Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Part 5Data protection and privacy

Chapter 1Data protection

Enforcement

97Power of the Commissioner to require documents

(1)

The 2018 Act is amended as follows.

(2)

In section 142 (information notices)—

(a)

in subsection (1)—

(i)

in paragraph (a), after “information” insert “or documents”, and

(ii)

in paragraph (b), after “information” insert “or documents”,

(b)

in subsection (2)(b), after “information” insert “or documents”,

(c)

in subsection (3)—

(i)

in paragraph (a), after “information”, in both places it occurs, insert “or documents”,

(ii)

in paragraph (b), after “information” insert “or documents”,

(iii)

in paragraph (c), after “information” insert “or documents”, and

(iv)

in paragraph (d), after “information” insert “or documents”,

(d)

in subsection (5), after “information”, in the second place it occurs, insert “or documents”,

(e)

in subsection (6), after “information”, in the second place it occurs, insert “or documents”, and

(f)

in subsection (7)—

(i)

in paragraph (a), for “is” substitute “or documents are”, and

(ii)

in the words after paragraph (b), after “information” insert “or documents”.

(3)

In section 143 (information notices: restrictions)—

(a)

in subsection (1)(b)(ii), for “is” substitute “or documents are”,

(b)

in subsection (2), after “information”, in the second place it occurs, insert “or documents”,

(c)

in subsection (3), for “in respect” substitute “or documents to the extent that requiring the person to do so would result in the disclosure”,

(d)

in subsection (4), for “in respect” substitute “or documents to the extent that requiring the person to do so would result in the disclosure”, and

(e)

in subsection (6), after “information”, in the second place it occurs, insert “or documents”.

(4)

In section 145 (information orders)—

(a)

in subsection (2)—

(i)

in paragraph (a), after “information”, in the first place it occurs, insert “or documents”, and

(ii)

in paragraph (b), after “information” insert “or documents”, and

(b)

in subsection (3)—

(i)

in paragraph (a), after “information” insert “or documents”,

(ii)

in paragraph (b), after “information” insert “or documents”, and

(iii)

in paragraph (c), after “information” insert “or documents”.

(5)

In section 148(1) (destroying or falsifying information and documents etc), in paragraph (a), after “information”, in the second place it occurs, insert “or a document”.

(6)

In section 160 (guidance about regulatory action), in subsection (3)(a), for “is” substitute “or documents are”.

(7)

In Schedule 17 (review of processing of personal data for the purposes of journalism), in paragraph 2(2) (information notices)—

(a)

in paragraph (a), for “is” substitute “or documents are”, and

(b)

in the words after paragraph (b), after “information” insert “or documents”.

98Power of the Commissioner to require a report

(1)

The 2018 Act is amended as follows.

(2)

In section 146 (assessment notices)—

(a)

in subsection (2), after paragraph (i), insert—

“(j)

make arrangements for an approved person to prepare a report on a specified matter;

(k)

provide to the Commissioner a report prepared in pursuance of such arrangements.”,

(b)

after subsection (3) insert—

“(3A)

An assessment notice that requires a controller or processor to make arrangements for an approved person to prepare a report may require the arrangements to include specified terms as to—

(a)

the preparation of the report;

(b)

the contents of the report;

(c)

the form in which the report is to be provided;

(d)

the date by which the report is to be completed.”,

(c)

after subsection (11) insert—

“(11A)

Where the Commissioner gives an assessment notice that requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.”, and

(d)

in subsection (12), before the definition of “domestic premises” insert—

““approved person”, in relation to a report, means a person approved to prepare the report in accordance with section 146A;”.

(3)

After section 146 insert—

“146AAssessment notices: approval of person to prepare report etc

(1)

This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report.

(2)

The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report.

(3)

If the Commissioner is satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report.

(4)

If the Commissioner is not satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor—

(a)

inform the controller or processor that the Commissioner has decided not to approve the nominated person to prepare the report,

(b)

inform the controller or processor of the reasons for that decision, and

(c)

approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.

(5)

If the controller or processor does not nominate a person within the period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.

(6)

It is the duty of the controller or processor to give the person approved to prepare the report all such assistance as the person may reasonably require to prepare the report.”

(4)

In section 155 (penalty notices), in subsection (1)—

(a)

omit the “or” at the end of paragraph (a), and

(b)

at the end of paragraph (b) insert “, or

(c)

has failed to comply with a duty imposed on the person by section 146A(6).”

(5)

In section 160 (guidance about regulatory action), in subsection (4), after paragraph (a) insert—

“(aa)

provision specifying factors to be considered in determining whether to give an assessment notice to a person that imposes a requirement of a sort mentioned in section 146(2)(j);

(ab)

provision about the factors the Commissioner may take into account when determining the suitability of a person to prepare a report of a sort mentioned in section 146(2)(j);”.

99Assessment notices: removal of OFSTED restriction

In section 147 of the 2018 Act (assessment notices: restrictions), in subsection (6), omit paragraph (b) and the “or” before it.

100Interview notices

(1)

The 2018 Act is amended as follows.

(2)

After section 148 insert—

“Interview notices

148AInterview notices

(1)

This section applies where the Commissioner suspects that a controller or processor—

(a)

has failed or is failing as described in section 149(2), or

(b)

has committed or is committing an offence under this Act.

(2)

For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to—

(a)

attend at a place specified in the notice, and

(b)

answer questions with respect to any matter relevant to the investigation.

(3)

An individual is within this subsection if the individual—

(a)

is the controller or processor,

(b)

is or was at any time employed by, or otherwise working for, the controller or processor, or

(c)

is or was at any time concerned in the management or control of the controller or processor.

(4)

An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)).

(5)

An interview notice must—

(a)

indicate the nature of the suspected failure or offence that is the subject of the investigation,

(b)

provide information about the consequences of failure to comply with the notice, and

(c)

provide information about the rights under sections 162 and 164 (appeals etc).

(6)

An interview notice may not require an individual to attend at the specified place and answer questions before the end of the period within which an appeal can be brought against the notice.

(7)

If an appeal is brought against an interview notice, the individual to whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal.

(8)

If an interview notice—

(a)

states that, in the Commissioner’s opinion, it is necessary for the individual to attend at the specified place and answer questions urgently, and

(b)

gives the Commissioner’s reasons for reaching that opinion,

subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given.

(9)

The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given.

148BInterview notices: restrictions

(1)

An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.

(2)

An interview notice does not require an individual to answer questions in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.

(3)

An interview notice does not require an individual to answer questions in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,

(b)

in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and

(c)

for the purposes of such proceedings.

(4)

In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client.

(5)

An interview notice does not require an individual to answer questions if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence.

(6)

The reference to an offence in subsection (5) does not include an offence under—

(a)

this Act;

(b)

section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);

(c)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);

(d)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(7)

A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings—

(a)

in giving evidence the individual provides information inconsistent with the statement, and

(b)

evidence relating to the statement is adduced, or a question relating to it is asked, by that individual or on that individual’s behalf.

(8)

The Commissioner may not give an interview notice with respect to the processing of personal data for the special purposes.

(9)

The Commissioner may not give an interview notice to an individual for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters).

148CFalse statements made in response to interview notices

It is an offence for an individual, in response to an interview notice—

(a)

to make a statement which the individual knows to be false in a material respect, or

(b)

recklessly to make a statement which is false in a material respect.”

(3)

In section 149 (enforcement notices), in subsection (9)(b)—

(a)

after “an assessment notice” insert “, an interview notice”, and

(b)

after “147” insert “, 148A, 148B.

(4)

In section 155 (penalty notices), in subsection (1)(b), after “assessment notice” insert “, an interview notice”.

(5)

In section 157 (maximum amount of penalty), in subsection (4), after “assessment notice” insert “, an interview notice”.

(6)

In section 160 (guidance about regulatory action)—

(a)

in subsection (1), after paragraph (b) insert—

“(ba)

interview notices,”, and

(b)

after subsection (5) insert—

“(5A)

In relation to interview notices, the guidance must include—

(a)

provision specifying factors to be considered in determining whether to give an interview notice to an individual;

(b)

provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases);

(c)

provision about the circumstances in which the Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given;

(d)

provision about the nature of interviews carried out in accordance with an interview notice;

(e)

provision about how the Commissioner will determine how to proceed if an individual does not comply with an interview notice.”

(7)

In section 162 (rights of appeal), in subsection (1), after paragraph (b) insert—

“(ba)

an interview notice;”.

(8)

In section 164 (applications in respect of urgent notices)—

(a)

in subsection (1), after “assessment notice” insert “, an interview notice”, and

(b)

in subsection (5), after paragraph (b) (but before the “and” at the end of that paragraph) insert—

“(ba)

in relation to an interview notice, a statement under section 148A(8)(a),”.

(9)

In section 181 (interpretation of Part 6), at the appropriate place, insert—

““interview notice” has the meaning given in section 148A;”.

(10)

In section 196 (penalties for offences), in subsection (2), after “148,” insert 148C,”.

(11)

In section 206 (index of defined expressions), at the appropriate place, insert—

“interview notice (in Part 6)

section 181”.

(12)

In Schedule 17 (review of processing of personal data for the purposes of journalism)—

(a)

after paragraph 3 insert—

“Interview notices

3A

(1)

Sub-paragraph (2) applies where the Commissioner gives an interview notice to an individual during a relevant period.

(2)

If the interview notice—

(a)

states that, in the Commissioner’s opinion, it is necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and

(b)

gives the Commissioner’s reasons for reaching that opinion,

subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given.

(3)

During a relevant period, section 148B has effect as if for subsection (8) there were substituted—

“(8)

The Commissioner may not give an individual an interview notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.”

(b)

in paragraph 4 (applications in respect of urgent notices)—

(i)

for “or assessment notice” substitute “, assessment notice or interview notice”,

(ii)

for “or 3(2)(a)” substitute “, 3(2)(a) or 3A(2)(a)”, and

(iii)

for “or 146(8)(a)” substitute “, 146(8)(a) or 148A(8)(a).

101Penalty notices

(1)

The 2018 Act is amended as follows.

(2)

In paragraph 2 of Schedule 16 (notice of intent to impose penalty), omit sub-paragraphs (2) and (3).

(3)

In paragraph 4 of that Schedule (giving a penalty notice)—

(a)

before sub-paragraph (1) insert—

“A1

This paragraph applies where the Commissioner gives a notice of intent to a person.

A2

Within the period of 6 months beginning when the notice is given, or as soon as reasonably practicable thereafter, the Commission must give to the person—

(a)

a penalty notice, or

(b)

written notice that the Commissioner has decided not to give a penalty notice to the person.”,

(b)

in sub-paragraph (1)—

(i)

at the beginning, insert “But”, and

(ii)

after “penalty notice” insert “to the person”, and

(c)

in sub-paragraph (2), for “a person” substitute “the person”.

(4)

In section 160 (guidance about regulatory action), in subsection (7), after paragraph (d) insert—

“(e)

provision about the circumstances in which the Commissioner would consider it necessary to comply with the duty in paragraph 4(A2) of Schedule 16 after the period of 6 months mentioned in that paragraph.”

102Annual report on regulatory action

(1)

The 2018 Act is amended as follows.

(2)

In section 139 (reporting to Parliament), before subsection (3) insert—

“(2A)

The report under this section may include the annual report under section 161A.”

(3)

In the italic heading before section 160, at the end insert “and report”.

(4)

After section 161 insert—

“161AAnnual report on regulatory action

(1)

The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).

(2)

The report must include the following information about UK GDPR investigations—

(a)

the number of investigations begun, continued or completed by the Commissioner during the reporting period,

(b)

the different types of act and omission that were the subject matter of the investigations,

(c)

the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations,

(d)

the duration of investigations that ended in the reporting period, and

(e)

the different types of outcome in investigations that ended in that period.

(3)

The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with—

(a)

processing of personal data by a competent authority for any of the law enforcement purposes, and

(b)

processing of personal data to which Part 4 applies.

(4)

The information included in the report in accordance with subsections (2) and (3) must include information about—

(a)

the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and

(b)

the reasons why that happened.

(5)

The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).

(6)

In this section—

enforcement powers” means the powers under—

(a)

Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,

(b)

sections 142 to 159 of this Act,

(c)

paragraph 2(a), (b) and (c) of Schedule 13 to this Act, and

(d)

Schedules 15 and 16 to this Act;

the law enforcement purposes” has the meaning given in section 31 of this Act;

the reporting period” means the period to which the report relates;

UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).”

103Complaints by data subjects

(1)

The 2018 Act is amended in accordance with subsections (2) and (3).

(2)

Before section 165 (but after the italic heading before it) insert—

“164AComplaints by data subjects to controllers

(1)

A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.

(2)

A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means.

(3)

If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.

(4)

If a controller receives a complaint under this section, the controller must without undue delay—

(a)

take appropriate steps to respond to the complaint, and

(b)

inform the complainant of the outcome of the complaint.

(5)

The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes—

(a)

making enquiries into the subject matter of the complaint, to the extent appropriate, and

(b)

informing the complainant about progress on the complaint.

164BControllers to notify the Commissioner of the number of complaints

(1)

The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations.

(2)

Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.

(3)

Regulations under this section may include—

(a)

provision about a matter listed in subsection (4), or

(b)

provision conferring power on the Commissioner to determine those matters.

(4)

The matters are—

(a)

the form and manner in which a notification must be made,

(b)

the time at which, or period within which, a notification must be made, and

(c)

how the number of complaints made to a controller during a period is to be calculated.

(5)

Regulations under this section are subject to the negative resolution procedure.”

(3)

In section 165 (complaints by data subjects to the Commissioner)—

(a)

omit subsection (1), and

(b)

in subsection (2), after “infringement of” insert “the UK GDPR or”.

(4)

The UK GDPR is amended in accordance with subsections (5) and (6).

(5)

In Article 57 (Commissioner’s tasks)—

(a)

in paragraph 1, omit point (f), and

(b)

omit paragraph 2.

(6)

Omit Article 77 (right to lodge a complaint with the Commissioner).

(7)

Schedule 10 to this Act contains minor and consequential amendments.

104Court procedure in connection with subject access requests

(1)

The 2018 Act is amended as follows.

(2)

For the italic heading before section 180 substitute—

“Jurisdiction and court procedure”.

(3)

After section 180 insert—

“180AProcedure in connection with subject access requests

(1)

This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—

(a)

Article 15 of the UK GDPR (right of access by the data subject);

(b)

Article 20 of the UK GDPR (right to data portability);

(c)

section 45 of this Act (law enforcement processing: right of access by the data subject);

(d)

section 94 of this Act (intelligence services processing: right of access by the data subject).

(2)

The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.

(3)

But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.

(4)

Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.”

105Consequential amendments to the EITSET Regulations

(1)

Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers) is amended as follows.

(2)

In paragraph 1 (provisions of the 2018 Act applied for enforcement purposes)—

(a)

after paragraph (g) insert—

“(ga)

section 146A (assessment notices: approval of person to prepare report etc);”, and

(b)

after paragraph (i) insert—

“(ia)

section 148A (interview notices);

(ib)

section 148B (interview notices: restrictions);

(ic)

section 148C (false statements made in response to interview notices);”.

(3)

In paragraph 4(2) (modification of section 143 (information notices: restrictions))—

(a)

in paragraph (b), for “or 148” substitute “, 148 or 148C, and

(b)

in paragraph (c), after “148” insert “or 148C.

(4)

In paragraph 6 (modification of section 146 (assessment notices)), in sub-paragraph (2)—

(a)

for paragraph (b) substitute—

“(b)

subsection (2) has effect as if—

(i)

for “controller or processor” there were substituted “trust service provider”;

(ii)

paragraphs (h) and (i) were omitted;”,

(b)

in paragraph (c), for “subsections (7), (8), (9) and (10)” substitute “subsections (3A), (7), (8), (9), (10) and (11A)”, and

(c)

in paragraph (d), for “or 148” substitute “, 148 or 148C.

(5)

After paragraph 6 insert—

“Modification of section 146A (assessment notices: approval of person to prepare report etc)

6A

Section 146A has effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.”

(6)

After paragraph 7 insert—

“Modification of section 148A (interview notices)

7A

Section 148A has effect as if—

(a)

in subsection (1)—

(i)

for “controller or processor” there were substituted “trust service provider”;

(ii)

in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”;

(iii)

in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(b)

in subsection (3), for “controller or processor” (in each place) there were substituted “trust service provider”.

Modification of section 148B (interview notices: restrictions)

7B

(1)

Section 148B has effect as if subsections (8) and (9) were omitted.

(2)

In that section—

(a)

subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;

(b)

subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)

subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.”

(7)

In paragraph 12 (modification of Schedule 15 (powers of entry and inspection)), in sub-paragraph (2), in the substituted paragraph (a), for “or 148” substitute “, 148 or 148C”.

(8)

In paragraph 13 (modification of section 155 (penalty notices)), in sub-paragraph (3)(c), for “for “data subjects”” there were substituted “for the words from “data subjects” to the end”.

(9)

Omit paragraph 21 (modification of section 182 (regulations and consultation)) and the heading before it.

(10)

In paragraph 22 (modification of section 196 (penalties for offences)), in sub-paragraph (2)(b)—

(a)

after “148”, in the first place it occurs, insert “, 148C, and

(b)

for “or 148” substitute “, 148 or 148C.