(1)The Commissioner is to be the supervisory authority in the United Kingdom for the purposes of Article 51 of the GDPR.
(2)General functions are conferred on the Commissioner by—
(a)Article 57 of the GDPR (tasks), and
(b)Article 58 of the GDPR (powers),
(and see also the Commissioner’s duty under section 2).
(3)The Commissioner’s functions in relation to the processing of personal data to which the GDPR applies include—
(a)a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data, and
(b)a power to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
(4)The Commissioner’s functions under Article 58 of the GDPR are subject to the safeguards in subsections (5) to (9).
(5)The Commissioner’s power under Article 58(1)(a) of the GDPR (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner’s tasks under the GDPR) is exercisable only by giving an information notice under section 142.
(6)The Commissioner’s power under Article 58(1)(b) of the GDPR (power to carry out data protection audits) is exercisable only in accordance with section 146.
(7)The Commissioner’s powers under Article 58(1)(e) and (f) of the GDPR (power to obtain information from controllers and processors and access to their premises) are exercisable only—
(a)in accordance with Schedule 15 (see section 154), or
(b)to the extent that they are exercised in conjunction with the power under Article 58(1)(b) of the GDPR, in accordance with section 146.
(8)The following powers are exercisable only by giving an enforcement notice under section 149—
(a)the Commissioner’s powers under Article 58(2)(c) to (g) and (j) of the GDPR (certain corrective powers);
(b)the Commissioner’s powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the GDPR.
(9)The Commissioner’s powers under Articles 58(2)(i) and 83 of the GDPR (administrative fines) are exercisable only by giving a penalty notice under section 155.
(10)This section is without prejudice to other functions conferred on the Commissioner, whether by the GDPR, this Act or otherwise.
(1)The Commissioner—
(a)is to be the supervisory authority in the United Kingdom for the purposes of Article 41 of the Law Enforcement Directive, and
(b)is to continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Data Protection Convention.
(2)Schedule 13 confers general functions on the Commissioner in connection with processing to which the GDPR does not apply (and see also the Commissioner’s duty under section 2).
(3)This section and Schedule 13 are without prejudice to other functions conferred on the Commissioner, whether by this Act or otherwise.
Nothing in this Act permits or requires the Commissioner to exercise functions in relation to the processing of personal data by—
(a)an individual acting in a judicial capacity, or
(b)a court or tribunal acting in its judicial capacity,
(and see also Article 55(3) of the GDPR).