SCHEDULES

SCHEDULE 2U.K.Exemptions etc from the [F1UK GDPR]

PART 1U.K.Adaptations and restrictions [F2as described in] Articles 6(3) and 23(1)

[F3UK GDPR] provisions to be adapted or restricted: “the listed GDPR provisions”U.K.

1U.K.In this Part of this Schedule, “the listed GDPR provisions” means—

(a)the following provisions of the [F4UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F4UK GDPR])—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)Article 16 (right to rectification);

(v)Article 17(1) and (2) (right to erasure);

(vi)Article 18(1) (restriction of processing);

(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)Article 20(1) and (2) (right to data portability);

(ix)Article 21(1) (objections to processing);

(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and

(b)the following provisions of the [F5UK GDPR] (the application of which may be adapted by virtue of Article 6(3) of the [F5UK GDPR])—

(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;

(ii)Article 5(1)(b) (purpose limitation).

Crime and taxation: generalU.K.

2(1)The listed GDPR provisions and Article 34(1) and (4) of the [F6UK GDPR] (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—U.K.

(a)the prevention or detection of crime,

(b)the apprehension or prosecution of offenders, or

(c)the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).

(2)Sub-paragraph (3) applies where—

(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and

(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.

(3)Controller 2 is exempt from the obligations in the following provisions of the [F7UK GDPR]—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

Crime and taxation: risk assessment systemsU.K.

3(1)The [F8UK GDPR] provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.U.K.

(2)A risk assessment system falls within this sub-paragraph if—

(a)it is operated by a government department, a local authority or another authority administering housing benefit, and

(b)it is operated for the purposes of—

(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or

(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.

(3)The [F9UK GDPR] provisions referred to in sub-paragraph (1) are the following provisions of the [F9UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F9UK GDPR])—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).

ImmigrationU.K.

4(1)The [F10relevant UK GDPR provisions] do not apply to personal data processed [F11by the Secretary of State] for any of the following purposes—U.K.

(a)the maintenance of effective immigration control, or

(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

F12[F13(1A). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F14(1B). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(1C)Paragraphs 4A and 4B make provision about F15... safeguards in connection with the exemption in [F16sub-paragraph (1)].]

(2)[F17In sub-paragraph (1) and paragraph 4A, the “relevant UK GDPR provisions”] are the following provisions of the [F18UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F18UK GDPR])—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 17(1) and (2) (right to erasure);

(e)Article 18(1) (restriction of processing);

(f)Article 21(1) (objections to processing);

(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

F19(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F20(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F21Immigration: safeguards: immigration exemption decisionsU.K.

4A.(1)A decision under paragraph 4(1) as to whether, and the extent to which, the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) (referred to in this paragraph as “an immigration exemption decision”) must be made in accordance with this paragraph.U.K.

(2)An immigration exemption decision must be made—

(a)on a case by case basis,

(b)separately in respect of each of the relevant UK GDPR provisions mentioned in paragraph 4(2)(a) to (f) which relates to the data subject, and

(c)afresh on each occasion on which the Secretary of State considers disapplying or restricting the application of any of the relevant UK GDPR provisions mentioned in paragraph 4(2)(a) to (f) in relation to the data subject.

(3)When making an immigration exemption decision, the Secretary of State must take into account all the circumstances of the case, including at least the following—

(a)any potential vulnerability of the data subject that is relevant to the decision,

(b)all the rights and freedoms of the data subject including the data subject’s Convention rights, and

(c)any relevant duties or obligations of the United Kingdom, the Secretary of State or any other person, including—

(i)the United Kingdom’s obligations under the Refugee Convention and the Trafficking Convention,

(ii)any duty under section 55 of the Borders, Citizenship and Immigration Act 2009 (duty regarding the welfare of children), and

(iii)the need to ensure compliance with the UK GDPR.

(4)A decision that the application of a particular relevant UK GDPR provision mentioned in paragraph 4(2)(a) to (f) (or that provision in combination with the provision mentioned in paragraph 4(2)(g), so far as it applies) would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) may be made only if—

(a)the application of that provision or those provisions would give rise to a substantial risk of prejudice to any of the matters mentioned in paragraph 4(1)(a) and (b),

(b)that risk outweighs the risk of prejudice to the interests of the data subject concerned that would arise if the exemption in paragraph 4(1) were to apply in relation to that provision or those provisions, and

(c)the application of the exemption in relation to that provision or those provisions is necessary and proportionate to the risks in the particular case.

(5)In this paragraph—

• “Convention rights” has the same meaning as in the Human Rights Act 1998 (see section 1(1) of that Act);

• “the Refugee Convention” means the Convention relating to the Status of Refugees, done at Geneva on 28 July 1951, and its Protocol;

• “the Trafficking Convention” means the Council of Europe Convention on Action against Trafficking in Human Beings, done at Warsaw on 16 May 2005.]

[F21Immigration: safeguard: record of decision that exemption appliesU.K.

4B.(1)Where the Secretary of State makes a decision mentioned in paragraph 4A(4), the Secretary of State must keep a record of it and the reasons for it.U.K.

(2)Where sub-paragraph (1) applies, the Secretary of State must also inform the data subject of the decision unless, in the particular circumstances of the case, the Secretary of State considers that doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).]

Information required to be disclosed by law etc or in connection with legal proceedingsU.K.

5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.U.K.

(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.

(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—

(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

to the extent that the application of those provisions would prevent the controller from making the disclosure.