Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Article 57(3) of the UK GDPR (performance of Commissioner’s tasks…

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers approved by regulations: monitoring

75 Transfers subject to appropriate safeguards

76 Transfers based on special circumstances

Additional conditions

77 Additional conditions for transfers in reliance on section 73(4)(b)

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

146A Assessment notices: approval of person to prepare report etc

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

148A Interview notices

148B Interview notices: restrictions

148C False statements made in response to interview notices

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, SCHEDULE 21 is up to date with all changes known to be in force on or before 01 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

SCHEDULES

F1SCHEDULE 21Further transitional provision etc


Section 213

Part 1Interpretation

The applied GPDR

1

In this Schedule, “the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 before IP completion day.

Part 2Continuation of existing acts etc

Merger of the directly applicable GDPR and the applied GDPR

2

(1)

On and after IP completion day, references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—

(a)

the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, read with Chapter 2 of Part 2 of this Act as it had effect before IP completion day, and

(b)

the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before IP completion day.

(2)

On and after IP completion day, references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before IP completion day.

(3)

Sub-paragraphs (1) and (2) have effect—

(a)

in relation to references in this Act, except as otherwise provided;

(b)

in relation to references in other enactments, unless the context otherwise requires.

3

(1)

Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before IP completion day, the applied GDPR or this Act—

(a)

if in force or effective immediately before IP completion day, continues to be in force or effective on and after IP completion day, and

(b)

if in the process of being done immediately before IP completion day, continues to be done on and after IP completion day.

(2)

References in this paragraph to anything done include references to anything omitted to be done.

Part 3Transfers to third countries and international organisations

UK GDPR: F2transfers approved by regulations

4

(1)

On and after IP completion day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is F3to be treated as approved by regulations made under Article 45A of the UK GDPR if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—

(a)

in the case of a third country, the country or a relevant territory or sector within the country, or

(b)

in the case of an international organisation, the organisation.

(2)

Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).

(3)

The Secretary of State may by regulations—

(a)

repeal sub-paragraphs (1) and (2) and paragraph 5;

(b)

amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)

amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).

(4)

Regulations under this paragraph may, among other things——

(a)

identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, F4schemes, lists or other arrangements or documents, as they have effect from time to time;

(b)

confer a discretion on a person.

(5)

Regulations under this paragraph are subject to the negative resolution procedure.

F5(6)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5

(1)

The following are specified for the purposes of paragraph 4(1)—

(a)

an EEA state;

(b)

Gibraltar;

(c)

a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;

(d)

an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;

(e)

a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before IP completion day, had been repealed or was suspended;

(f)

a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before IP completion day, had been repealed or was suspended.

(2)

The decisions mentioned in sub-paragraph (1)(e) are the following—

(a)

Commission Decision 2000/518/EC of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;

(b)

Commission Decision 2002/2/EC of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;

(c)

Commission Decision 2003/490/EC of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;

(d)

Commission Decision 2003/821/EC of 21st November 2003 on the adequate protection of personal data in Guernsey;

(e)

Commission Decision 2004/411/EC of 28th April 2004 on the adequate protection of personal data in the Isle of Man;

(f)

Commission Decision 2008/393/EC of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;

(g)

Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;

(h)

Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;

(i)

Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;

(j)

Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;

(k)

Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;

(m)

Commission Implementing Decision (EU) 2019/419 of 23rd January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information.

(3)

Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).

(4)

The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (5) and (6).

(5)

For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(6)

For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—

(a)

transfers from the European Union (or the European Community) or the European Economic Area, or

(b)

transfers to which the EU GDPR applies,

it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).

6

(1)

In the provisions listed in sub-paragraph (2)—

(a)

references to regulations made under F6Article 45A of the UK GDPR (other than references to making such regulations) include the provision made in paragraph 5;

(b)

references to the revocation of such regulations include the repeal of all or part of paragraph 5.

F7(2)

Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1) and 49A(1) of the UK GDPR.

F8(3)

In its application to transfers treated as approved by virtue of paragraph 1, Article 45C(5) of the UK GDPR (transfers approved by regulations: monitoring) has effect as if the reference to Article 45A(4)(b) were omitted.

UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

F97

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F108

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules

9

(1)

F11The requirement for safeguards to be provided under Article 46(1A)(a)(i) of the UK GDPR may be satisfied on and after IP completion day as described F12in sub-paragraphs (2) to (4), subject to sub-paragraph (5).

(2)

The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.

(3)

The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—

(a)

all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU F13, of provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 F14or of the amendment of Chapter 5 of the UK GDPR by the Data (Use and Access) Act 2025, and

(b)

none of the changes alters the effect of the rules.

(4)

The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)

changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

F15(aa)

changing references to provision made by regulations under section 17A into references to provision made by regulations made under Article 45A of the UK GDPR;

(b)

changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5)

Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).

(5A)

For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—

(a)

a valid notification of the rules has been made to the Commissioner,

(b)

the Commissioner has approved them, and

(c)

that approval has not been withdrawn.

(5B)

A notification is valid if it—

(a)

is made by a controller or processor established in the United Kingdom,

(b)

is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and

(c)

includes—

(i)

the name and contact details of the data protection officer or other contact point for the controller or processor, and

(ii)

such other information as the Commissioner may reasonably require.

(5C)

Where a valid notification is made the Commissioner must, without undue delay—

(a)

decide whether or not to approve the rules, and

(b)

notify the controller or processor of that decision.

(6)

The Commissioner must keep the operation of this paragraph under review.

(7)

In this paragraph—

adequacy decision” means a decision made on the basis of—

(a)

Article 45(3) of the EU GDPR, or

(b)

Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.

(8)

This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

Part 3 (law enforcement processing): F16transfers approved by regulations

10

(1)

On and after IP completion day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is F17to be treated as approved by regulations made under section 74AA if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—

(a)

in the case of a third country, the country or a relevant territory or sector within the country, or

(b)

in the case of an international organisation, the organisation.

(2)

Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).

(3)

The Secretary of State may by regulations—

(a)

repeal sub-paragraphs (1) and (2) and paragraph 11;

(b)

amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)

amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).

(4)

Regulations under this paragraph may, among other things—

(a)

identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, F18schemes, lists or other arrangements or documents, as they have effect from time to time;

(b)

confer a discretion on a person.

(5)

Regulations under this paragraph are subject to the negative resolution procedure.

F19(6)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

11

(1)

The following are specified for the purposes of paragraph 10(1)—

(a)

an EEA state;

(aa)

Switzerland;

(b)

Gibraltar;

(c)

a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before IP completion day, had been repealed or was suspended.

(2)

Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).

(3)

The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (4) and (5).

(4)

For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(5)

For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—

(a)

transfers from the European Union (or the European Community) or the European Economic Area, or

(b)

transfers to which the Law Enforcement Directive applies,

it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).

12

F20(1)

F21In sections 74B and 76(A1)—

(a)

references to regulations made under section F2274AA (other than references to making such regulations) include the provision made in paragraph 11;

(b)

references to the revocation of such regulations include the repeal of all or part of paragraph 11.

F23(2)

In its application to transfers treated as approved by virtue of paragraph 10, section 74B(7) (transfers approved by regulations: monitoring) has effect as if the reference to section 74AA(4)(b) were omitted.

Part 4Repeal of provisions in Chapter 3 of Part 2

Applied GDPR: power to make provision in consequence of GDPR regulations

13

(1)

Regulations made under section 23 before IP completion day continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

(2)

The provisions listed in section 186(3) include regulations made under section 23 before IP completion day (and not revoked).

(3)

Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.

Applied GDPR: national security certificates

14

(1)

This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before IP completion day.

(2)

A reference in the certificate to a provision of the applied GDPR has effect, on and after IP completion day, as it if were a reference to the corresponding provision of the UK GDPR or this Act.

Part 5The Information Commissioner

Confidentiality of information

15

The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after IP completion day.

Part 6Enforcement

GDPR: maximum amount of penalties

16

In relation to an infringement, before IP completion day, of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—

(a)

Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted
20 million Euros
;

(b)

Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted
10 million Euros
;

(c)

the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.

GDPR: right to an effective remedy against the Commissioner

17

(1)

This paragraph applies where—

(a)

proceedings are brought against a decision made by the Commissioner before IP completion day, and

(b)

the Commissioner’s decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.

(2)

The Commissioner must forward the Board’s opinion or decision to the court or tribunal dealing with the proceedings.