Textual Amendments
F1Pt. 2 Ch. 3 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 27 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Modifications etc. (not altering text)
C1Pt. 2 Ch. 3 applied (31.12.2020) by Regulation (EU) No. 625/2017, Art. 143 (as substituted by The Official Controls (Animals, Feed and Food, Plant Health etc.) (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/1481), regs. 1, 27(3) (with reg. 46))
(1)Article 9(1) of [F3the UK GDPR] (prohibition on processing of special categories of personal data) does not prohibit the processing of personal data to which [F4the UK GDPR] applies to the extent that the processing is carried out—
(a)for the purpose of safeguarding national security or for defence purposes, and
(b)with appropriate safeguards for the rights and freedoms of data subjects.
(2)Article 32 of [F5the UK GDPR] (security of processing) does not apply to a controller or processor to the extent that the controller or the processor (as the case may be) is processing personal data to which [F6the UK GDPR] applies for—
(a)the purpose of safeguarding national security, or
(b)defence purposes.
(3)Where Article 32 of [F7the UK GDPR] does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.
(4)For the purposes of subsection (3), where the processing of personal data is carried out wholly or partly by automated means, the controller or the processor must, following an evaluation of the risks, implement measures designed to—
(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with the processing,
(b)ensure that it is possible to establish the precise details of any processing that takes place,
(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
[F8(5)The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3).]
Textual Amendments
F2Words in s. 28 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in s. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Words in s. 28(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in s. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in s. 28(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7Words in s. 28(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 36(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)