PART 7 Supplementary and final provision
SCHEDULES
Special categories of personal data and criminal convictions etc data
PART 1 Conditions relating to employment, health and research etc
PART 2 Substantial public interest conditions
Requirement for an appropriate policy document when relying on conditions in this Part
Racial and ethnic diversity at senior levels of organisations
Regulatory requirements relating to unlawful acts and dishonesty etc
Journalism etc in connection with unlawful acts and dishonesty etc
Support for individuals with a particular disability or medical condition
PART 3 Additional conditions relating to criminal convictions etc
PART 4 Appropriate policy document and additional safeguards
Exemptions etc from the UK GDPR
PART 1 Adaptations and restrictions as described in Articles 6(3) and 23(1)
PART 2 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34
PART 4 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 15
PART 5 Exemptions etc based on Article 85(2) for reasons of freedom of expression and information
PART 6 Derogations etc based on Article 89 for research, statistics and archiving
Exemptions etc from the UK GDPR: health, social work, education and child abuse data
Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment
Accreditation of certification providers: reviews and appeals
The applied GDPR and the applied Chapter 2
PART 1 Modifications to the GDPR
Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)
Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)
Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)
Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)
Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)
Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)
Chapter V of the GDPR (transfers of data to third countries or international organisations)
Section 1 of Chapter VI of the GDPR (independent supervisory authorities: independent status)
Chapter VIII of the GDPR (remedies, liability and penalties)
51.In Article 78 (right to an effective judicial remedy against...
52.In Article 79 (right to an effective judicial remedy against...
55.In Article 82 (right to compensation and liability), for paragraph...
56.In Article 83 (general conditions for imposing administrative fines)—
57.In Article 84 (penalties)— (a) for paragraph 1 substitute— The rules on other penalties applicable to infringements of this...
Chapter IX of the GDPR (provisions relating to specific processing situations)
58.In Article 85 (processing and freedom of expression and information)—...
59.In Article 86 (processing and public access to official documents),...
60.Omit Article 87 (processing of national identification number).
61.Omit Article 88 (processing in the context of employment).
62.In Article 89 (safeguards and derogations relating to processing for...
64.Omit Article 91 (existing data protection rules of churches and...
Chapter X of the GDPR (delegated acts and implementing acts)
1.Any United Kingdom government department other than a non-ministerial government...
Chief officers of police and other policing bodies
5.The chief constable of a police force maintained under section...
8.The Chief Constable of the Police Service of Northern Ireland....
16.The chief officer of— (a) a body of constables appointed...
17.A body established in accordance with a collaboration agreement under...
18.The Director General of the Independent Office for Police Conduct....
Other authorities with investigatory functions
Conditions for sensitive processing under Part 3
Conditions for processing under Part 4
2.The processing is necessary— (a) for the performance of a...
3.The processing is necessary for compliance with a legal obligation...
4.The processing is necessary in order to protect the vital...
5.The processing is necessary— (a) for the administration of justice,...
6.(1) The processing is necessary for the purposes of legitimate...
Co-operation and mutual assistance
Review of processing of personal data for the purposes of journalism
Minor and consequential amendments
PART 1 Amendments of primary legislation
Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))
11.The Pharmacy (Northern Ireland) Order 1976 is amended as follows....
12.In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”....
13.In article 8D (European professional card), after paragraph (3) insert—...
14.In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.),...
15.(1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended...
16.(1) The table in Schedule 2D (functions of the Society...
17.(1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure...
21.(1) Section 35A (General Medical Council's power to require disclosure...
22.In section 49B(7) (Directive 2005/36: designation of competent authority etc.),...
23.In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”....
24.(1) Paragraph 9B of Schedule 1 (incidental powers of the...
25.(1) Paragraph 5A of Schedule 4 (professional performance assessments and...
26.(1) The table in Schedule 4A (functions of the General...
28.(1) Section 33B (the General Dental Council's power to require...
29.In section 36ZA(6) (Directive 2005/36: designation of competent authority etc),...
30.(1) Section 36Y (the General Dental Council's power to require...
31.In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”....
32.(1) The table in Schedule 4ZA (Directive 2005/36: functions of...
Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))
Financial Services and Markets Act 2000 (c. 8)
48.The Financial Services and Markets Act 2000 is amended as...
49.In section 86(9) (exempt offers to the public), for “the...
50.In section 391A(6)(b) (publication: special provisions relating to the capital...
51.In section 391C(7)(a) (publication: special provisions relating to the UCITS...
52.In section 391D(9)(a) (publication: special provisions relating to the markets...
53.In section 417 (definitions), at the appropriate place insert— “the...
Freedom of Information Act 2000 (c. 36)
55.The Freedom of Information Act 2000 is amended as follows....
56.In section 2(3) (absolute exemptions), for paragraph (f) substitute—
57.In section 18 (the Information Commissioner), omit subsection (1).
58.(1) Section 40 (personal information) is amended as follows.
60.For section 61 (appeal proceedings) substitute— Appeal proceedings (1) Tribunal Procedure Rules may make provision for regulating the...
61.In section 76(1) (disclosure of information between Commissioner and ombudsmen),...
62.After section 76A insert— Disclosure of information to Tribunal (1) No enactment or rule of law prohibiting or restricting...
63.In section 77(1)(b) (offence of altering etc records with intent...
64.In section 84 (interpretation), at the appropriate place insert— “the...
Political Parties, Elections and Referendums Act 2000 (c. 41)
Public Finance and Accountability (Scotland) Act 2000 (asp 1)
Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
Proceeds of Crime Act 2002 (c. 29)
80.In section 333C(2)(d) (other permitted disclosures between institutions etc), for...
81.In section 436(3)(a) (disclosure of information to certain Directors), for...
82.In section 438(8)(a) (disclosure of information by certain Directors), for...
83.In section 439(3)(a) (disclosure of information to Lord Advocate and...
84.In section 441(7)(a) (disclosure of information by Lord Advocate and...
85.After section 442 insert— Data protection legislation In this Part, “the data protection legislation” has the same...
Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)
Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)
121.In section 458(2) (disclosure of information by tax authorities)—
122.In section 461(7) (permitted disclosure of information obtained under compulsory...
123.In section 948(9) (restrictions on disclosure) for “the Data Protection...
124.In section 1173(1) (minor definitions: general), at the appropriate place...
125.In section 1224A(7) (restrictions on disclosure), for “the Data Protection...
126.In section 1253D(3) (restriction on transfer of audit working papers...
127.In section 1261(1) (minor definitions: Part 42), at the appropriate...
128.In section 1262 (index of defined expressions: Part 42), at...
129.In Schedule 8 (index of defined expressions: general), at the...
Statistics and Registration Service Act 2007 (c. 18)
133.The Statistics and Registration Service Act 2007 is amended as...
134.(1) Section 45 (information held by HMRC) is amended as...
135.(1) Section 45A (information held by other public authorities) is...
136.(1) Section 45B(3) (access to information held by Crown bodies...
137.(1) Section 45C(13) (power to require disclosures by other public...
138.In section 45D(9)(b) (power to require disclosure by undertakings), for...
139.(1) Section 45E (further provision about powers in sections 45B,...
140.(1) Section 53A (disclosure by the Statistics Board to devolved...
141.(1) Section 54 (Data Protection Act 1998 and Human Rights...
142.In section 67 (general interpretation: Part 1), at the appropriate...
Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))
Investigatory Powers Act 2016 (c. 25)
198.The Investigatory Powers Act 2016 is amended as follows.
200.In section 199 (bulk personal datasets: interpretation), for subsection (2)...
201.In section 202(4) (restriction on use of class BPD warrants),...
202.In section 206 (additional safeguards for health records), for subsection...
203.(1) Section 237 (information gateway) is amended as follows.
Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))
Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))
Digital Economy Act 2017 (c. 30)
216.(1) Section 40 (further provisions about disclosures under sections 35...
217.(1) Section 43 (codes of practice) is amended as follows....
218.(1) Section 49 (further provision about disclosures under section 48)...
219.(1) Section 52 (code of practice) is amended as follows....
220.(1) Section 57 (further provision about disclosures under section 56)...
221.(1) Section 60 (code of practice) is amended as follows....
222.(1) Section 65 (supplementary provision about disclosures under section 64)...
223.(1) Section 70 (code of practice) is amended as follows....
224.Omit sections 108 to 110 (charges payable to the Information...
Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)
PART 2 Amendments of other legislation
Estate Agents (Specified Offences) (No. 2) Order 1991 (S.I. 1991/1091)
Channel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)
Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))
Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)
European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)
Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)
Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)
Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)
Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I. 2000/185)
Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)
Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)
Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)
Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)
Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)
Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)
Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)
Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)
Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)
Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)
Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)
252.The Representation of the People (England and Wales) Regulations 2001...
253.In regulation 3(1) (interpretation), at the appropriate places insert— “Article...
254.In regulation 26(3)(a) (applications for registration), for “the Data Protection...
255.In regulation 26A(2)(a) (application for alteration of register in respect...
256.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act...
257.In regulation 61A (conditions on the use, supply and inspection...
258.(1) Regulation 92(2) (interpretation and application of Part VI etc)...
259.In regulation 96(2A)(b)(i) (restriction on use of the full register),...
263.In regulation 109A(9) and (10) (supply of free copy of...
264.In regulation 119(2) (conditions on the use, supply and disclosure...
Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)
265.The Representation of the People (Scotland) Regulations 2001 are amended...
266.In regulation 3(1) (interpretation), at the appropriate places, insert— “Article...
267.In regulation 26(3)(a) (applications for registration), for “the Data Protection...
268.In regulation 26A(2)(a) (application for alteration of register in respect...
269.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act...
270.In regulation 61(3) (records and lists kept under Schedule 4),...
271.In regulation 61A (conditions on the use, supply and inspection...
272.(1) Regulation 92(2) (interpretation of Part VI etc) is amended...
273.In regulation 95(3)(b)(i) (restriction on use of the full register),...
276.In regulation 108A(9) and (10) (supply of full register to...
277.In regulation 119(2) (conditions on the use, supply and disclosure...
Nursing and Midwifery Order 2001 (S.I. 2002/253)
279.The Nursing and Midwifery Order 2001 is amended as follows....
280.(1) Article 3 (the Nursing and Midwifery Council and its...
281.(1) Article 25 (the Council's power to require disclosure of...
282.In article 39B (European professional card), after paragraph (2) insert—...
283.In article 40(6) (Directive 2005/36/EC: designation of competent authority etc),...
284.(1) Schedule 2B (Directive 2005/36/EC: European professional card) is amended...
285.(1) The table in Schedule 3 (functions of the Council...
286.In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”....
Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)
Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)
Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
Pupils' Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)
European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)
Environmental Information Regulations 2004 (S.I. 2004/3391)
305.The Environmental Information Regulations 2004 are amended as follows.
306.(1) Regulation 2 (interpretation) is amended as follows.
307.(1) Regulation 13 (personal data) is amended as follows.
308.In regulation 14 (refusal to disclose information), in paragraph (3)(b),...
309.In regulation 18 (enforcement and appeal provisions), in paragraph (5),...
Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)
Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)
Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)
Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)
Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)
National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)
National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)
Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)
333.The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations...
334.In regulation 2(1) (interpretation)— (a) at the appropriate place in...
335.(1) Regulation 25 (duty to co-operate by disclosing information as...
336.(1) Regulation 26 (responsible bodies requesting additional information be disclosed...
337.(1) Regulation 29 (occurrence reports) is amended as follows.
Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)
Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)
345.The Controlled Drugs (Supervision of Management and Use) Regulations (Northern...
346.In regulation 2(2) (interpretation), at the appropriate place insert— “the...
347.(1) Regulation 25 (duty to co-operate by disclosing information as...
348.(1) Regulation 26 (responsible bodies requesting additional information be disclosed...
349.(1) Regulation 29 (occurrence reports) is amended as follows.
Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)
Pharmacy Order 2010 (S.I. 2010/231)
352.In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”....
353.(1) Article 9 (inspection and enforcement) is amended as follows....
354.In article 33A (European professional card), after paragraph (2) insert—...
355.(1) Article 49 (disclosure of information: general) is amended as...
356.(1) Article 55 (professional performance assessments) is amended as follows....
357.In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.),...
358.(1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended...
359.(1) The table in Schedule 3 (Directive 2005/36/EC: designation of...
Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)
National Employment Savings Trust Order 2010 (S.I. 2010/917)
Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)
Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))
Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)
Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)
Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)
Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)
371.Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering...
372.(1) Paragraph 29(1) (interpretation of Part 8) is amended as...
373.In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection...
374.In paragraph 33(6) and (7) (supply of copy of business...
375.In paragraph 34(6) and (7) (supply of copy of business...
376.In paragraph 39(8) and (97) (supply of copy of business...
377.In paragraph 45(2) (conditions on the use, supply and disclosure...
Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)
Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)
Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)
Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)
Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)
Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)
European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)
388.The European Union (Recognition of Professional Qualifications) Regulations 2015 are...
389.(1) Regulation 2(1) (interpretation) is amended as follows.
390.In regulation 5(5) (functions of competent authorities in the United...
391.In regulation 45(3) (processing and access to data regarding the...
392.In regulation 46(1) (processing and access to data regarding the...
393.In regulation 48(2) (processing and access to data regarding the...
394.In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute...
Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)
Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)
Register of People with Significant Control Regulations 2016 (S.I. 2016/339)
399.Schedule 4 to the Register of People with Significant Control...
400.(1) Paragraph 6 (disclosure to a credit reference agency) is...
401.In paragraph 12A (disclosure to a credit institution or a...
402.In Part 3 (interpretation), after paragraph 13 insert— In this Schedule, “data protection obligations”, in relation to a...
403.The Electronic Identification and Trust Services for Electronic Transactions Regulations...
404.In regulation 2(1) (interpretation), omit the definition of “the 1998...
405.In regulation 3(3) (supervision), omit “under the 1998 Act”.
406.For Schedule 2 substitute— SCHEDULE 2 Information Commissioner's enforcement powers...
Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)
410.The Money Laundering, Terrorist Financing and Transfer of Funds (Information...
411.In regulation 3(1) (interpretation), at the appropriate places insert— “the...
412.In regulation 16(8) (risk assessment by the Treasury and Home...
413.In regulation 17(9) (risk assessment by supervisory authorities), for “the...
414.For regulation 40(9)(c) (record keeping) substitute— (c) “data subject” has...
415.(1) Regulation 41 (data protection) is amended as follows.
416.(1) Regulation 84 (publication: the Financial Conduct Authority) is amended...
417.(1) Regulation 85 (publication: the Commissioners) is amended as follows....
418.For regulation 106(a) (general restrictions) substitute— (a) a disclosure in...
419.After paragraph 27 of Schedule 3 (relevant offences) insert— An offence under the Data Protection Act 2018, apart from...
Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)
Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)
422.The National Health Service (General Medical Services Contracts) (Scotland) Regulations...
423.(1) Regulation 1 (citation and commencement) is amended as follows....
424.In regulation 3(1) (interpretation)— (a) omit the definition of “the...
425.(1) Schedule 6 (other contractual terms) is amended as follows....
426.The National Health Service (Primary Medical Services Section 17C Agreements)...
427.(1) Regulation 1 (citation and commencement) is amended as follows....
428.In regulation 3(1) (interpretation)— (a) omit the definition of “the...
429.(1) Schedule 1 (content of agreements) is amended as follows....
PART 2 Rights of data subjects
Right to prevent processing likely to cause damage or distress under the 1998 Act
Right to prevent processing for purposes of direct marketing under the 1998 Act
Compensation for contravention of the 1998 Act or Part 4 of the 2014 Regulations
Rectification, blocking, erasure and destruction under the 1998 Act
Prohibition by this Act of requirement to produce relevant records
Avoidance under this Act of certain contractual terms relating to health records
Codes etc required to be consistent with the Commissioner's data-sharing code
Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))
Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2450)
Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
Further transitional provision etc
Part 3 Transfers to third countries and international organisations
5.(1) The following are specified for the purposes of paragraph...
7.UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses
9.UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules
10.Part 3 (law enforcement processing): adequacy decisions and adequacy regulations
11.(1) The following are specified for the purposes of paragraph...