Legislation – Data Protection Act 2018

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The GDPR

Meaning of certain terms used in the GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Restrictions on data subject’s rights

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Accreditation of certification providers

17 Accreditation of certification providers

Transfers of personal data to third countries etc

18 Transfers of personal data to third countries etc

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Other general processing

Scope

21 Processing to which this Chapter applies

Application of the GDPR

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the applied GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Information: controller’s general duties

44 Information: controller’s general duties

Data subject’s right of access

45 Right of access by the data subject

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

115 General functions under the GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation and mutual assistance

119 Inspection of personal data in accordance with international obligations

120 Further international role

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

125 Approval of codes prepared under sections 121 to 124

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Data subject’s rights and other prohibitions and restrictions

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the GDPR

SCHEDULE 3 Exemptions etc from the GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULES

SCHEDULE 6 The applied GDPR and the applied Chapter 2

Section 22

PART 1 Modifications to the GDPR

Introductory

1

In its application by virtue of section 22(1), the GDPR has effect as if it were modified as follows.

References to the GDPR and its provisions

2

(1)

References to “this Regulation” and to provisions of the GDPR have effect as references to the applied GDPR and to the provisions of the applied GDPR.

(2)

But sub-paragraph (1) does not have effect—

(a)

in the case of the references which are modified or inserted by paragraphs 9(f)(ii), 15(b), 16(a)(ii), 35, 36(a) and (e)(ii) and 38(a)(i);

(b)

in relation to the references in points (a) and (b) of paragraph 2 of Article 61, as inserted by paragraph 49.

References to Union law and Member State law

3

(1)

References to “Union law”, “Member State law”, “the law of a Member State” and “Union or Member State law” have effect as references to domestic law.

(2)

Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule.

(3)

In this paragraph, “domestic law” means the law of the United Kingdom, or of a part of the United Kingdom, and includes law in the form of an enactment, an instrument made under Her Majesty’s prerogative or a rule of law.

References to the Union and to Member States

4

(1)

References to “the Union”, “a Member State” and “Member States” have effect as references to the United Kingdom.

(2)

Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule (including paragraph 3(1)).

References to supervisory authorities

5

(1)

References to a “supervisory authority”, a “competent supervisory authority” or “supervisory authorities”, however expressed, have effect as references to the Commissioner.

(2)

Sub-paragraph (1) does not apply to the references in—

(a)

Article 4(21) as modified by paragraph 9(f);

(b)

Article 57(1)(h);

(c)

Article 61(1) inserted by paragraph 49.

(3)

Sub-paragraph (1) is also subject to the specific modifications made in this Part of this Schedule.

References to the national parliament

6

References to “the national parliament” have effect as references to both Houses of Parliament.

Chapter I of the GDPR (general provisions)

7

For Article 2 (material scope) substitute—

“2

This Regulation applies to the processing of personal data to which Chapter 3 of Part 2 of the 2018 Act applies (see section 21 of that Act).”

8

For Article 3 substitute—

“Article 3 Territorial application

Subsections (1), (2) and (7) of section 207 of the 2018 Act have effect for the purposes of this Regulation as they have effect for the purposes of that Act but as if the following were omitted—

(a)

in subsection (1), the reference to subsection (3), and

(b)

in subsection (7), the words following paragraph (d).”

9

In Article 4 (definitions)—

(a)

in paragraph (7) (meaning of “controller”), for “; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” substitute “, subject to section 6 of the 2018 Act (meaning of “controller”)”;

(b)

after paragraph (7) insert—

“(7A)

“the 2018 Act” means the Data Protection Act 2018 as applied by section 22 of that Act and further modified by section 3 of that Act.”;

(c)

omit paragraph (16) (meaning of “main establishment”);

(d)

omit paragraph (17) (meaning of “representative”);

(e)

in paragraph (20) (meaning of “binding corporate rules”), for “on the territory of a Member State” substitute “in the United Kingdom”;

(f)

in paragraph (21) (meaning of “supervisory authority”)—

(i)

after “a Member State” insert “(other than the United Kingdom)”;

(ii)

for “Article 51” substitute “Article 51 of the GDPR”;

(g)

after paragraph (21) insert—

“(21A)

“the Commissioner” means the Information Commissioner (see section 114 of the 2018 Act);”;

(h)

omit paragraph (22) (meaning of “supervisory authority concerned”);

(i)

omit paragraph (23) (meaning of “cross-border processing”);

(j)

omit paragraph (24) (meaning of “relevant and reasoned objection”);

(k)

after paragraph (26) insert—

“(27)

“the GDPR” has the meaning given in section 3(10) of the 2018 Act.

(28)

“domestic law” has the meaning given in paragraph 3(3) of Schedule 6 to the 2018 Act.”

Chapter II of the GDPR (principles)

10

In Article 6 (lawfulness of processing)—

(a)

omit paragraph 2;

(b)

in paragraph 3, for the first subparagraph substitute—

“In addition to the provision made in section 15 of and Part 1 of Schedule 2 to the 2018 Act, a legal basis for the processing referred to in point (c) and (e) of paragraph 1 may be laid down by the Secretary of State in regulations (see section 16 of the 2018 Act).”;

(c)

in paragraph 3, in the second subparagraph, for “The Union or the Member State law shall” substitute “The regulations must”.

11

In Article 8 (conditions applicable to child’s consent in relation to information society services)—

(a)

in paragraph 1, for the second subparagraph substitute—

“This paragraph is subject to section 9 of the 2018 Act.”;

(b)

in paragraph 3, for “the general contract law of Member States” substitute “the general law of contract as it operates in domestic law”.

12

In Article 9 (processing of special categories of personal data)—

(a)

in paragraph 2(a), omit “, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”;

(b)

in paragraph 2(b), for “Union or Member State law” substitute “domestic law (see section 10 of the 2018 Act)”;

(c)

in paragraph 2, for point (g) substitute—

“(g)

processing is necessary for reasons of substantial public interest and is authorised by domestic law (see section 10 of the 2018 Act);”;

(d)

in paragraph 2(h), for “Union or Member State law” substitute “domestic law (see section 10 of the 2018 Act)”;

(e)

in paragraph 2(i), for “Union or Member State law” insert “domestic law (see section 10 of the 2018 Act);”;

(f)

in paragraph 2, for point (j) substitute—

“(j)

processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) and is authorised by domestic law (see section 10 of that Act).”;

(g)

in paragraph 3, for “national competent bodies”, in both places, substitute “a national competent body of the United Kingdom”;

(h)

omit paragraph 4.

13

In Article 10 (processing of personal data relating to criminal convictions and offences), in the first sentence, for “Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” substitute “domestic law (see section 10 of the 2018 Act)”.

Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)

14

In Article 12 (transparent information etc for the exercise of the rights of the data subject), omit paragraph 8.

Section 2 of Chapter III of the GDPR (rights of the data subject: information and access to personal data)

15

In Article 13 (personal data collected from data subject: information to be provided), in paragraph 1—

(a)

in point (a), omit “and, where applicable, of the controller’s representative”;

(b)

in point (f), after “the Commission” insert “pursuant to Article 45(3) of the GDPR”.

16

In Article 14 (personal data collected other than from data subject: information to be provided)—

(a)

in paragraph 1—

(i)

in point (a), omit “and, where applicable, of the controller’s representative”;

(ii)

in point (f), after “the Commission” insert “pursuant to Article 45(3) of the GDPR”;

(b)

in paragraph 5(c), for “Union or Member State law to which the controller is subject” substitute “a rule of domestic law”.

Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)

17

In Article 17 (right to erasure (‘right to be forgotten’))—

(a)

in paragraph 1(e), for “in Union or Member State law to which the controller is subject” substitute “under domestic law”;

(b)

in paragraph 3(b), for “by Union or Member State law to which the controller is subject” substitute “under domestic law”.

18

In Article 18 (right to restriction of processing), in paragraph 2, for “of the Union or of a Member State” substitute “of the United Kingdom”.

Section 4 of Chapter III of the GDPR (rights of the data subject: right to object and automated individual decision-making)

19

In Article 21 (right to object), in paragraph 5, omit “, and notwithstanding Directive 2002/58/EC,”.

20

In Article 22 (automated individual decision-making, including profiling), for paragraph 2(b) substitute—

“(b)

is a qualifying significant decision for the purposes of section 14 of the 2018 Act; or”.

Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)

21

In Article 23 (restrictions), in paragraph 1—

(a)

for “Union or Member State law to which the data controller or processor is subject” substitute “In addition to the provision made by section 15 of and Schedules 2, 3 and 4 to the 2018 Act, the Secretary of State”;

(b)

in point (e), for “of the Union or of a Member State”, in both places, substitute “of the United Kingdom”;

(c)

after point (j) insert—

“See section 16 of the 2018 Act.”

Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)

22

In Article 26 (joint controllers), in paragraph 1, for “Union or Member State law to which the controllers are subject” substitute “domestic law”.

23

Omit Article 27 (representatives of controllers or processors not established in the Union).

24

In Article 28 (processor)—

(a)

in paragraph 3, in point (a), for “Union or Member State law to which the processor is subject” substitute “domestic law”;

(b)

in paragraph 3, in the second subparagraph, for “other Union or Member State data protection provisions” substitute “any other rule of domestic law relating to data protection”;

(c)

in paragraph 6, for “paragraphs 7 and 8” substitute “paragraph 8”;

(d)

omit paragraph 7;

(e)

in paragraph 8, omit “and in accordance with the consistency mechanism referred to in Article 63”.

25

In Article 30 (records of processing activities)—

(a)

in paragraph 1, in the first sentence, omit “and, where applicable, the controller’s representative,”;

(b)

in paragraph 1, in point (a), omit “, the controller’s representative”;

(c)

in paragraph 1, in point (g), after “32(1)” insert “or section 28(3) of the 2018 Act”;

(d)

in paragraph 2, in the first sentence, omit “and, where applicable, the processor’s representative”;

(e)

in paragraph 2, in point (a), omit “the controller’s or the processor’s representative, and”;

(f)

in paragraph 2, in point (d), after “32(1)” insert “or section 28(3) of the 2018 Act”;

(g)

in paragraph 4, omit “and, where applicable, the controller’s or the processor’s representative,”.

26

In Article 31 (co-operation with the supervisory authority), omit “and, where applicable, their representatives,”.

Section 3 of Chapter IV of the GDPR (controller and processor: data protection impact assessment and prior consultation)

27

In Article 35 (data protection impact assessment), omit paragraphs 4, 5, 6 and 10.

28

In Article 36 (prior consultation)—

(a)

for paragraph 4 substitute—

“4

The Secretary of State must consult the Commissioner during the preparation of any proposal for a legislative measure which relates to processing.”;

(b)

omit paragraph 5.

Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)

29

In Article 37 (designation of data protection officers), omit paragraph 4.

30

In Article 39 (tasks of the data protection officer), in paragraph 1(a) and (b), for “other Union or Member State data protection provisions” substitute “other rules of domestic law relating to data protection”.

Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)

31

In Article 40 (codes of conduct)—

(a)

in paragraph 1, for “The Member States, the supervisory authorities, the Board and the Commission shall” substitute “The Commissioner must”;

(b)

omit paragraph 3;

(c)

in paragraph 6, omit “, and where the code of conduct concerned does not relate to processing activities in several Member States”;

(d)

omit paragraphs 7 to 11.

32

In Article 41 (monitoring of approved codes of conduct), omit paragraph 3.

33

In Article 42 (certification)—

(a)

in paragraph 1—

(i)

for “The Member States, the supervisory authorities, the Board and the Commission” substitute “The Commissioner”;

(ii)

omit “, in particular at Union level,”;

(b)

omit paragraph 2;

(c)

in paragraph 5, omit “or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal”;

(d)

omit paragraph 8.

34

In Article 43 (certification bodies)—

(a)

in paragraph 1, in the second sentence, for “Member States shall ensure that those certification bodies are” substitute “Those certification bodies must be”;

(b)

in paragraph 2, in point (b), omit “or by the Board pursuant to Article 63”;

(c)

in paragraph 3, omit “or by the Board pursuant to Article 63”;

(d)

in paragraph 6, omit the second and third sentences;

(e)

omit paragraphs 8 and 9.

Chapter V of the GDPR (transfers of data to third countries or international organisations)

35

In Article 45 (transfers on the basis of an adequacy decision)—

(a)

in paragraph 1, after “decided” insert “in accordance with Article 45 of the GDPR”;

(b)

after paragraph 1 insert—

“1A

But a transfer of personal data to a third country or international organisation must not take place under paragraph 1, if the Commission’s decision in relation to the third country (including a territory or sector within it) or the international organisation—

(a)

is suspended,

(b)

has been amended, or

(c)

has been repealed,

by the Commission under Article 45(5) of the GDPR.”;

(c)

omit paragraphs 2 to 8;

(d)

in paragraph 9, for “of this Article” substitute “of Article 45 of the GDPR”.

36

In Article 46 (transfers subject to appropriate safeguards)—

(a)

in paragraph 1, for “Article 45(3)” substitute “Article 45(3) of the GDPR”;

(b)

in paragraph 2, omit point (c);

(c)

in paragraph 2, in point (d), omit “and approved by the Commission pursuant to the examination procedure referred to in Article 93(2)”;

(d)

omit paragraph 4;

(e)

in paragraph 5—

(i)

in the first sentence, for “a Member State or supervisory authority” substitute “the Commissioner”;

(ii)

in the second sentence, for “this Article” substitute “Article 46 of the GDPR”.

37

In Article 47 (binding corporate rules)—

(a)

in paragraph 1, in the first sentence, omit “in accordance with the consistency mechanism set out in Article 63”;

(b)

in paragraph 2, in point (e), for “the competent courts of the Member States” substitute “a court”;

(c)

in paragraph 2, in point (f), for “on the territory of a Member State” substitute “in the United Kingdom”;

(d)

omit paragraph 3.

38

In Article 49 (derogations for specific situations)—

(a)

in paragraph 1, in the first sentence—

(i)

for “Article 45(3)” substitute “Article 45(3) of the GDPR”;

(ii)

for “Article 46” substitute “Article 46 of this Regulation”;

(b)

in paragraph 4, for “Union law or in the law of the Member State to which the controller is subject” substitute “domestic law (see section 18 of the 2018 Act which makes certain provision about the public interest)”;

(c)

for paragraph 5 substitute—

“5

Paragraph 1 is subject to any regulations made under section 18(2) of the 2018 Act.”

39

In Article 50 (international co-operation for the protection of personal data), omit “the Commission and”.

Section 1 of Chapter VI of the GDPR (independent supervisory authorities: independent status)

40

In Article 51 (supervisory authority)—

(a)

in paragraph 1—

(i)

for “Each Member State shall provide for one or more independent public authorities to be” substitute “The Commissioner is”;

(ii)

omit “and to facilitate the free flow of personal data within the Union (‘supervisory authority’)”;

(b)

omit paragraphs 2 to 4.

41

In Article 52 (independence)—

(a)

in paragraph 2—

(i)

for “The member or members of each supervisory authority” substitute “The Commissioner”;

(ii)

for “their”, in both places, substitute “the Commissioner’s”;

(b)

in paragraph 3—

(i)

for “Member or members of each supervisory authority” substitute “The Commissioner”;

(ii)

for “their”, in both places, substitute “the Commissioner’s”;

(c)

omit paragraphs 4 to 6.

42

Omit Article 53 (general conditions for the members of the supervisory authority).

43

Omit Article 54 (rules on the establishment of the supervisory authority).

Section 2 of Chapter VI of the GDPR (independent supervisory authorities: competence, tasks and powers)

44

In Article 55 (competence)—

(a)

in paragraph 1, omit “on the territory of its own Member State”;

(b)

omit paragraph 2.

45

Omit Article 56 (competence of the lead supervisory authority).

46

In Article 57 (tasks)—

(a)

in paragraph 1, in the first sentence, for “each supervisory authority shall on its territory” substitute “the Commissioner is to”;

(b)

in paragraph 1, in point (e), omit “and, if appropriate, cooperate with the supervisory authorities in other Member States to that end”;

(c)

in paragraph 1, in point (f), omit “or coordination with another supervisory authority”;

(d)

in paragraph 1, omit points (g), (k) and (t);

(e)

after paragraph 1 insert—

“1A

In this Article and Article 58, references to “this Regulation” have effect as references to this Regulation and section 28(3) of the 2018 Act.”

47

In Article 58 (powers)—

(a)

in paragraph 1, in point (a), omit “, and, where applicable, the controller’s or the processor’s representative”;

(b)

in paragraph 1, in point (f), for “Union or Member State procedural law” substitute “domestic law”;

(c)

in paragraph 3, in point (b), for “the Member State government” substitute “the Secretary of State”;

(d)

in paragraph 3, omit point (c);

(e)

omit paragraphs 4 to 6.

48

In Article 59 (activity reports)—

(a)

for “, the government and other authorities as designated by Member State law” substitute “and the Secretary of State”;

(b)

omit “, to the Commission and to the Board”.

Chapter VII of the GDPR (co-operation and consistency)

49

For Articles 60 to 76 substitute—

“Article 61 Co-operation with other supervisory authorities etc

1

The Commissioner may, in connection with carrying out the Commissioner’s functions under this Regulation—

(a)

co-operate with, provide assistance to and seek assistance from other supervisory authorities;

(b)

conduct joint operations with other supervisory authorities, including joint investigations and joint enforcement measures.

2

The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to—

(a)

decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR;

(b)

any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”

Chapter VIII of the GDPR (remedies, liability and penalties)

50

In Article 77 (right to lodge a complaint with a supervisory authority)—

(a)

in paragraph 1, omit “in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement”;

(b)

in paragraph 2, for “The supervisory authority with which the complaint has been lodged” substitute “The Commissioner”.

51

In Article 78 (right to an effective judicial remedy against a supervisory authority)—

(a)

omit paragraph 2;

(b)

for paragraph 3 substitute—

“3

Proceedings against the Commissioner are to be brought before a court in the United Kingdom.”;

(c)

omit paragraph 4.

52

In Article 79 (right to an effective judicial remedy against a controller or processor), for paragraph 2 substitute—

“2

Proceedings against a controller or a processor are to be brought before a court (see section 180 of the 2018 Act).”

53

In Article 80 (representation of data subjects)—

(a)

in paragraph 1, omit “where provided for by Member State law”;

(b)

in paragraph 2, for “Member States” substitute “The Secretary of State”;

(c)

after that paragraph insert—

“3

The power under paragraph 2 may only be exercised by making regulations under section 190 of the 2018 Act.”

54

Omit Article 81 (suspension of proceedings).

55

In Article 82 (right to compensation and liability), for paragraph 6 substitute—

“6

Proceedings for exercising the right to receive compensation are to be brought before a court (see section 180 of the 2018 Act).”

56

In Article 83 (general conditions for imposing administrative fines)—

(a)

in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “under Part 5 or 6 of Schedule 2 to the 2018 Act or under regulations made under section 16 of that Act”;

(b)

in paragraph 7—

(i)

for “each Member State” substitute “the Secretary of State”;

(ii)

for “that Member State” substitute “the United Kingdom”;

(c)

for paragraph 8 substitute—

“8

Section 115(9) of the 2018 Act makes provision about the exercise of the Commissioner’s powers under this Article.”;

(d)

omit paragraph 9.

57

In Article 84 (penalties)—

(a)

for paragraph 1 substitute—

“1

The rules on other penalties applicable to infringements of this Regulation are set out in the 2018 Act (see in particular Part 6 (enforcement)).”;

(b)

omit paragraph 2.

Chapter IX of the GDPR (provisions relating to specific processing situations)

58

In Article 85 (processing and freedom of expression and information)—

(a)

omit paragraph 1;

(b)

in paragraph 2, for “Member States shall” substitute “the Secretary of State, in addition to the relevant provisions, may by way of regulations (see section 16 of the 2018 Act),”;

(c)

in paragraph 2, at the end insert—

“In this paragraph, “the relevant provisions” means section 15 of and Part 5 of Schedule 2 to the 2018 Act.”;

(d)

omit paragraph 3.

59

In Article 86 (processing and public access to official documents), for “Union or Member State law to which the public authority or body is subject” substitute “domestic law”.

60

Omit Article 87 (processing of national identification number).

61

Omit Article 88 (processing in the context of employment).

62

In Article 89 (safeguards and derogations relating to processing for archiving purposes etc)—

(a)

in paragraph 2, for “Union or Member State law may” substitute “the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act)”;

(b)

in paragraph 3, for “Union or Member State law may” substitute “the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act)”;

(c)

after paragraph 3 insert—

“3A

In this Article “the relevant provisions” means section 15 of and Part 6 of Schedule 2 to the 2018 Act.”

63

Omit Article 90 (obligations of secrecy).

64

Omit Article 91 (existing data protection rules of churches and religious associations).

Chapter X of the GDPR (delegated acts and implementing acts)

65

Omit Article 92 (exercise of the delegation).

66

Omit Article 93 (committee procedure).

Chapter XI of the GDPR (final provisions)

67

Omit Article 94 (repeal of Directive 95/46/EC).

68

Omit Article 95 (relationship with Directive 2002/58/EC).

69

In Article 96 (relationship with previously concluded Agreements), for “by Member States” substitute “by the United Kingdom or the Commissioner”.

70

Omit Article 97 (Commission reports).

71

Omit Article 98 (Commission reviews).

72

Omit Article 99 (entry into force and application).

PART 2 Modifications to Chapter 2 of Part 2

Introductory

73

In its application by virtue of section 22(2), Chapter 2 of Part 2 has effect as if it were modified as follows.

General modifications

74

(1)

References to Chapter 2 of Part 2 and the provisions of that Chapter have effect as references to the applied Chapter 2 and the provisions of the applied Chapter 2.

(2)

References to the GDPR and to the provisions of the GDPR have effect as references to the applied GDPR and to the provisions of the applied GDPR, except in section 18(2)(a).

(3)

References to the processing of personal data to which Chapter 2 applies have effect as references to the processing of personal data to which Chapter 3 applies.

Exemptions

75

In section 16 (power to make further exemptions etc by regulations), in subsection (1)(a), for “Member State law” substitute “the Secretary of State”.