xmlns:atom="http://www.w3.org/2005/Atom"

SCHEDULES

Section 15

SCHEDULE 2Exemptions etc from the GDPR

PART 1Adaptations and restrictions based on Articles 6(3) and 23(1)

GDPR provisions to be adapted or restricted: “the listed GDPR provisions”

1In this Part of this Schedule, “the listed GDPR provisions” means—

(a)the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)Article 16 (right to rectification);

(v)Article 17(1) and (2) (right to erasure);

(vi)Article 18(1) (restriction of processing);

(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)Article 20(1) and (2) (right to data portability);

(ix)Article 21(1) (objections to processing);

(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and

(b)the following provisions of the GDPR (the application of which may be adapted by virtue of Article 6(3) of the GDPR)—

(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;

(ii)Article 5(1)(b) (purpose limitation).

Crime and taxation: general

2(1)The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—

(a)the prevention or detection of crime,

(b)the apprehension or prosecution of offenders, or

(c)the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).

(2)Sub-paragraph (3) applies where—

(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and

(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.

(3)Controller 2 is exempt from the obligations in the following provisions of the GDPR—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

Crime and taxation: risk assessment systems

3(1)The GDPR provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.

(2)A risk assessment system falls within this sub-paragraph if—

(a)it is operated by a government department, a local authority or another authority administering housing benefit, and

(b)it is operated for the purposes of—

(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or

(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.

(3)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).

Immigration

4(1)The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—

(a)the maintenance of effective immigration control, or

(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(2)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 17(1) and (2) (right to erasure);

(e)Article 18(1) (restriction of processing);

(f)Article 21(1) (objections to processing);

(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

(3)Sub-paragraph (4) applies where—

(a)personal data is processed by a person (“Controller 1”), and

(b)another person (“Controller 2”) obtains the data from Controller 1 for any of the purposes mentioned in sub-paragraph (1)(a) and (b) and processes it for any of those purposes.

(4)Controller 1 is exempt from the obligations in the following provisions of the GDPR—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).

Information required to be disclosed by law etc or in connection with legal proceedings

5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.

(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.

(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—

(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

to the extent that the application of those provisions would prevent the controller from making the disclosure.

PART 2Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34

GDPR provisions to be restricted: “the listed GDPR provisions”

6In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 16 (right to rectification);

(e)Article 17(1) and (2) (right to erasure);

(f)Article 18(1) (restriction of processing);

(g)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(h)Article 20(1) and (2) (right to data portability);

(i)Article 21(1) (objections to processing);

(j)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).

Functions designed to protect the public etc

7The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—

(a)is designed as described in column 1 of the Table, and

(b)meets the condition relating to the function specified in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE
Description of function designCondition

1. The function is designed to protect members of the public against—

(a)

financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or

(b)

financial loss due to the conduct of discharged or undischarged bankrupts.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

2. The function is designed to protect members of the public against—

(a)

dishonesty, malpractice or other seriously improper conduct, or

(b)

unfitness or incompetence.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

3. The function is designed—

(a)

to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration,

(b)

to protect the property of charities or community interest companies from loss or misapplication, or

(c)

to recover the property of charities or community interest companies.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

4. The function is designed—

(a)

to secure the health, safety and welfare of persons at work, or

(b)

to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

5. The function is designed to protect members of the public against—

(a)

maladministration by public bodies,

(b)

failures in services provided by public bodies, or

(c)

a failure of a public body to provide a service which it is a function of the body to provide.

The function is conferred by any enactment on—

(a)

the Parliamentary Commissioner for Administration,

(b)

the Commissioner for Local Administration in England,

(c)

the Health Service Commissioner for England,

(d)

the Public Services Ombudsman for Wales,

(e)

the Northern Ireland Public Services Ombudsman,

(f)

the Prison Ombudsman for Northern Ireland, or

(g)

the Scottish Public Services Ombudsman.

6. The function is designed—

(a)

to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business,

(b)

to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or

(c)

to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.

The function is conferred on the Competition and Markets Authority by an enactment.

Audit functions

8(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2)The functions are any function that is conferred by an enactment on—

(a)the Comptroller and Auditor General;

(b)the Auditor General for Scotland;

(c)the Auditor General for Wales;

(d)the Comptroller and Auditor General for Northern Ireland.

Functions of the Bank of England

9(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2)Relevant function of the Bank of England” means—

(a)a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);

(b)a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;

(c)a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.

Regulatory functions relating to legal services, the health service and children’s services

10(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2)The functions are—

(a)a function of the Legal Services Board;

(b)the function of considering a complaint under the scheme established under Part 6 of the Legal Services Act 2007 (legal complaints);

(c)the function of considering a complaint under—

(i)section 14 of the NHS Redress Act 2006,

(ii)section 113(1) or (2) or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,

(iii)section 24D or 26 of the Children Act 1989, or

(iv)Part 2A of the Public Services Ombudsman (Wales) Act 2005;

(d)the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).

Regulatory functions of certain other persons

11The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—

(a)is a function of a person described in column 1 of the Table, and

(b)is conferred on that person as described in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE
Person on whom function is conferredHow function is conferred
1. The Commissioner.

By or under—

(a)

the data protection legislation;

(b)

the Freedom of Information Act 2000;

(c)

section 244 of the Investigatory Powers Act 2016;

(d)

the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

(e)

the Environmental Information Regulations 2004 (S.I. 2004/3391);

(f)

the INSPIRE Regulations 2009 (S.I. 2009/3157);

(g)

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

(h)

the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415);

(i)

the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).

2. The Scottish Information Commissioner.

By or under—

(a)

the Freedom of Information (Scotland) Act 2002 (asp 13);

(b)

the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);

(c)

the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).

3. The Pensions Ombudsman.By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.
4. The Board of the Pension Protection Fund.By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
5. The Ombudsman for the Board of the Pension Protection Fund.By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
6. The Pensions Regulator.By an enactment.
7. The Financial Conduct Authority.By or under the Financial Services and Markets Act 2000 or by another enactment.
8. The Financial Ombudsman.By or under Part 16 of the Financial Services and Markets Act 2000.
9. The investigator of complaints against the financial regulators.By or under Part 6 of the Financial Services Act 2012.
10. A consumer protection enforcer, other than the Competition and Markets Authority.By or under the CPC Regulation.
11. The monitoring officer of a relevant authority.By or under the Local Government and Housing Act 1989.
12. The monitoring officer of a relevant Welsh authority.By or under the Local Government Act 2000.
13. The Public Services Ombudsman for Wales.By or under the Local Government Act 2000.
14. The Charity Commission.

By or under—

(a)

the Charities Act 1992;

(b)

the Charities Act 2006;

(c)

the Charities Act 2011.

12In the Table in paragraph 11—

Parliamentary privilege

13The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

Judicial appointments, judicial independence and judicial proceedings

14(1)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel.

(2)The listed GDPR provisions do not apply to personal data processed by—

(a)an individual acting in a judicial capacity, or

(b)a court or tribunal acting in its judicial capacity.

(3)As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointments

15(1)The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.

(2)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for any of the following offices—

(a)archbishops and diocesan and suffragan bishops in the Church of England;

(b)deans of cathedrals of the Church of England;

(c)deans and canons of the two Royal Peculiars;

(d)the First and Second Church Estates Commissioners;

(e)lord-lieutenants;

(f)Masters of Trinity College and Churchill College, Cambridge;

(g)the Provost of Eton;

(h)the Poet Laureate;

(i)the Astronomer Royal.

(3)The Secretary of State may by regulations amend the list in sub-paragraph (2) to—

(a)remove an office, or

(b)add an office to which appointments are made by Her Majesty.

(4)Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.

PART 3Restriction based on Article 23(1): protection of rights of others

Protection of the rights of others: general

16(1)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.

(2)Sub-paragraph (1) does not remove the controller’s obligation where—

(a)the other individual has consented to the disclosure of the information to the data subject, or

(b)it is reasonable to disclose the information to the data subject without the consent of the other individual.

(3)In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—

(a)the type of information that would be disclosed,

(b)any duty of confidentiality owed to the other individual,

(c)any steps taken by the controller with a view to seeking the consent of the other individual,

(d)whether the other individual is capable of giving consent, and

(e)any express refusal of consent by the other individual.

(4)For the purposes of this paragraph—

(a)information relating to another individual” includes information identifying the other individual as the source of information;

(b)an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from—

(i)that information, or

(ii)that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain.

Assumption of reasonableness for health workers, social workers and education workers

17(1)For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where—

(a)the health data test is met,

(b)the social work data test is met, or

(c)the education data test is met.

(2)The health data test is met if—

(a)the information in question is contained in a health record, and

(b)the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.

(3)The social work data test is met if—

(a)the other individual is—

(i)a children’s court officer,

(ii)a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or

(iii)a person who has provided for reward a service that is similar to a service provided in the exercise of any relevant social services functions, and

(b)the information relates to the other individual in an official capacity or the other individual supplied the information—

(i)in an official capacity, or

(ii)in a case within paragraph (a)(iii), in connection with providing the service mentioned in paragraph (a)(iii).

(4)The education data test is met if—

(a)the other individual is an education-related worker, or

(b)the other individual is employed by an education authority (within the meaning of the Education (Scotland) Act 1980) in pursuance of its functions relating to education and—

(i)the information relates to the other individual in his or her capacity as such an employee, or

(ii)the other individual supplied the information in his or her capacity as such an employee.

(5)In this paragraph—

PART 4Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15

GDPR provisions to be restricted: “the listed GDPR provisions”

18In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (c).

Legal professional privilege

19The listed GDPR provisions do not apply to personal data that consists of—

(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or

(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

Self incrimination

20(1)A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(2)The reference to an offence in sub-paragraph (1) does not include an offence under—

(a)this Act,

(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or

(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(3)Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act.

Corporate finance

21(1)The listed GDPR provisions do not apply to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person to the extent that either Condition A or Condition B is met.

(2)Condition A is that the application of the listed GDPR provisions would be likely to affect the price of an instrument.

(3)Condition B is that—

(a)the relevant person reasonably believes that the application of the listed GDPR provisions to the personal data in question could affect a decision of a person—

(i)whether to deal in, subscribe for or issue an instrument, or

(ii)whether to act in a way likely to have an effect on a business activity (such as an effect on the industrial strategy of a person, the capital structure of an undertaking or the legal or beneficial ownership of a business or asset), and

(b)the application of the listed GDPR provisions to that personal data would have a prejudicial effect on the orderly functioning of financial markets or the efficient allocation of capital within the economy.

(4)In this paragraph—

(5)In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.

Management forecasts

22The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned.

Negotiations

23The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations.

Confidential references

24The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—

(a)the education, training or employment (or prospective education, training or employment) of the data subject,

(b)the placement (or prospective placement) of the data subject as a volunteer,

(c)the appointment (or prospective appointment) of the data subject to any office, or

(d)the provision (or prospective provision) by the data subject of any service.

Exam scripts and exam marks

25(1)The listed GDPR provisions do not apply to personal data consisting of information recorded by candidates during an exam.

(2)Where personal data consists of marks or other information processed by a controller—

(a)for the purposes of determining the results of an exam, or

(b)in consequence of the determination of the results of an exam,

the duty in Article 12(3) or (4) of the GDPR for the controller to provide information requested by the data subject within a certain time period, as it applies to Article 15 of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), is modified as set out in sub-paragraph (3).

(3)Where a question arises as to whether the controller is obliged by Article 15 of the GDPR to disclose personal data, and the question arises before the day on which the exam results are announced, the controller must provide the information mentioned in Article 12(3) or (4)—

(a)before the end of the period of 5 months beginning when the question arises, or

(b)if earlier, before the end of the period of 40 days beginning with the announcement of the results.

(4)In this paragraph, “exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity.

(5)For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.

PART 5Exemptions etc based on Article 85(2) for reasons of freedom of expression and information

Journalistic, academic, artistic and literary purposes

26(1)In this paragraph, “the special purposes” means one or more of the following—

(a)the purposes of journalism;

(b)academic purposes;

(c)artistic purposes;

(d)literary purposes.

(2)Sub-paragraph (3) applies to the processing of personal data carried out for the special purposes if—

(a)the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and

(b)the controller reasonably believes that the publication of the material would be in the public interest.

(3)The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.

(4)In determining whether publication would be in the public interest the controller must take into account the special importance of the public interest in the freedom of expression and information.

(5)In determining whether it is reasonable to believe that publication would be in the public interest, the controller must have regard to any of the codes of practice or guidelines listed in sub-paragraph (6) that is relevant to the publication in question.

(6)The codes of practice and guidelines are—

(a)BBC Editorial Guidelines;

(b)Ofcom Broadcasting Code;

(c)Editors’ Code of Practice.

(7)The Secretary of State may by regulations amend the list in sub-paragraph (6).

(8)Regulations under sub-paragraph (7) are subject to the affirmative resolution procedure.

(9)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the GDPR (which may be exempted or derogated from by virtue of Article 85(2) of the GDPR)—

(a)in Chapter II of the GDPR (principles)—

(i)Article 5(1)(a) to (e) (principles relating to processing);

(ii)Article 6 (lawfulness);

(iii)Article 7 (conditions for consent);

(iv)Article 8(1) and (2) (child’s consent);

(v)Article 9 (processing of special categories of data);

(vi)Article 10 (data relating to criminal convictions etc);

(vii)Article 11(2) (processing not requiring identification);

(b)in Chapter III of the GDPR (rights of the data subject)—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)Article 16 (right to rectification);

(v)Article 17(1) and (2) (right to erasure);

(vi)Article 18(1)(a), (b) and (d) (restriction of processing);

(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)Article 20(1) and (2) (right to data portability);

(ix)Article 21(1) (objections to processing);

(c)in Chapter IV of the GDPR (controller and processor)—

(i)Article 34(1) and (4) (communication of personal data breach to the data subject);

(ii)Article 36 (requirement for controller to consult Commissioner prior to high risk processing);

(d)in Chapter V of the GDPR (transfers of data to third countries etc), Article 44 (general principles for transfers);

(e)in Chapter VII of the GDPR (co-operation and consistency)—

(i)Articles 60 to 62 (co-operation);

(ii)Articles 63 to 67 (consistency).

PART 6Derogations etc based on Article 89 for research, statistics and archiving

Research and statistics

27(1)The listed GDPR provisions do not apply to personal data processed for—

(a)scientific or historical research purposes, or

(b)statistical purposes,

to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.

This is subject to sub-paragraph (3).

(2)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the GDPR (the rights in which may be derogated from by virtue of Article 89(2) of the GDPR)—

(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)Article 16 (right to rectification);

(c)Article 18(1) (restriction of processing);

(d)Article 21(1) (objections to processing).

(3)The exemption in sub-paragraph (1) is available only where—

(a)the personal data is processed in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and

(b)as regards the disapplication of Article 15(1) to (3), the results of the research or any resulting statistics are not made available in a form which identifies a data subject.

Archiving in the public interest

28(1)The listed GDPR provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.

This is subject to sub-paragraph (3).

(2)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the GDPR (the rights in which may be derogated from by virtue of Article 89(3) of the GDPR)—

(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)Article 16 (right to rectification);

(c)Article 18(1) (restriction of processing);

(d)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(e)Article 20(1) (right to data portability);

(f)Article 21(1) (objections to processing).

(3)The exemption in sub-paragraph (1) is available only where the personal data is processed in accordance with Article 89(1) of the GDPR (as supplemented by section 19).