1In this Part of this Schedule, “the listed GDPR provisions” means—
(a)the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—
(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(iv)Article 16 (right to rectification);
(v)Article 17(1) and (2) (right to erasure);
(vi)Article 18(1) (restriction of processing);
(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(viii)Article 20(1) and (2) (right to data portability);
(ix)Article 21(1) (objections to processing);
(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and
(b)the following provisions of the GDPR (the application of which may be adapted by virtue of Article 6(3) of the GDPR)—
(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;
(ii)Article 5(1)(b) (purpose limitation).
2(1)The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
(c)the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2)Sub-paragraph (3) applies where—
(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.
(3)Controller 2 is exempt from the obligations in the following provisions of the GDPR—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).
3(1)The GDPR provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.
(2)A risk assessment system falls within this sub-paragraph if—
(a)it is operated by a government department, a local authority or another authority administering housing benefit, and
(b)it is operated for the purposes of—
(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or
(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.
(3)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).
4(1)The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—
(a)the maintenance of effective immigration control, or
(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
(2)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 17(1) and (2) (right to erasure);
(e)Article 18(1) (restriction of processing);
(f)Article 21(1) (objections to processing);
(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).
(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)
(3)Sub-paragraph (4) applies where—
(a)personal data is processed by a person (“Controller 1”), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for any of the purposes mentioned in sub-paragraph (1)(a) and (b) and processes it for any of those purposes.
(4)Controller 1 is exempt from the obligations in the following provisions of the GDPR—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).
5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—
(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure.