Crime and taxation: general
2(1)The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
(c)the assessment or collection of a tax or duty or an imposition of a similar nature,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
(2)Sub-paragraph (3) applies where—
(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.
(3)Controller 2 is exempt from the obligations in the following provisions of the GDPR—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).