- “*relevant enactment*” means an enactment so far as passed or made on or after 20th August 2025;
- “*requirement*” includes a prohibition or restriction.
- (5) The reference in subsection (1) to an enactment or rule of law which imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)—
- (a) by authorising one person to require another person to process personal data, or
- (b) by removing restrictions on processing personal data,
and the references in subsection (3) to a duty or power are to be read accordingly.
## Schedule A1
This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.
##### 57
The Border Security Commander.
##### 146A
- (1) This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report.
- (2) The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report.
- (3) If the Commissioner is satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report.
- (4) If the Commissioner is not satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor—
- (a) inform the controller or processor that the Commissioner has decided not to approve the nominated person to prepare the report,
- (b) inform the controller or processor of the reasons for that decision, and
- (c) approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.
- (5) If the controller or processor does not nominate a person within the period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.
- (6) It is the duty of the controller or processor to give the person approved to prepare the report all such assistance as the person may reasonably require to prepare the report.
### Interview notices
##### 148A
- (1) This section applies where the Commissioner suspects that a controller or processor—
- (a) has failed or is failing as described in section 149(2), or
- (b) has committed or is committing an offence under this Act.
- (2) For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to—
- (a) attend at a place specified in the notice, and
- (b) answer questions with respect to any matter relevant to the investigation.
- (3) An individual is within this subsection if the individual—
- (a) is the controller or processor,
- (b) is or was at any time employed by, or otherwise working for, the controller or processor, or
- (c) is or was at any time concerned in the management or control of the controller or processor.
- (4) An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)).
- (5) An interview notice must—
- (a) indicate the nature of the suspected failure or offence that is the subject of the investigation,
- (b) provide information about the consequences of failure to comply with the notice, and
- (c) provide information about the rights under sections 162 and 164 (appeals etc).
- (6) An interview notice may not require an individual to attend at the specified place and answer questions before the end of the period within which an appeal can be brought against the notice.
- (7) If an appeal is brought against an interview notice, the individual to whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal.
- (8) If an interview notice—
- (a) states that, in the Commissioner’s opinion, it is necessary for the individual to attend at the specified place and answer questions urgently, and
- (b) gives the Commissioner’s reasons for reaching that opinion,
subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given.
- (9) The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given.
##### 148B
- (1) An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.
- (2) An interview notice does not require an individual to answer questions in respect of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client, and
- (b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
- (3) An interview notice does not require an individual to answer questions in respect of a communication which is made—
- (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,
- (b) in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
- (c) for the purposes of such proceedings.
- (4) In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client.
- (5) An interview notice does not require an individual to answer questions if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence.
- (6) The reference to an offence in subsection (5) does not include an offence under—
- (a) this Act;
- (b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);
- (c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);
- (d) Article 10 of the Perjury (Northern Ireland) Order 1979 ([S.I. 1979/1714 (N.I. 19)](https://www.legislation.gov.uk/nisi/1979/1714)) (false statutory declarations and other false unsworn statements).
- (7) A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings—
- (a) in giving evidence the individual provides information inconsistent with the statement, and
- (b) evidence relating to the statement is adduced, or a question relating to it is asked, by that individual or on that individual’s behalf.
- (8) The Commissioner may not give an interview notice with respect to the processing of personal data for the special purposes.
- (9) The Commissioner may not give an interview notice to an individual for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters).
##### 148C
It is an offence for an individual, in response to an interview notice—
- (a) to make a statement which the individual knows to be false in a material respect, or
- (b) recklessly to make a statement which is false in a material respect.
### Interview notices
##### 3A
- (1) Sub-paragraph (2) applies where the Commissioner gives an interview notice to an individual during a relevant period.
- (2) If the interview notice—
- (a) states that, in the Commissioner’s opinion, it is necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and
- (b) gives the Commissioner’s reasons for reaching that opinion,
subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given.
- (3) During a relevant period, section 148B has effect as if for subsection (8) there were substituted—
> (8) The Commissioner may not give an individual an interview notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.
##### 13A
- (1) The Secretary of State may by regulations amend the table in Article 17(5) of the UK GDPR.
- (2) Regulations under this section are subject to the affirmative resolution procedure.
#### The applied GDPR
#### GDPR: right to an effective remedy against the Commissioner
2018-05-23
Data Protection Act 2018
original version