Data Protection Act 2018

PART 2U.K.General processing

CHAPTER 1U.K.Scope and definitions

4Processing to which this Part appliesU.K.

(1)This Part is relevant to most processing of personal data.

(2)[F1This Part]—

(a)applies to the types of processing of personal data to which the [F2UK GDPR] applies by virtue of Article 2 of the [F2UK GDPR], and

(b)supplements, and must be read with, the [F2UK GDPR].

F3(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5DefinitionsU.K.

(1)Terms used in F4... this Part and in the [F5UK GDPR] have the same meaning in [F6this Part as] they have in the [F5UK GDPR].

(2)In subsection (1), the reference to a term's meaning in the [F7UK GDPR] is to its meaning in the [F7UK GDPR] read with any provision of [F8this Part] which modifies the term's meaning for the purposes of the [F7UK GDPR].

(3)Subsection (1) is subject to any provision in [F9this Part] which provides expressly for the term to have a different meaning and to section 204.

F10(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F10(5). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F10(6). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(7)A reference in F11... this Part to the processing of personal data is to processing to which [F12this Part] applies.

(8)Sections 3 and 205 include definitions of other expressions used in this Part.

CHAPTER 2U.K.[F13 The UK GDPR]

Meaning of certain terms used in the [F14UK GDPR] U.K.

6Meaning of “controller”U.K.

(1)The definition of “controller” in Article [F154(1)(7)] of the [F16UK GDPR] has effect subject to—

(a)subsection (2),

(b)section 209, and

(c)section 210.

(2)For the purposes of the [F17UK GDPR], where personal data is processed only—

(a)for purposes for which it is required by an enactment to be processed, and

(b)by means by which it is required by an enactment to be processed,

the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

7Meaning of “public authority” and “public body”U.K.

(1)For the purposes of the [F18UK GDPR], the following (and only the following) are “public authorities” and “public bodies” F19...—

(a)a public authority as defined by the Freedom of Information Act 2000,

(b)a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13),

[F20(ba)the Advanced Research and Invention Agency,] and

(c)an authority or body specified or described by the Secretary of State in regulations,

subject to subsections (2), (3) and (4).

(2)An authority or body that falls within subsection (1) is only a “public authority” or “public body” for the purposes of the [F21UK GDPR] when performing a task carried out in the public interest or in the exercise of official authority vested in it.

(3)The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—

(a)a parish council in England;

(b)a community council in Wales;

(c)a community council in Scotland;

(d)a parish meeting constituted under section 13 of the Local Government Act 1972;

(e)a community meeting constituted under section 27 of that Act;

(f)charter trustees constituted—

(i)under section 246 of that Act,

(ii)under Part 1 of the Local Government and Public Involvement in Health Act 2007, or

(iii)by the Charter Trustees Regulations 1996 (S.I. 1996/263).

(4)The Secretary of State may by regulations provide that a person specified or described in the regulations that is a public authority [F22described or mentioned in subsection (1)(a), (b) or (ba)] is not a “public authority” or “public body” for the purposes of the [F23UK GDPR].

(5)Regulations under this section are subject to the affirmative resolution procedure.

Lawfulness of processingU.K.

8Lawfulness of processing: public interest etcU.K.

In Article 6(1) of the [F24UK GDPR] (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of F25... official authority includes processing of personal data that is necessary for—

(a)the administration of justice,

(b)the exercise of a function of either House of Parliament,

(c)the exercise of a function conferred on a person by an enactment or rule of law,

(d)the exercise of a function of the Crown, a Minister of the Crown or a government department, or

(e)an activity that supports or promotes democratic engagement.

F269Child's consent in relation to information society servicesU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F27Relevant international lawU.K.

9AProcessing in reliance on relevant international lawU.K.

(1)Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.

(2)A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.

(3)The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—

(a)conditions,

(b)provision about the purposes for which a condition may be relied on, and

(c)safeguards in connection with processing carried out in reliance on a condition in the Schedule.

(4)Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.

(5)Regulations under this section are subject to the affirmative resolution procedure.

(6)In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).]

Special categories of personal dataU.K.

10Special categories of personal data and criminal convictions etc dataU.K.

(1)Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the [F28UK GDPR] (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—

(a)point (b) (employment, social security and social protection);

(b)point (g) (substantial public interest);

(c)point (h) (health and social care);

(d)point (i) (public health);

(e)point (j) (archiving, research and statistics).

(2)The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the [F29UK GDPR] for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.

(3)The processing meets the requirement in point (g) of Article 9(2) of the [F30UK GDPR] for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.

(4)Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5)The processing meets the requirement in Article [F3110(1) of the UK GDPR] for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

(6)The Secretary of State may by regulations—

(a)amend Schedule 1—

(i)by adding or varying conditions or safeguards, and

(ii)by omitting conditions or safeguards added by regulations under this section, and

(b)consequentially amend this section.

(7)Regulations under this section are subject to the affirmative resolution procedure.

11Special categories of personal data etc: supplementaryU.K.

(1)For the purposes of Article 9(2)(h) of the [F32UK GDPR] (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the [F32UK GDPR] (obligation of secrecy) include circumstances in which it is carried out—

(a)by or under the responsibility of a health professional or a social work professional, or

(b)by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

(2)In Article 10 of the [F33UK GDPR] and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—

(a)the alleged commission of offences by the data subject, or

(b)proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Rights of the data subjectU.K.

12Limits on fees that may be charged by controllersU.K.

(1)The Secretary of State may by regulations specify limits on the fees that a controller may charge in reliance on—

(a)Article 12(5) of the [F34UK GDPR] (reasonable fees when responding to manifestly unfounded or excessive requests), or

(b)Article 15(3) of the [F35UK GDPR] (reasonable fees for provision of further copies).

(2)The Secretary of State may by regulations—

(a)require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in reliance on those provisions, and

(b)specify what the guidance must include.

(3)Regulations under this section are subject to the negative resolution procedure.

13Obligations of credit reference agenciesU.K.

(1)This section applies where a controller is a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974).

(2)The controller's obligations under Article 15(1) to (3) of the [F36UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject's financial standing, unless the data subject has indicated a contrary intention.

(3)Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the [F37UK GDPR], the disclosure must be accompanied by a statement informing the data subject of the data subject's rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).

[F3813AMeaning of “relevant offence” for purpose of right to erasureU.K.

(1)The Secretary of State may by regulations amend the table in Article 17(5) of the UK GDPR.

(2)Regulations under this section are subject to the affirmative resolution procedure.]

F3914Automated decision-making authorised by law: safeguardsU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F40Exemptions etc] U.K.

15Exemptions etcU.K.

(1)Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the [F41UK GDPR].

(2)In Schedule 2—

(a)Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the [F42UK GDPR] in specified circumstances [F43(of a kind described in] Article 6(3) and Article 23(1) of the [F44UK GDPR)];

(b)Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the [F45UK GDPR] in specified circumstances [F46(of a kind described in] Article 23(1) of the [F47UK GDPR)];

(c)Part 3 makes provision restricting the application of Article 15 of the [F48UK GDPR] where this is necessary to protect the rights of others [F49(of a kind described in] Article 23(1) of the [F50UK GDPR)];

(d)Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the [F51UK GDPR] in specified circumstances [F52(of a kind described in] Article 23(1) of the [F53UK GDPR)];

(e)Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV [F54and V of the UK GDPR] for reasons relating to freedom of expression [F55(of a kind described in Article 85(2) of the UK GDPR)];

(f)Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the [F56UK GDPR] for scientific or historical research purposes, statistical purposes and archiving purposes F57....

(3)Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the [F58UK GDPR] to health, social work, education and child abuse data [F59(of a kind described in] Article 23(1) of the [F60UK GDPR)].

(4)Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the [F61UK GDPR] to information the disclosure of which is prohibited or restricted by an enactment [F62(of a kind described in] Article 23(1) of the [F63UK GDPR)].

[F64(4A)In connection with the manual unstructured processing of personal data held by an FOI public authority, see Chapter 3 of this Part (sections 21, 24 and 25).]

(5)In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part [F65(sections 26 to 28)].

16Power to make further exemptions etc by regulationsU.K.

(1)The following powers to make provision altering the application of the [F66UK GDPR] may be exercised by way of regulations made by the Secretary of State under this section—

(a)the power in Article 6(3) F67... to lay down a legal basis containing specific provisions to adapt the application of rules of the [F68UK GDPR] where processing is necessary for compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of official authority;

(b)the power in Article 23(1) to make [F69provision] restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest;

(c)the power in Article 85(2) to provide for exemptions or derogations from certain Chapters of the [F70UK GDPR] where necessary to reconcile the protection of personal data with the freedom of expression and information.

(2)Regulations under this section may—

(a)amend Schedules 2 to 4—

(i)by adding or varying provisions, and

(ii)by omitting provisions added by regulations under this section, F71...

(b)consequentially amend section 15 [F72, and

(c)consequentially amend the UK GDPR by adding, varying or omitting a reference to section 15, Schedule 2, 3 or 4, this section or regulations under this section.]

(3)Regulations under this section are subject to the affirmative resolution procedure.

[F73Certification]U.K.

17Accreditation of certification providersU.K.

(1)Accreditation of a person as a certification provider is only valid when carried out by—

(a)the Commissioner, or

(b)the [F74UK national accreditation body].

(2)The Commissioner may only accredit a person as a certification provider where the Commissioner—

(a)has published a statement that the Commissioner will carry out such accreditation, and

(b)has not published a notice withdrawing that statement.

(3)The [F75UK national accreditation body] may only accredit a person as a certification provider where the Commissioner—

(a)has published a statement that the body may carry out such accreditation, and

(b)has not published a notice withdrawing that statement.

(4)The publication of a notice under subsection (2)(b) or (3)(b) does not affect the validity of any accreditation carried out before its publication.

(5)Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.

(6)The [F76UK national accreditation body] may charge a reasonable fee in connection with, or incidental to, the carrying out of the body's functions under this section, Schedule 5 and Article 43 of the [F77UK GDPR].

(7)The [F78UK national accreditation body] must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the [F79UK GDPR] as the Secretary of State may reasonably require.

(8)In this section—

• “certification provider” means a person who issues certification for the purposes of Article 42 of the [F80UK GDPR];

• “the [F81UK national accreditation body]” means the [F81UK national accreditation body] for the purposes of Article 4(1) of Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.

F82...U.K.

F8217ATransfers based on adequacy regulationsU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8317BTransfers based on adequacy regulations: review etcU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8417CStandard data protection clausesU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8618Transfers of personal data to third countries etc [F85: public interest]U.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F87...U.K.

F8719Processing for archiving, research and statistical purposes: safeguardsU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Minor definitionU.K.

F8820Meaning of “court”U.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CHAPTER 3U.K.[F89Exemptions for manual unstructured processing and for national security and defence purposes]

[F90Definitions]U.K.

21[F91Definitions]U.K.

F92(1). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F92(2). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F92(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F92(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5)In this Chapter, “FOI public authority” means—

(a)a public authority as defined in the Freedom of Information Act 2000, F93...

(b)a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002 (asp 13) [F94, or

(c)the Advanced Research and Invention Agency].

(6)References in this Chapter to personal data “held” by an FOI public authority are to be interpreted—

(a)in relation to England and Wales and Northern Ireland, in accordance with section 3(2) of the Freedom of Information Act 2000, and

(b)in relation to Scotland, in accordance with section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002 (asp 13),

but such references do not include information held by an intelligence service (as defined in section 82) on behalf of an FOI public authority.

(7)But personal data is not to be treated as “held” by an FOI public authority for the purposes of this Chapter, where—

(a)section 7 of the Freedom of Information Act 2000 prevents Parts 1 to 5 of that Act from applying to the personal data, or

(b)section 7(1) of the Freedom of Information (Scotland) Act 2002 (asp 13) prevents that Act from applying to the personal data.

[F95(8)In relation to the Advanced Research and Invention Agency—

(a)for the purposes of subsection (6)(a)—

(i)section 3(2) of the Freedom of Information Act 2000 is to be read as if “public authority” included that Agency, and

(ii)section 3(2) of the Freedom of Information (Scotland) Act 2002 (asp 13) is to be read as if “authority” included that Agency, and

(b)subsection (7) does not apply.]

F96...U.K.

F9622Application of the GDPR to processing to which this Chapter appliesU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F9723Power to make provision in consequence of regulations related to the GDPRU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exemptions etcU.K.

24Manual unstructured data held by FOI public authoritiesU.K.

(1)The provisions of [F98the UK GDPR] and this Act listed in subsection (2) do not apply to personal data to which [F99the UK GDPR] applies by virtue of [F100Article 2(1A)] (manual unstructured personal data held by FOI public authorities).

(2)Those provisions are—

(a)in Chapter II of [F101the UK GDPR] (principles)—

(i)Article 5(1)(a) to (c), (e) and (f) (principles relating to processing, other than the accuracy principle),

(ii)Article 6 (lawfulness),

(iii)Article 7 (conditions for consent),

(iv)Article 8(1) and (2) (child's consent),

(v)Article 9 (processing of special categories of personal data),

(vi)Article 10 (data relating to criminal convictions etc), and

(vii)Article 11(2) (processing not requiring identification);

(b)in Chapter III of [F102the UK GDPR] (rights of the data subject)—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(iii)Article 20 (right to data portability), and

(iv)Article 21(1) (objections to processing);

(c)in Chapter V of [F103the UK GDPR], Articles [F10444A to 49A] (transfers of personal data to third countries or international organisations);

F105[F106(ca). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(cb)in Part 5 of this Act, section 119A (standard clauses for transfers to third countries);]

[F107(d)in Part 7 of this Act, sections 170 and 171 (offences relating to personal data).]

(see also paragraph 1(2) of Schedule 18).

(3)In addition, the provisions of [F108the UK GDPR] listed in subsection (4) do not apply to personal data to which [F109the UK GDPR] applies by virtue of [F110Article 2(1A)] where the personal data relates to appointments, removals, pay, discipline, superannuation or other personnel matters in relation to—

(a)service in any of the armed forces of the Crown;

(b)service in any office or employment under the Crown or under any public authority;

(c)service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in—

(i)Her Majesty,

(ii)a Minister of the Crown,

(iii)the National Assembly for Wales,

(iv)the Welsh Ministers,

(v)a Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000), or

(vi)an FOI public authority.

(4)Those provisions are—

(a)the remaining provisions of Chapters II and III (principles and rights of the data subject);

(b)Chapter IV (controller and processor);

[F111(ba)Chapter 8A (safeguards for processing for research, archiving or statistical purposes);]

(c)Chapter IX (specific processing situations).

(5)A controller is not obliged to comply with Article 15(1) to (3) of [F112the UK GDPR] (right of access by the data subject) in relation to personal data to which [F113the UK GDPR] applies by virtue of [F114Article 2(1A)] if—

(a)the request under [F115Article 15] does not contain a description of the personal data, or

(b)the controller estimates that the cost of complying with the request so far as relating to the personal data would exceed the appropriate maximum.

(6)Subsection (5)(b) does not remove the controller's obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.

(7)An estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.

(8)In subsections (5) and (6), “the appropriate maximum” means the maximum amount specified by the Secretary of State by regulations.

(9)Regulations under subsection (8) are subject to the negative resolution procedure.

25Manual unstructured data used in longstanding historical researchU.K.

(1)The provisions of [F116the UK GDPR] listed in subsection (2) do not apply to personal data to which [F117the UK GDPR] applies by virtue of [F118Article 2(1A)] (manual unstructured personal data held by FOI public authorities) at any time when—

(a)the personal data—

(i)is subject to processing which was already underway immediately before 24 October 1998, and

(ii)is processed only for the purposes of historical research, and

(b)the processing is not carried out—

(i)for the purposes of measures or decisions with respect to a particular data subject, or

(ii)in a way that causes, or is likely to cause, substantial damage or substantial distress to a data subject.

(2)Those provisions are—

(a)in Chapter II F119...(principles), Article 5(1)(d) (the accuracy principle), and

(b)in Chapter III F120... (rights of the data subject)—

(i)Article 16 (right to rectification), and

(ii)Article 17(1) and (2) (right to erasure).

(3)The exemptions in this section apply in addition to the exemptions in section 24.

26National security and defence exemptionU.K.

(1)A provision of [F121the UK GDPR] or this Act mentioned in subsection (2) does not apply to personal data to which [F122the UK GDPR] applies if exemption from the provision is required for—

(a)the purpose of safeguarding national security, or

(b)defence purposes.

(2)The provisions are—

(a)Chapter II of [F123the UK GDPR] (principles) except for—

(i)Article 5(1)(a) (lawful, fair and transparent processing), so far as it requires processing of personal data to be lawful;

(ii)Article 6 (lawfulness of processing);

(iii)Article 9 (processing of special categories of personal data);

(b)Chapter III of [F124the UK GDPR] (rights of data subjects);

(c)in Chapter IV of [F125the UK GDPR]—

(i)Article 33 (notification of personal data breach to the Commissioner);

(ii)Article 34 (communication of personal data breach to the data subject);

(d)Chapter V of [F126the UK GDPR] (transfers of personal data to third countries or international organisations);

(e)in Chapter VI of [F127the UK GDPR]—

(i)Article 57(1)(a) and (h) (Commissioner's duties to monitor and enforce [F127the UK GDPR] and to conduct investigations);

(ii)Article 58 (investigative, corrective, authorisation and advisory powers of Commissioner);

(f)Chapter VIII of [F128the UK GDPR] (remedies, liabilities and penalties) except for—

[F129(ai)Article 77 (right to lodge a complaint with the Commissioner);]

(i)Article 83 (general conditions for imposing administrative fines);

(ii)Article 84 (penalties);

F130(fa). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(g)in Part 5 of this Act—

(i)in section 115 (general functions of the Commissioner), subsections (3) and (8);

(ii)in section 115, subsection (9), so far as it relates to Article 58(2)(i) of [F131the UK GDPR];

(iii)section 119 (inspection in accordance with international obligations);

[F132(iv)section 119A (standard clauses for transfers to third countries);]

(h)in Part 6 of this Act—

(i)sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);

(ii)sections 170 to 173 (offences relating to personal data);

(i)in Part 7 of this Act, section 187 (representation of data subjects).

27National security: certificateU.K.

(1)Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 26(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security is conclusive evidence of that fact.

(2)A certificate under subsection (1)—

(a)may identify the personal data to which it applies by means of a general description, and

(b)may be expressed to have prospective effect.

(3)Any person directly affected by a certificate under subsection (1) may appeal to the Tribunal against the certificate.

(4)If, on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing a certificate, the Tribunal may—

(a)allow the appeal, and

(b)quash the certificate.

(5)Where, in any proceedings under or by virtue of [F133the UK GDPR] or this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.

(6)But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.

(7)On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.

(8)A document purporting to be a certificate under subsection (1) is to be—

(a)received in evidence, and

(b)deemed to be such a certificate unless the contrary is proved.

(9)A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—

(a)in any legal proceedings, evidence of that certificate;

(b)in any legal proceedings in Scotland, sufficient evidence of that certificate.

(10)The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—

(a)a Minister who is a member of the Cabinet, or

(b)the Attorney General or the Advocate General for Scotland.

28National security and defence: modifications to Articles 9 and 32 of the [F134UK GDPR] U.K.

(1)Article 9(1) of [F135the UK GDPR] (prohibition on processing of special categories of personal data) does not prohibit the processing of personal data to which [F136the UK GDPR] applies to the extent that the processing is carried out—

(a)for the purpose of safeguarding national security or for defence purposes, and

(b)with appropriate safeguards for the rights and freedoms of data subjects.

(2)Article 32 of [F137the UK GDPR] (security of processing) does not apply to a controller or processor to the extent that the controller or the processor (as the case may be) is processing personal data to which [F138the UK GDPR] applies for—

(a)the purpose of safeguarding national security, or

(b)defence purposes.

(3)Where Article 32 of [F139the UK GDPR] does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.

(4)For the purposes of subsection (3), where the processing of personal data is carried out wholly or partly by automated means, the controller or the processor must, following an evaluation of the risks, implement measures designed to—

(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with the processing,

(b)ensure that it is possible to establish the precise details of any processing that takes place,

(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

[F140(5)The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3).]