Data Protection Act 2018

406 For Schedule 2 substitute—

SCHEDULE 2 Information Commissioner's enforcement powers
Provisions applied for enforcement purposes

1 For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 26—

(a) section 140 (publication by the Commissioner);

(b) section 141 (notices from the Commissioner);

(c) section 142 (information notices);

(d) section 143 (information notices: restrictions);

(e) section 144 (false statements made in response to an information notice);

(f) section 145 (information orders);

(g) section 146 (assessment notices);

(h) section 147 (assessment notices: restrictions);

(i) section 148 (destroying or falsifying information and documents etc);

(j) section 149 (enforcement notices);

(k) section 150 (enforcement notices: supplementary);

(l) section 152 (enforcement notices: restrictions);

(m) section 153 (enforcement notices: cancellation and variation);

(n) section 154 and Schedule 15 (powers of entry and inspection);

(o) section 155 and Schedule 16 (penalty notices);

(p) section 156(4)(a) (penalty notices: restrictions);

(q) section 157 (maximum amount of penalty);

(r) section 159 (amount of penalties: supplementary);

(s) section 160 (guidance about regulatory action);

(t) section 161 (approval of first guidance about regulatory action);

(u) section 162 (rights of appeal);

(v) section 163 (determination of appeals);

(w) section 164 (applications in respect of urgent notices);

(x) section 180 (jurisdiction);

(y) section 182(1), (2), (5), (7) and (13) (regulations and consultation);

(z) section 196 (penalties for offences);

(z1) section 197 (prosecution);

(z2) section 202 (proceedings in the First-tier Tribunal: contempt);

(z3) section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2 The provisions listed in paragraph 1 have effect as if—

(a) references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;

(b) references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 142 (information notices)

3 (1) Section 142 has effect as if subsections (9) and (10) were omitted.

(2) In that section, subsection (1) has effect as if—

(a) in paragraph (a)—

(i) for “controller or processor” there were substituted “ trust service provider ”;

(ii) for “the data protection legislation” there were substituted “ the eIDAS Regulation and the EITSET Regulations ”;

(b) paragraph (b) were omitted.

(3) In that section, subsection (2) has effect as if paragraph (a) were omitted.

Modification of section 143 (information notices: restrictions)

4 (1) Section 143 has effect as if subsections (1) and (9) were omitted.

(2) In that section—

(a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”;

(b) subsection (7)(a) has effect as if for “this Act” there were substituted “ section 144 or 148 or paragraph 15 of Schedule 15 ”;

(c) subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “ section 148 or paragraph 15 of Schedule 15 ”.

Modification of section 145 (information orders)

5 Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “ section 142(2) ”.

Modification of section 146 (assessment notices)

6 (1) Section 146 has effect as if subsection (11) were omitted.

(2) In that section—

(a) subsection (1) has effect as if—

(i) for “controller or processor” (in both places) there were substituted “ trust service provider ”;

(ii) for “the data protection legislation” there were substituted “ the eIDAS requirements ”;

(b) subsection (2) has effect as if paragraphs (h) and (i) were omitted;

(c) subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “ trust service provider ”.

(d) subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “ to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15 ”.

Modification of section 147 (assessment notices: restrictions)

7 (1) Section 147 has effect as if subsections (5) and (6) were omitted.

(2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.

Modification of section 149 (enforcement notices)

8 (1) Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.

(2) In that section—

(a) subsection (1) has effect as if—

(i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “ to comply with the eIDAS requirements ”;

(ii) for “sections 150 and 151” there were substituted “ section 150 ”;

(b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.

Modification of section 150 (enforcement notices: supplementary)

9 (1) Section 150 has effect as if subsection (3) were omitted.

(2) In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” and “or distress” were omitted.

Modification of section 152 (enforcement notices: restrictions)

10 Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Withdrawal notices

11 The provisions listed in paragraph 1 have effect as if after section 153 there were inserted—

Withdrawal notices
153A Withdrawal notices

(1) The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—

(a) the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and

(b) the condition in subsection (2) or (3) is met.

(2) The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.

(3) The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—

(a) the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and

(b) the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

(4) A withdrawal notice must—

(a) state when the withdrawal takes effect, and

(b) provide information about the rights of appeal under section 162.

Modification of Schedule 15 (powers of entry and inspection)

12 (1) Schedule 15 has effect as if paragraph 3 were omitted.

(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

(a) there are reasonable grounds for suspecting that—

(i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or

(ii) an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,.

(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a) in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “ trust service provider ”;

(b) in sub-paragraph (2), for “the data protection legislation” there were substituted “ the eIDAS requirements ”.

(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “ the provision of trust services ”;

(b) in sub-paragraph (2)(d)—

(i) for “controller or processor” there were substituted “ trust service provider ”;

(ii) for “as described in section 149(2)” there were substituted “ to comply with the eIDAS requirements ”;

(c) in sub-paragraph (3)(a) and (d)—

(i) for “controller or processor” there were substituted “ trust service provider ”;

(ii) for “the data protection legislation” there were substituted “ the eIDAS requirements ”.

(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.

Modification of section 155 (penalty notices)

13 (1) Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.

(2) Subsection (2) of that section has effect as if—

(a) the words “Subject to subsection (4),” were omitted;

(b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.

(3) Subsection (3) of that section has effect as if—

(a) for “controller or processor”, in each place, there were substituted “ trust services provider ”;

(b) in paragraph (c), the words “or distress” were omitted;

(c) in paragraph (c), for “data subjects” there were substituted “ relying parties ”;

(d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “ Article 19(1) of the eIDAS Regulation ”.

Modification of Schedule 16 (penalties)

14 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 157 (maximum amount of penalty)

15 Section 157 has effect as if subsections (1) to (3) and (6) were omitted.

Modification of section 159 (amount of penalties: supplementary)

16 Section 159 has effect as if—

(a) in subsection (1), the words “Article 83 of the GDPR and” were omitted;

(b) in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.

Modification of section 160 (guidance about regulatory action)

17 (1) Section 160 has effect as if subsections (5) and (12) were omitted.

(2) In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “ trust service providers ”.

Modification of section 162 (rights of appeal)

18 (1) Section 162 has effect as if subsection (4) were omitted.

(2) In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—

(ca) a withdrawal notice;.

Modification of section 163 (determination of appeals)

19 Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)

20 (1) Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.

(2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “ subsection (4) ”.

Modification of section 182 (regulations and consultation)

21 Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.

Modification of section 196 (penalties for offences)

22 (1) Section 196 has effect as if subsections (3) to (5) were omitted.

(2) In that section—

(a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b) subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “ section 144 or 148 ”.

Modification of section 197 (prosecution)

23 Section 197 has effect as if subsections (3) to (6) were omitted.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)

24 Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “ on an appeal under section 162 ”.

Modification of section 203 (Tribunal Procedure Rules)

25 Section 203 has effect as if—

(a) in subsection (1), for paragraphs (a) and (b) there were substituted “ the exercise of the rights of appeal conferred by section 162 ”;

(b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “ the provision of trust services ”.

Approval of first guidance about regulatory action

26 (1) This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).

(2) Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).

(3) Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.

(4) Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.

Interpretation

27 In this Schedule—

  • “the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;

  • “the EITSET Regulations” means these Regulations;

  • “withdrawal notice” has the meaning given in section 153A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).