Legislation – Data Protection Act 2018

This Chapter also applies to the manual unstructured processing of personal data held by an FOI public authority.

This Chapter does not apply to the processing of personal data by an individual in the course of a purely personal or household activity.

The GDPR applies to the processing of personal data to which this Chapter applies but as if its Articles were part of an Act extending to England and Wales, Scotland and Northern Ireland.

Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR.

In this Chapter, “the applied Chapter 2 ” means Chapter 2 of this Part as applied by this Chapter.

A question as to the meaning or effect of a provision of the applied GDPR, or the applied Chapter 2 , is to be determined consistently with the interpretation of the equivalent provision of the GDPR, or Chapter 2 of this Part, as it applies otherwise than by virtue of this Chapter, except so far as Schedule 6 requires a different interpretation.

The Secretary of State may by regulations make provision in connection with the processing of personal data to which this Chapter applies which is equivalent to that made by GDPR regulations, subject to such modifications as the Secretary of State considers appropriate.

In this section, “GDPR regulations” means regulations made under section 2(2) of the European Communities Act 1972 which make provision relating to the GDPR.

Regulations under subsection (1) may apply a provision of GDPR regulations, with or without modification.

Regulations under this section are subject to the affirmative resolution procedure.

The provisions of the applied GDPR and this Act listed in subsection (2) do not apply to personal data to which this Chapter applies by virtue of section 21(2) (manual unstructured personal data held by FOI public authorities).

Subsection (5)(b) does not remove the controller’s obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.

An estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.

In subsections (5) and (6), “the appropriate maximum” means the maximum amount specified by the Secretary of State by regulations.

Regulations under subsection (8) are subject to the negative resolution procedure.

The exemptions in this section apply in addition to the exemptions in section 24.

Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 26(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security is conclusive evidence of that fact.

Any person directly affected by a certificate under subsection (1) may appeal to the Tribunal against the certificate.

Where, in any proceedings under or by virtue of the applied GDPR or this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.

But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.

On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.

Where Article 32 of the applied GDPR does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.