6In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 16 (right to rectification);
(e)Article 17(1) and (2) (right to erasure);
(f)Article 18(1) (restriction of processing);
(g)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
(h)Article 20(1) and (2) (right to data portability);
(i)Article 21(1) (objections to processing);
(j)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).
7The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
(a)is designed as described in column 1 of the Table, and
(b)meets the condition relating to the function specified in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
| Description of function design | Condition |
|---|---|
1. The function is designed to protect members of the public against— (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or (b) financial loss due to the conduct of discharged or undischarged bankrupts. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
2. The function is designed to protect members of the public against— (a) dishonesty, malpractice or other seriously improper conduct, or (b) unfitness or incompetence. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
3. The function is designed— (a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration, (b) to protect the property of charities or community interest companies from loss or misapplication, or (c) to recover the property of charities or community interest companies. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
4. The function is designed— (a) to secure the health, safety and welfare of persons at work, or (b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work. | The function is— (a) conferred on a person by an enactment, (b) a function of the Crown, a Minister of the Crown or a government department, or (c) of a public nature, and is exercised in the public interest. |
5. The function is designed to protect members of the public against— (a) maladministration by public bodies, (b) failures in services provided by public bodies, or (c) a failure of a public body to provide a service which it is a function of the body to provide. | The function is conferred by any enactment on— (a) the Parliamentary Commissioner for Administration, (b) the Commissioner for Local Administration in England, (c) the Health Service Commissioner for England, (d) the Public Services Ombudsman for Wales, (e) the Northern Ireland Public Services Ombudsman, (f) the Prison Ombudsman for Northern Ireland, or (g) the Scottish Public Services Ombudsman. |
6. The function is designed— (a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business, (b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or (c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market. | The function is conferred on the Competition and Markets Authority by an enactment. |
8(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
(2)The functions are any function that is conferred by an enactment on—
(a)the Comptroller and Auditor General;
(b)the Auditor General for Scotland;
(c)the Auditor General for Wales;
(d)the Comptroller and Auditor General for Northern Ireland.
9(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
(2)“Relevant function of the Bank of England” means—
(a)a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);
(b)a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;
(c)a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.
10(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
(2)The functions are—
(a)a function of the Legal Services Board;
(b)the function of considering a complaint under the scheme established under Part 6 of the Legal Services Act 2007 (legal complaints);
(c)the function of considering a complaint under—
(i)section 14 of the NHS Redress Act 2006,
(ii)section 113(1) or (2) or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
(iii)section 24D or 26 of the Children Act 1989, or
(iv)Part 2A of the Public Services Ombudsman (Wales) Act 2005;
(d)the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).
11The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
(a)is a function of a person described in column 1 of the Table, and
(b)is conferred on that person as described in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
| Person on whom function is conferred | How function is conferred |
|---|---|
| 1. The Commissioner. | By or under— (a) the data protection legislation; (b) the Freedom of Information Act 2000; (c) section 244 of the Investigatory Powers Act 2016; (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426); (e) the Environmental Information Regulations 2004 (S.I. 2004/3391); (f) the INSPIRE Regulations 2009 (S.I. 2009/3157); (g) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC; (h) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415); (i) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696). |
| 2. The Scottish Information Commissioner. | By or under— (a) the Freedom of Information (Scotland) Act 2002 (asp 13); (b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520); (c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440). |
| 3. The Pensions Ombudsman. | By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland. |
| 4. The Board of the Pension Protection Fund. | By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
| 5. The Ombudsman for the Board of the Pension Protection Fund. | By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
| 6. The Pensions Regulator. | By an enactment. |
| 7. The Financial Conduct Authority. | By or under the Financial Services and Markets Act 2000 or by another enactment. |
| 8. The Financial Ombudsman. | By or under Part 16 of the Financial Services and Markets Act 2000. |
| 9. The investigator of complaints against the financial regulators. | By or under Part 6 of the Financial Services Act 2012. |
| 10. A consumer protection enforcer, other than the Competition and Markets Authority. | By or under the CPC Regulation. |
| 11. The monitoring officer of a relevant authority. | By or under the Local Government and Housing Act 1989. |
| 12. The monitoring officer of a relevant Welsh authority. | By or under the Local Government Act 2000. |
| 13. The Public Services Ombudsman for Wales. | By or under the Local Government Act 2000. |
| 14. The Charity Commission. | By or under— (a) the Charities Act 1992; (b) the Charities Act 2006; (c) the Charities Act 2011. |
12In the Table in paragraph 11—
“consumer protection enforcer” has the same meaning as “CPC enforcer” in section 213(5A) of the Enterprise Act 2002;
the “CPC Regulation” has the meaning given in section 235A of the Enterprise Act 2002;
the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);
the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;
“relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;
“relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.
13The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.
14(1)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel.
(2)The listed GDPR provisions do not apply to personal data processed by—
(a)an individual acting in a judicial capacity, or
(b)a court or tribunal acting in its judicial capacity.
(3)As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.
15(1)The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
(2)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for any of the following offices—
(a)archbishops and diocesan and suffragan bishops in the Church of England;
(b)deans of cathedrals of the Church of England;
(c)deans and canons of the two Royal Peculiars;
(d)the First and Second Church Estates Commissioners;
(e)lord-lieutenants;
(f)Masters of Trinity College and Churchill College, Cambridge;
(g)the Provost of Eton;
(h)the Poet Laureate;
(i)the Astronomer Royal.
(3)The Secretary of State may by regulations amend the list in sub-paragraph (2) to—
(a)remove an office, or
(b)add an office to which appointments are made by Her Majesty.
(4)Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.