Data Protection Act 2018

Status:

Dyma’r fersiwn wreiddiol (fel y’i gwnaed yn wreiddiol).

PART 2Amendments of other legislation

Estate Agents (Specified Offences) (No. 2) Order 1991 (S.I. 1991/1091)

228In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—

“Data Protection Act 2018	Section 144	False statements made in response to an information notice
“Data Protection Act 2018	Section 148	Destroying or falsifying information and documents etc”

Channel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)

229(1)Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.

(2)In paragraph (2)—

(a)for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is”,

(b)for “data controller” substitute “controller”,

(c)after “in the context of” insert “the activities of”, and

(d)for “and the 1998 Act” substitute “and the 2018 Act”.

(3)In paragraph (3)—

(a)for “section 5 of the 1998 Act, data which are” substitute “section 207 of the 2018 Act, data which is”,

(b)for “data controller” substitute “controller”,

(c)after “in the context of” insert “the activities of”, and

(d)for “and the 1998 Act” substitute “and the 2018 Act”.

Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

230The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.

231In Article 4 (health professionals), for paragraph (1) substitute—

“(1)In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).”

232In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

233In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—

“(2)For the purposes of section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).

(3)For the purposes of section 207 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

234The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.

235(1)Regulation 2(1) (interpretation) is amended as follows.

(2)Omit the definition of “Directive 95/46/EC”.

(3)At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

236(1)The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

237For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—

“7Data Protection Act 2018

(1)The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2)The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—

(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b)section 209 (application to the Crown),

(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3)In the provisions mentioned in paragraph (4)—

(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and

(b)references to a person in the service of the Crown are to be treated as including a person so employed.

(4)The provisions are—

(a)section 24(3) (exemption for certain data relating to employment under the Crown), and

(b)section 209(6) (application of certain provisions to a person in the service of the Crown).

(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

238For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—

“9Data Protection Act 2018

(1)The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2)The Commission is to be treated as a government department for the purposes of the following provisions—

(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b)section 209 (application to the Crown),

(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3)In the provisions mentioned in paragraph (4)—

(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and

(b)references to a person in the service of the Crown are to be treated as including a person so employed.

(4)The provisions are—

(a)section 24(3) (exemption for certain data relating to employment under the Crown), and

(b)section 209(6) (application of certain provisions to a person in the service of the Crown).

(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)

239The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.

Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I. 2000/185)

240The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.

Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)

241The Data Protection (Functions of Designated Authority) Order 2000 is revoked.

Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)

242The Data Protection (International Co-operation) Order 2000 is revoked.

Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)

243The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.

Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)

244In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.

Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)

245The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.

Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)

246The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.

Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)

247The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.

Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)

248The Data Protection (Crown Appointments) Order 2000 is revoked.

Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)

249The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.

Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)

250The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.

Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)

251The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

252The Representation of the People (England and Wales) Regulations 2001 are amended as follows.

253In regulation 3(1) (interpretation), at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

254In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

255In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

256In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

257In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

“(a)Article 89 GDPR purposes;”.

258(1)Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.

(2)After sub-paragraph (b) insert—

“(ba)“relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3)Omit sub-paragraphs (c) and (d).

259In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 122(5) of the Data Protection Act 2018”.

260In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

261In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

262In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

263In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

264In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

“(i)Article 89 GDPR purposes;”.

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)

265The Representation of the People (Scotland) Regulations 2001 are amended as follows.

266In regulation 3(1) (interpretation), at the appropriate places, insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

267In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

268In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

269In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

270In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—

“(a)Article 89 GDPR purposes;”.

271In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

“(a)Article 89 GDPR purposes;”.

272(1)Regulation 92(2) (interpretation of Part VI etc) is amended as follows.

(2)After sub-paragraph (b) insert—

(3)Omit sub-paragraphs (c) and (d).

273In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 122(5) of the Data Protection Act 2018”.

274In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

275In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

276In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

277In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

“(i)Article 89 GDPR purposes;”.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

278(1)Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.

(2)In paragraph (2B), for sub-paragraph (a) substitute—

“(a)the disclosure is made in accordance with Chapter V of the GDPR;”.

(3)After paragraph (5) insert—

“(6)In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Nursing and Midwifery Order 2001 (S.I. 2002/253)

279The Nursing and Midwifery Order 2001 is amended as follows.

280(1)Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.

(2)In paragraph (18), after “enactment” insert “or the GDPR”.

(3)After paragraph (18) insert—

“(19)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

281(1)Article 25 (the Council’s power to require disclosure of information) is amended as follows.

(2)In paragraph (3), after “enactment” insert “or the GDPR”.

(3)In paragraph (6)—

(a)for “paragraph (5),” substitute “paragraph (3)—”, and

(b)at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

282In article 39B (European professional card), after paragraph (2) insert—

“(3)For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

283In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

284(1)Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.

(2)In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.

(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

285(1)The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

286In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

287Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.

288In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.

289In paragraph (3)—

(a)omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and

(b)at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)

290The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)

291The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.

292In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “the Data Protection Act 2018”.

293(1)Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.

(2)The existing text becomes sub-paragraph (1).

(3)In that sub-paragraph, for “the Data Protection Act 1998” substitute “the data protection legislation”.

(4)After that sub-paragraph insert—

“(2)In this regulation—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).

(3)Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.”

(5)In the heading of that regulation, for “the Data Protection Act 1998” substitute “the data protection legislation”.

Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)

294The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.

295In article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—

(a)for “The Data Protection Act 1998” substitute “The Data Protection Act 2018”, and

(b)for “are” substitute “is”.

296In article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—

(a)for “The Data Protection Act 1998” substitute “The Data Protection Act 2018”,

(b)for “are” substitute “is”,

(c)for “section 5” substitute “section 207”,

(d)for “data controller” substitute “controller”, and

(e)after “in the context of” insert “the activities of”.

Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

297The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.

298(1)Regulation 2 (interpretation) is amended as follows.

(2)Omit the definition of “the 1998 Act”.

(3)At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

299(1)Regulation 6 (circumstances where information should not be disclosed) is amended as follows.

(2)After “any information” insert “to the extent that any of the following conditions are satisfied”.

(3)For paragraphs (a) to (c) substitute—

“(aa)the pupil to whom the information relates would have no right of access to the information under the GDPR;

(ab)the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.

(4)In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.

(5)In paragraph (e), for “that” substitute “the information”.

300In regulation 9 (fees), for paragraph (1) substitute—

“(1A)In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.

(1B)Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—

(a)exceeds the cost of supply, or

(b)exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

301Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.

302(1)Paragraph 74(1) (interpretation) is amended as follows.

(2)Omit the definitions of “relevant conditions” and “research purposes”.

(3)At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

303In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.

Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)

304In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.

Environmental Information Regulations 2004 (S.I. 2004/3391)

305The Environmental Information Regulations 2004 are amended as follows.

306(1)Regulation 2 (interpretation) is amended as follows.

(2)In paragraph (1), at the appropriate places, insert—

““the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR,
(b)
section 34(1) of the Data Protection Act 2018, and
(c)
section 85(1) of that Act;”;

““data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”;

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.

(3)For paragraph (4) substitute—

“(4A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—

(a)the references to an FOI public authority were references to a public authority as defined in these Regulations, and

(b)the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”

307(1)Regulation 13 (personal data) is amended as follows.

(2)For paragraph (1) substitute—

“(1)To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—

(a)the first condition is satisfied, or

(b)the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”

(3)For paragraph (2) substitute—

“(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”

(4)For paragraph (3) substitute—

“(3A)The third condition is that—

(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”

(5)Omit paragraph (4).

(6)For paragraph (5) substitute—

“(5A)For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—

(a)the condition in paragraph (5B)(a) is satisfied, or

(b)a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.

(5B)The conditions mentioned in paragraph (5A) are—

(a)giving a member of the public the confirmation or denial—

(i)would (apart from these Regulations) contravene any of the data protection principles, or

(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;

(b)giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 99 of the Data Protection Act 2018 (right to object to processing);

(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);

(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;

(e)on a request under section 94(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”

(7)After that paragraph insert—

“(6)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

308In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.

309In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

310The Environmental Information (Scotland) Regulations 2004 are amended as follows.

311(1)Regulation 2 (interpretation) is amended as follows.

(2)In paragraph (1), at the appropriate places, insert—

““the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR, and
(b)
section 34(1) of the Data Protection Act 2018;”;”;

““data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”;

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.

(3)For paragraph (3) substitute—

“(3A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—

(a)the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and

(b)the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”

312(1)Regulation 11 (personal data) is amended as follows.

(2)For paragraph (2) substitute—

“(2)To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—

(a)the first condition set out in paragraph (3A) is satisfied, or

(b)the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”

(3)For paragraph (3) substitute—

“(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”

(4)For paragraph (4) substitute—

“(4A)The third condition is that any of the following applies to the information—

(a)it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or

(5)Omit paragraph (5).

(6)After paragraph (6) insert—

“(7)In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

313(1)Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.

(2)In paragraph (1)(b)—

(a)for paragraph (iii) (but not the final “, and”) substitute—

“(iii)the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and

(b)in the words following paragraph (iii), omit “search”.

(3)After paragraph (2) insert—

“(3)In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

314The Education (Pupil Information) (England) Regulations 2005 are amended as follows.

315In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.

316(1)Regulation 5 (disclosure of curricular and educational records) is amended as follows.

(2)In paragraph (4)—

(a)in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and

(b)in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.

(3)After paragraph (6) insert—

“(7)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)

317(1)Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.

(2)In paragraph (1)(d)—

(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)for “(2) or (3)” substitute “(1A), (1B) or (1C)”.

(3)After paragraph (1) insert—

“(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C)The condition in this paragraph is that—

(1D)In this regulation—

“the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR,
(b)
section 34(1) of the Data Protection Act 2018, and
(c)
section 85(1) of that Act;
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

(4)Omit paragraphs (2) to (4).

Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

318In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—

(a)for the definition of “data protection principles” substitute—

““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and

(b)at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

319The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.

320(1)Regulation 39 (sensitive information) is amended as follows.

(2)In paragraph (1)(d)—

(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)for “(2) or (3)” substitute “(1A), (1B) or (1C)”.

(3)After paragraph (1) insert—

“(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C)The condition in this paragraph is that—

(1D)In this regulation—

“the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR,
(b)
section 34(1) of the Data Protection Act 2018, and
(c)
section 85(1) of that Act;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(4)Omit paragraphs (2) to (4).

Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)

321The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

322(1)Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.

(2)The existing text becomes sub-paragraph (1).

(3)For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(4)After that sub-paragraph insert—

“(2)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

323In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—

“(b)any material used consists of or includes human cells or human DNA,”.

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

324For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—

“5Data Protection Act 2018

(1)The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2)The Assembly Commission is to be treated as a government department for the purposes of the following provisions—

(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b)section 209 (application to the Crown),

(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3)In the provisions mentioned in paragraph (4)—

(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and

(b)references to a person in the service of the Crown are to be treated as including a person so employed.

(4)The provisions are—

(a)section 24(3) (exemption for certain data relating to employment under the Crown), and

(b)section 209(6) (application of certain provisions to a person in the service of the Crown).

(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

325In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity) —

(a)in the English language text, for paragraph (c) substitute—

“(c)any material used consists of or includes human cells or human DNA; and”, and

(b)in the Welsh language text, for paragraph (c) substitute—

“(c)os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

326(1)Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.

(2)In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(3)After paragraph (1) insert—

“(2)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

327In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a)in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—

“(i)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b)after paragraph (3) insert—

“(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

328The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 are amended as follows.

329In regulation 2 (interpretation), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

330In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

331In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a)in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and

(b)after paragraph (3) insert—

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

332In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”.

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

333The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.

334In regulation 2(1) (interpretation)—

(a)at the appropriate place in the English language text insert—

““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and

(b)at the appropriate place in the Welsh language text insert—

““mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran 3(10), (11) a (14) o’r Ddeddf honno);”.”

335(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2)In paragraph (7)—

(a)in the English language text, at the end insert “or the GDPR”, and

(b)in the Welsh language text, at the end insert “neu’r GDPR”.

(3)For paragraph (8)—

(a)in the English language text substitute—

“(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b)in the Welsh language text substitute—

“(8)Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

336(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2)In paragraph (6)—

(a)in the English language text, at the end insert “or the GDPR”, and

(b)in the Welsh language text, at the end insert “neu’r GDPR”.

(3)For paragraph (7)—

(a)in the English language text substitute—

“(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b)in the Welsh language text substitute—

“(7)Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

337(1)Regulation 29 (occurrence reports) is amended as follows.

(2)In paragraph (3)—

(a)in the English language text, at the end insert “or the GDPR”, and

(b)in the Welsh language text, at the end insert “neu’r GDPR”.

(3)For paragraph (4)—

(a)in the English language text substitute—

“(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b)in the Welsh language text substitute—

“(4)Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

338(1)Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.

(2)In paragraph (3)—

(a)omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.

(3)After paragraph (3) insert—

“(3A)The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”

(4)After paragraph (4) insert—

“(5)In this regulation—

“the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR,
(b)
section 34(1) of the Data Protection Act 2018, and
(c)
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

339(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2)The existing text becomes sub-paragraph (1).

(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.

(4)In paragraph (c) of that sub-paragraph—

(a)omit “or” at the end of sub-paragraph (i), and

(b)at the end insert “; or

(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.

(5)After paragraph (c) of that sub-paragraph insert—

“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6)After sub-paragraph (1) insert—

“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Overseas Companies Regulations 2009 (S.I. 2009/1801)

340(1)Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2)The existing text becomes sub-paragraph (1).

(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.

(4)In paragraph (c) of that sub-paragraph—

(a)omit “or” at the end of sub-paragraph (i), and

(b)at the end insert “; or

(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.

(5)After paragraph (c) of that sub-paragraph insert—

“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6)After sub-paragraph (1) insert—

“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)

341The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.

Provision of Services Regulations 2009 (S.I. 2009/2999)

342In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—

“(d)matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

INSPIRE Regulations 2009 (S.I. 2009/3157)

343(1)Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.

(2)In paragraph (2)—

(a)omit “or” at the end of sub-paragraph (a),

(b)for sub-paragraph (b) substitute—

“(b)Article 21 of the GDPR (general processing: right to object to processing), or

(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and

(c)omit the words following sub-paragraph (b).

(3)After paragraph (7) insert—

“(8)In this regulation—

“the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR,
(b)
section 34(1) of the Data Protection Act 2018, and
(c)
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(9)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

344(1)Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.

(2)In paragraph (2)—

(a)omit “or” at the end of sub-paragraph (a),

(b)for sub-paragraph (b) substitute—

“(b)Article 21 of the GDPR (general processing: right to object to processing), or

(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and

(c)omit the words following sub-paragraph (b).

(3)After paragraph (6) insert—

“(7)In this regulation—

“the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR,
(b)
section 34(1) of the Data Protection Act 2018, and
(c)
section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(8)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

345The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.

346In regulation 2(2) (interpretation), at the appropriate place insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”

347(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2)In paragraph (7), at the end insert “or the GDPR”.

(3)For paragraph (8) substitute—

348(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2)In paragraph (6), at the end insert “or the GDPR”.

(3)For paragraph (7) substitute—

349(1)Regulation 29 (occurrence reports) is amended as follows.

(2)In paragraph (3), at the end insert “or the GDPR”.

(3)For paragraph (4) substitute—

Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)

350The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.

Pharmacy Order 2010 (S.I. 2010/231)

351The Pharmacy Order 2010 is amended as follows.

352In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.

353(1)Article 9 (inspection and enforcement) is amended as follows.

(2)For paragraph (4) substitute—

“(4)If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”

(3)After paragraph (4) insert—

“(5)In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

354In article 33A (European professional card), after paragraph (2) insert—

“(3)In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

355(1)Article 49 (disclosure of information: general) is amended as follows.

(2)In paragraph (2)(a), after “enactment” insert “or the GDPR”.

(3)For paragraph (3) substitute—

“(3)In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”

(4)After paragraph (5) insert—

“(6)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

356(1)Article 55 (professional performance assessments) is amended as follows.

(2)In paragraph (5)(a), after “enactment” insert “or the GDPR”.

(3)For paragraph (6) substitute—

“(6)In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”

(4)After paragraph (8) insert—

“(9)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

357In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—

“(aa)“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

358(1)Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.

(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.

(3)In paragraph 9 (processing data)—

(a)omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and

(b)after sub-paragraph (2) insert—

“(3)In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”

359(1)The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)

360The Data Protection (Monetary Penalties) Order 2010 is revoked.

National Employment Savings Trust Order 2010 (S.I. 2010/917)

361The National Employment Savings Trust Order 2010 is amended as follows.

362In article 2 (interpretation)—

(a)omit the definition of “data” and “personal data”, and

(b)at the appropriate place insert—

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

363(1)Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.

(2)In paragraph (1)—

(a)for “disclosure of data” substitute “disclosure of information”, and

(b)for “requested data” substitute “requested information”.

(3)In paragraph (2)—

(a)for “requested data” substitute “requested information”,

(b)for “those data are” substitute “the information is”, and

(c)for “receive those data” substitute “receive that information”.

(4)In paragraph (3), for “requested data” substitute “requested information”.

(5)In paragraph (4), for “requested data” substitute “requested information”.

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

364(1)Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2)In paragraph 1(1) (interpretation and general)—

(a)omit the definition of “research purposes”, and

(b)at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3)In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

365(1)Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.

(2)In paragraph (5)—

(a)in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—

(a)which the head teacher could not lawfully disclose to the pupil under the GDPR, or

(b)to which the pupil would have no right of access under the GDPR.”, and

(b)in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—

(a)na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu

(b)na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”

(3)After paragraph (5)—

(a)in the English language text insert—

“(6)In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and

(b)in the Welsh language text insert—

“(6)Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

366In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

367The Police and Crime Commissioner Elections Order 2012 is amended as follows.

368(1)Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.

(2)In paragraph 20 (absent voter lists: supply of copies etc)—

(a)in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b)after sub-paragraph (10) insert—

“(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3)In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b)after that sub-paragraph insert—

“(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

369(1)Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3)In paragraph 5 (restriction on use of documents or of information contained in them)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b)after sub-paragraph (4) insert—

“(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)

370The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)

371Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.

372(1)Paragraph 29(1) (interpretation of Part 8) is amended as follows.

(2)At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3)For the definition of “relevant conditions” substitute—

““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.

(4)Omit the definition of “research purposes”.

373In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 122(5) of the Data Protection Act 2018”.

374In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

375In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

376In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

377In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—

“(a)Article 89 GDPR purposes (as defined in paragraph 29),”.

Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)

378(1)Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.

(2)For paragraph (4) substitute—

“(4)Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

(3)In paragraph (5), after “enactment” insert “or the GDPR”.

(4)After paragraph (6) insert—

“(7)In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”

Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)

379(1)Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.

(2)The existing text becomes paragraph (1).

(3)In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(4)After that paragraph insert—

“(2)In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”

Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)

380In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co-operation in criminal matters).

Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282)

381The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.

The Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R. (N.I.) 2014 No. 224)

382In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—

(a)in paragraph (9), omit sub-paragraph (b) and the word “and” before it, and

(b)in paragraph (11), omit the definition of “processing” and “sensitive personal data” and the word “and” before it.

Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)

383In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—

(a)in paragraph (7), omit sub-paragraph (b) and the word “and” before it, and

(b)omit paragraph (8).

Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)

384(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2)The existing text becomes sub-paragraph (1).

(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.

(4)In paragraph (c) of that sub-paragraph—

(a)omit “or” at the end of sub-paragraph (i), and

(b)at the end insert “; or

(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);”.

(5)After paragraph (c) of that sub-paragraph insert—

“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6)After sub-paragraph (1) insert—

“(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)

385The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.

386(1)Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.

(2)In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3)After paragraph (2) insert—

“(3)In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”

387(1)Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.

(2)For paragraph (1) substitute—

“(1)Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”

(3)After paragraph (3) insert—

“(4)In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)

388The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.

389(1)Regulation 2(1) (interpretation) is amended as follows.

(2)Omit the definition of “Directive 95/46/EC”.

(3)At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

390In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.

391In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

392In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

393In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).

394In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.

Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)

395The Scottish Parliament (Elections etc) Order 2015 is amended as follows.

396(1)Schedule 3 (absent voting) is amended as follows.

(2)In paragraph 16 (absent voting lists: supply of copies etc)—

(a)in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b)after sub-paragraph (10) insert—

(3)In paragraph 20 (restriction on use of absent voting lists)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b)after that sub-paragraph insert—

397(1)Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3)In paragraph 5 (restriction on use of documents or of information contained in them)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b)after sub-paragraph (4) insert—

Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)

398In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.

Register of People with Significant Control Regulations 2016 (S.I. 2016/339)

399Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.

400(1)Paragraph 6 (disclosure to a credit reference agency) is amended as follows.

(2)In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—

“(ii)for the purposes of ensuring that it complies with its data protection obligations;”.

(3)In sub-paragraph (c)—

(a)omit “or” at the end of paragraph (ii), and

(b)at the end insert—

“(iv)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice); or

(v)section 148 of that Act (destroying or falsifying information and documents etc);”

(4)After sub-paragraph (c) insert—

“(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”

401In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—

“(b)for the purposes of ensuring that it complies with its data protection obligations.”

402In Part 3 (interpretation), after paragraph 13 insert—

“14In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—

(a)where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

403The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.

404In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.

405In regulation 3(3) (supervision), omit “under the 1998 Act”.

406For Schedule 2 substitute—

“SCHEDULE 2Information Commissioner’s enforcement powers

Provisions applied for enforcement purposes

1For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 26—

(a)section 140 (publication by the Commissioner);

(b)section 141 (notices from the Commissioner);

(c)section 142 (information notices);

(d)section 143 (information notices: restrictions);

(e)section 144 (false statements made in response to an information notice);

(f)section 145 (information orders);

(g)section 146 (assessment notices);

(h)section 147 (assessment notices: restrictions);

(i)section 148 (destroying or falsifying information and documents etc);

(j)section 149 (enforcement notices);

(k)section 150 (enforcement notices: supplementary);

(l)section 152 (enforcement notices: restrictions);

(m)section 153 (enforcement notices: cancellation and variation);

(n)section 154 and Schedule 15 (powers of entry and inspection);

(o)section 155 and Schedule 16 (penalty notices);

(p)section 156(4)(a) (penalty notices: restrictions);

(q)section 157 (maximum amount of penalty);

(r)section 159 (amount of penalties: supplementary);

(s)section 160 (guidance about regulatory action);

(t)section 161 (approval of first guidance about regulatory action);

(u)section 162 (rights of appeal);

(v)section 163 (determination of appeals);

(w)section 164 (applications in respect of urgent notices);

(x)section 180 (jurisdiction);

(y)section 182(1), (2), (5), (7) and (13) (regulations and consultation);

(z)section 196 (penalties for offences);

(z1)section 197 (prosecution);

(z2)section 202 (proceedings in the First-tier Tribunal: contempt);

(z3)section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2The provisions listed in paragraph 1 have effect as if—

(a)references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;

(b)references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 142 (information notices)

3(1)Section 142 has effect as if subsections (9) and (10) were omitted.

(2)In that section, subsection (1) has effect as if—

(a)in paragraph (a)—

(i)for “controller or processor” there were substituted “trust service provider”;

(ii)for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;

(b)paragraph (b) were omitted.

(3)In that section, subsection (2) has effect as if paragraph (a) were omitted.

Modification of section 143 (information notices: restrictions)

4(1)Section 143 has effect as if subsections (1) and (9) were omitted.

(2)In that section—

(a)subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;

(b)subsection (7)(a) has effect as if for “this Act” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”;

(c)subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “section 148 or paragraph 15 of Schedule 15”.

Modification of section 145 (information orders)

5Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “section 142(2)”.

Modification of section 146 (assessment notices)

6(1)Section 146 has effect as if subsection (11) were omitted.

(2)In that section—

(a)subsection (1) has effect as if—

(i)for “controller or processor” (in both places) there were substituted “trust service provider”;

(ii)for “the data protection legislation” there were substituted “the eIDAS requirements”;

(b)subsection (2) has effect as if paragraphs (h) and (i) were omitted;

(c)subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider.

(d)subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15”.

Modification of section 147 (assessment notices: restrictions)

7(1)Section 147 has effect as if subsections (5) and (6) were omitted.

(2)In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 149 (enforcement notices)

8(1)Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.

(2)In that section—

(a)subsection (1) has effect as if—

(i)for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;

(ii)for “sections 150 and 151” there were substituted “section 150”;

(b)subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.

Modification of section 150 (enforcement notices: supplementary)

9(1)Section 150 has effect as if subsection (3) were omitted.

(2)In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” and “or distress” were omitted.

Modification of section 152 (enforcement notices: restrictions)

10Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Withdrawal notices

11The provisions listed in paragraph 1 have effect as if after section 153 there were inserted—

“Withdrawal notices

153AWithdrawal notices

(1)The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—

(a)the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and

(b)the condition in subsection (2) or (3) is met.

(2)The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.

(3)The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—

(a)the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and

(b)the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

(4)A withdrawal notice must—

(a)state when the withdrawal takes effect, and

(b)provide information about the rights of appeal under section 162.”

Modification of Schedule 15 (powers of entry and inspection)

12(1)Schedule 15 has effect as if paragraph 3 were omitted.

(2)Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

“(a)there are reasonable grounds for suspecting that—

(i)a trust service provider has failed or is failing to comply with the eIDAS requirements, or

(ii)an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,”.

(3)Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a)in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “trust service provider”;

(b)in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.

(4)Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a)in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;

(b)in sub-paragraph (2)(d)—

(i)for “controller or processor” there were substituted “trust service provider”;

(ii)for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”;

(c)in sub-paragraph (3)(a) and (d)—

(i)for “controller or processor” there were substituted “trust service provider”;

(ii)for “the data protection legislation” there were substituted “the eIDAS requirements”.

(5)Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 155 (penalty notices)

13(1)Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.

(2)Subsection (2) of that section has effect as if—

(a)the words “Subject to subsection (4),” were omitted;

(b)in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.

(3)Subsection (3) of that section has effect as if—

(a)for “controller or processor”, in each place, there were substituted “trust services provider”;

(b)in paragraph (c), the words “or distress” were omitted;

(c)in paragraph (c), for “data subjects” there were substituted “relying parties”;

(d)in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.

Modification of Schedule 16 (penalties)

14Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 157 (maximum amount of penalty)

15Section 157 has effect as if subsections (1) to (3) and (6) were omitted.

Modification of section 159 (amount of penalties: supplementary)

16Section 159 has effect as if—

(a)in subsection (1), the words “Article 83 of the GDPR and” were omitted;

(b)in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.

Modification of section 160 (guidance about regulatory action)

17(1)Section 160 has effect as if subsections (5) and (12) were omitted.

(2)In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “trust service providers”.

Modification of section 162 (rights of appeal)

18(1)Section 162 has effect as if subsection (4) were omitted.

(2)In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—

“(ca)a withdrawal notice;”.

Modification of section 163 (determination of appeals)

19Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)

20(1)Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.

(2)Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.

Modification of section 182 (regulations and consultation)

21Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.

Modification of section 196 (penalties for offences)

22(1)Section 196 has effect as if subsections (3) to (5) were omitted.

(2)In that section—

(a)subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b)subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “section 144 or 148”.

Modification of section 197 (prosecution)

23Section 197 has effect as if subsections (3) to (6) were omitted.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)

24Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 162”.

Modification of section 203 (Tribunal Procedure Rules)

25Section 203 has effect as if—

(a)in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 162”;

(b)in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.

Approval of first guidance about regulatory action

26(1)This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).

(2)Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).

(3)Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.

(4)Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.

Interpretation

27In this Schedule—

“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;
“the EITSET Regulations” means these Regulations;
“withdrawal notice” has the meaning given in section 153A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”

Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)

407The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.

408In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—

(a)Article 5(1) of the GDPR, and

(b)section 34(1) of the Data Protection Act 2018.”

409In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—

(a)Article 5(1) of the GDPR, and

(b)section 34(1) of the Data Protection Act 2018.”

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)

410The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.

411In regulation 3(1) (interpretation), at the appropriate places insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.

412In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—

(a)the Data Protection Act 2018 or any other enactment, or

(b)the GDPR.”

413In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—

(a)the Data Protection Act 2018 or any other enactment, or

(b)the GDPR.”

414For regulation 40(9)(c) (record keeping) substitute—

“(c)“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

(d)“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

415(1)Regulation 41 (data protection) is amended as follows.

(2)Omit paragraph (2).

(3)In paragraph (3)(a), after “Regulations” insert “or the GDPR”.

(4)Omit paragraphs (4) and (5).

(5)After those paragraphs insert—

“(6)Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—

(a)for the purposes of preventing money laundering or terrorist financing, or

(b)as permitted under paragraph (3).

(7)In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.

(8)In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).

(9)In this regulation—

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);
“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”

416(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.

(2)In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3)For paragraph (11) substitute—

“(11)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

417(1)Regulation 85 (publication: the Commissioners) is amended as follows.

(2)In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3)For paragraph (10) substitute—

“(10)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

418For regulation 106(a) (general restrictions) substitute—

“(a)a disclosure in contravention of the data protection legislation; or”.

419After paragraph 27 of Schedule 3 (relevant offences) insert—

“27AAn offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”

Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)

420(1)Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.

(2)The existing text becomes sub-paragraph (1).

(3)For paragraph (b) of that sub-paragraph substitute—

“(b)for the purposes of ensuring that it complies with its data protection obligations.”

(4)After sub-paragraph (1) insert—

“(2)In this paragraph, “data protection obligations”, in relation to a relevant institution, means—

(a)where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)

421In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—

““data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);”;

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.

National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)

422The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.

423(1)Regulation 1 (citation and commencement) is amended as follows.

(2)In paragraph (2), omit “Subject to paragraph (3),”.

(3)Omit paragraph (3).

424In regulation 3(1) (interpretation)—

(a)omit the definition of “the 1998 Act”,

(b)at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and

(c)omit the definition of “GDPR”.

425(1)Schedule 6 (other contractual terms) is amended as follows.

(2)In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—

(a)the data protection legislation, or

(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”

(3)For paragraph 64 (meaning of data controller etc.) substitute—

“Meaning of controller etc.

64AFor the purposes of this Part—

“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
“data protection officer” means a person designated as a data protection officer under the data protection legislation;
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”

(4)In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.

(5)In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—

(i)the data protection legislation, and

(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

(6)In paragraph 94(4) (variation of a contract: general)—

(a)omit paragraph (b), and

(b)after paragraph (d) (but before the final “and”) insert—

“(da)the data protection legislation;

(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)

426The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.

427(1)Regulation 1 (citation and commencement) is amended as follows.

(2)In paragraph (2), omit “Subject to paragraph (3),”.

(3)Omit paragraph (3).

428In regulation 3(1) (interpretation)—

(a)omit the definition of “the 1998 Act”, and

(b)at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and

(c)omit the definition of “GDPR”.

429(1)Schedule 1 (content of agreements) is amended as follows.

(2)In paragraph 34 (interpretation)—

(a)in sub-paragraph (1)—

(i)omit “Subject to sub-paragraph (3),”,

(ii)before paragraph (a) insert—

“(za)“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);

(zb)“data protection officer” means a person designated as a data protection officer under the data protection legislation;”, and

(iii)for paragraph (d) substitute—

“(e)“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”,

(b)omit sub-paragraphs (2) and (3),

(c)in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—

(a)the data protection legislation, or

(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and

(d)in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.

(3)In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—

(i)the data protection legislation, and

(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

(4)In paragraph 61(3) (variation of agreement: general)—

(a)omit paragraph (b), and

(b)after paragraph (d) (but before the final “and”) insert—

“(da)the data protection legislation;

(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

Yn ôl i’r brig

legislation.gov.uk

Chwilio Deddfwriaeth

Data Protection Act 2018

You are here:

Pa Fersiwn

Nodweddion Uwch

Dewisiadau Agor

Rhagor o Adnoddau

Status:

PART 2Amendments of other legislation

Estate Agents (Specified Offences) (No. 2) Order 1991 (S.I. 1991/1091)

Channel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)

Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

“7Data Protection Act 2018

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

“9Data Protection Act 2018

Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)

Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I. 2000/185)

Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)

Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)

Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)

Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)

Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)

Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)

Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)

Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)

Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)

Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)

Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

Nursing and Midwifery Order 2001 (S.I. 2002/253)

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)

Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)

Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)

Environmental Information Regulations 2004 (S.I. 2004/3391)

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)

Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

“5Data Protection Act 2018

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

Overseas Companies Regulations 2009 (S.I. 2009/1801)

Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)

Provision of Services Regulations 2009 (S.I. 2009/2999)

INSPIRE Regulations 2009 (S.I. 2009/3157)

INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)

Pharmacy Order 2010 (S.I. 2010/231)

Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)

National Employment Savings Trust Order 2010 (S.I. 2010/917)

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)