Search Legislation

Data Protection Act 2018

Status:

This is the original version (as it was originally enacted).

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

This section has no associated Explanatory Notes

406For Schedule 2 substitute—

SCHEDULE 2Information Commissioner’s enforcement powers
Provisions applied for enforcement purposes

1For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 26—

(a)section 140 (publication by the Commissioner);

(b)section 141 (notices from the Commissioner);

(c)section 142 (information notices);

(d)section 143 (information notices: restrictions);

(e)section 144 (false statements made in response to an information notice);

(f)section 145 (information orders);

(g)section 146 (assessment notices);

(h)section 147 (assessment notices: restrictions);

(i)section 148 (destroying or falsifying information and documents etc);

(j)section 149 (enforcement notices);

(k)section 150 (enforcement notices: supplementary);

(l)section 152 (enforcement notices: restrictions);

(m)section 153 (enforcement notices: cancellation and variation);

(n)section 154 and Schedule 15 (powers of entry and inspection);

(o)section 155 and Schedule 16 (penalty notices);

(p)section 156(4)(a) (penalty notices: restrictions);

(q)section 157 (maximum amount of penalty);

(r)section 159 (amount of penalties: supplementary);

(s)section 160 (guidance about regulatory action);

(t)section 161 (approval of first guidance about regulatory action);

(u)section 162 (rights of appeal);

(v)section 163 (determination of appeals);

(w)section 164 (applications in respect of urgent notices);

(x)section 180 (jurisdiction);

(y)section 182(1), (2), (5), (7) and (13) (regulations and consultation);

(z)section 196 (penalties for offences);

(z1)section 197 (prosecution);

(z2)section 202 (proceedings in the First-tier Tribunal: contempt);

(z3)section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2The provisions listed in paragraph 1 have effect as if—

(a)references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;

(b)references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 142 (information notices)

3(1)Section 142 has effect as if subsections (9) and (10) were omitted.

(2)In that section, subsection (1) has effect as if—

(a)in paragraph (a)—

(i)for “controller or processor” there were substituted “trust service provider”;

(ii)for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;

(b)paragraph (b) were omitted.

(3)In that section, subsection (2) has effect as if paragraph (a) were omitted.

Modification of section 143 (information notices: restrictions)

4(1)Section 143 has effect as if subsections (1) and (9) were omitted.

(2)In that section—

(a)subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;

(b)subsection (7)(a) has effect as if for “this Act” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”;

(c)subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “section 148 or paragraph 15 of Schedule 15”.

Modification of section 145 (information orders)

5Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “section 142(2)”.

Modification of section 146 (assessment notices)

6(1)Section 146 has effect as if subsection (11) were omitted.

(2)In that section—

(a)subsection (1) has effect as if—

(i)for “controller or processor” (in both places) there were substituted “trust service provider”;

(ii)for “the data protection legislation” there were substituted “the eIDAS requirements”;

(b)subsection (2) has effect as if paragraphs (h) and (i) were omitted;

(c)subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider.

(d)subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15”.

Modification of section 147 (assessment notices: restrictions)

7(1)Section 147 has effect as if subsections (5) and (6) were omitted.

(2)In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 149 (enforcement notices)

8(1)Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.

(2)In that section—

(a)subsection (1) has effect as if—

(i)for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;

(ii)for “sections 150 and 151” there were substituted “section 150”;

(b)subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.

Modification of section 150 (enforcement notices: supplementary)

9(1)Section 150 has effect as if subsection (3) were omitted.

(2)In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” and “or distress” were omitted.

Modification of section 152 (enforcement notices: restrictions)

10Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Withdrawal notices

11The provisions listed in paragraph 1 have effect as if after section 153 there were inserted—

Withdrawal notices
153AWithdrawal notices

(1)The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—

(a)the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and

(b)the condition in subsection (2) or (3) is met.

(2)The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.

(3)The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—

(a)the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and

(b)the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

(4)A withdrawal notice must—

(a)state when the withdrawal takes effect, and

(b)provide information about the rights of appeal under section 162.

Modification of Schedule 15 (powers of entry and inspection)

12(1)Schedule 15 has effect as if paragraph 3 were omitted.

(2)Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

(a)there are reasonable grounds for suspecting that—

(i)a trust service provider has failed or is failing to comply with the eIDAS requirements, or

(ii)an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,.

(3)Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a)in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “trust service provider”;

(b)in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.

(4)Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a)in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;

(b)in sub-paragraph (2)(d)—

(i)for “controller or processor” there were substituted “trust service provider”;

(ii)for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”;

(c)in sub-paragraph (3)(a) and (d)—

(i)for “controller or processor” there were substituted “trust service provider”;

(ii)for “the data protection legislation” there were substituted “the eIDAS requirements”.

(5)Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 155 (penalty notices)

13(1)Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.

(2)Subsection (2) of that section has effect as if—

(a)the words “Subject to subsection (4),” were omitted;

(b)in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.

(3)Subsection (3) of that section has effect as if—

(a)for “controller or processor”, in each place, there were substituted “trust services provider”;

(b)in paragraph (c), the words “or distress” were omitted;

(c)in paragraph (c), for “data subjects” there were substituted “relying parties”;

(d)in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.

Modification of Schedule 16 (penalties)

14Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 157 (maximum amount of penalty)

15Section 157 has effect as if subsections (1) to (3) and (6) were omitted.

Modification of section 159 (amount of penalties: supplementary)

16Section 159 has effect as if—

(a)in subsection (1), the words “Article 83 of the GDPR and” were omitted;

(b)in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.

Modification of section 160 (guidance about regulatory action)

17(1)Section 160 has effect as if subsections (5) and (12) were omitted.

(2)In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “trust service providers”.

Modification of section 162 (rights of appeal)

18(1)Section 162 has effect as if subsection (4) were omitted.

(2)In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—

(ca)a withdrawal notice;.

Modification of section 163 (determination of appeals)

19Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)

20(1)Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.

(2)Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.

Modification of section 182 (regulations and consultation)

21Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.

Modification of section 196 (penalties for offences)

22(1)Section 196 has effect as if subsections (3) to (5) were omitted.

(2)In that section—

(a)subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b)subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “section 144 or 148”.

Modification of section 197 (prosecution)

23Section 197 has effect as if subsections (3) to (6) were omitted.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)

24Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 162”.

Modification of section 203 (Tribunal Procedure Rules)

25Section 203 has effect as if—

(a)in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 162”;

(b)in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.

Approval of first guidance about regulatory action

26(1)This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).

(2)Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).

(3)Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.

(4)Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.

Interpretation

27In this Schedule—

  • “the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;

  • “the EITSET Regulations” means these Regulations;

  • “withdrawal notice” has the meaning given in section 153A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).

Back to top

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Schedule

The Whole Schedule you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Schedule as a PDF

The Whole Schedule you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Part

The Whole Part you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Part as a PDF

The Whole Part you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open the Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open the Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

See additional information alongside the content

Show Explanatory Notes for Sections: Displays relevant parts of the explanatory notes interweaved within the legislation content.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources