Section 22
SCHEDULE 6The applied GDPR and the applied Chapter 2
PART 1Modifications to the GDPR
Introductory
1In its application by virtue of section 22(1), the GDPR has effect as if it were modified as follows.
References to the GDPR and its provisions
2(1)References to “this Regulation” and to provisions of the GDPR have effect as references to the applied GDPR and to the provisions of the applied GDPR.
(2)But sub-paragraph (1) does not have effect—
(a)in the case of the references which are modified or inserted by paragraphs 9(f)(ii), 15(b), 16(a)(ii), 35, 36(a) and (e)(ii) and 38(a)(i);
(b)in relation to the references in points (a) and (b) of paragraph 2 of Article 61, as inserted by paragraph 49.
References to Union law and Member State law
3(1)References to “Union law”, “Member State law”, “the law of a Member State” and “Union or Member State law” have effect as references to domestic law.
(2)Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule.
(3)In this paragraph, “domestic law” means the law of the United Kingdom, or of a part of the United Kingdom, and includes law in the form of an enactment, an instrument made under Her Majesty’s prerogative or a rule of law.
References to the Union and to Member States
4(1)References to “the Union”, “a Member State” and “Member States” have effect as references to the United Kingdom.
(2)Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule (including paragraph 3(1)).
References to supervisory authorities
5(1)References to a “supervisory authority”, a “competent supervisory authority” or “supervisory authorities”, however expressed, have effect as references to the Commissioner.
(2)Sub-paragraph (1) does not apply to the references in—
(a)Article 4(21) as modified by paragraph 9(f);
(b)Article 57(1)(h);
(c)Article 61(1) inserted by paragraph 49.
(3)Sub-paragraph (1) is also subject to the specific modifications made in this Part of this Schedule.
References to the national parliament
6References to “the national parliament” have effect as references to both Houses of Parliament.
Chapter I of the GDPR (general provisions)
7For Article 2 (material scope) substitute—
“2This Regulation applies to the processing of personal data to which Chapter 3 of Part 2 of the 2018 Act applies (see section 21 of that Act).”
8For Article 3 substitute—
“Article 3Territorial application
Subsections (1), (2) and (7) of section 207 of the 2018 Act have effect for the purposes of this Regulation as they have effect for the purposes of that Act but as if the following were omitted—
(a)in subsection (1), the reference to subsection (3), and
(b)in subsection (7), the words following paragraph (d).”
9In Article 4 (definitions)—
(a)in paragraph (7) (meaning of “controller”), for “; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” substitute “, subject to section 6 of the 2018 Act (meaning of “controller”)”;
(b)after paragraph (7) insert—
“(7A)“the 2018 Act” means the Data Protection Act 2018 as applied by section 22 of that Act and further modified by section 3 of that Act.”;
(c)omit paragraph (16) (meaning of “main establishment”);
(d)omit paragraph (17) (meaning of “representative”);
(e)in paragraph (20) (meaning of “binding corporate rules”), for “on the territory of a Member State” substitute “in the United Kingdom”;
(f)in paragraph (21) (meaning of “supervisory authority”)—
(i)after “a Member State” insert “(other than the United Kingdom)”;
(ii)for “Article 51” substitute “Article 51 of the GDPR”;
(g)after paragraph (21) insert—
“(21A)“the Commissioner” means the Information Commissioner (see section 114 of the 2018 Act);”;
(h)omit paragraph (22) (meaning of “supervisory authority concerned”);
(i)omit paragraph (23) (meaning of “cross-border processing”);
(j)omit paragraph (24) (meaning of “relevant and reasoned objection”);
(k)after paragraph (26) insert—
“(27)“the GDPR” has the meaning given in section 3(10) of the 2018 Act.
(28)“domestic law” has the meaning given in paragraph 3(3) of Schedule 6 to the 2018 Act.”
Chapter II of the GDPR (principles)
10In Article 6 (lawfulness of processing)—
(a)omit paragraph 2;
(b)in paragraph 3, for the first subparagraph substitute—
“In addition to the provision made in section 15 of and Part 1 of Schedule 2 to the 2018 Act, a legal basis for the processing referred to in point (c) and (e) of paragraph 1 may be laid down by the Secretary of State in regulations (see section 16 of the 2018 Act).”;
(c)in paragraph 3, in the second subparagraph, for “The Union or the Member State law shall” substitute “The regulations must”.
11In Article 8 (conditions applicable to child’s consent in relation to information society services)—
(a)in paragraph 1, for the second subparagraph substitute—
“This paragraph is subject to section 9 of the 2018 Act.”;
(b)in paragraph 3, for “the general contract law of Member States” substitute “the general law of contract as it operates in domestic law”.
12In Article 9 (processing of special categories of personal data)—
(a)in paragraph 2(a), omit “, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”;
(b)in paragraph 2(b), for “Union or Member State law” substitute “domestic law (see section 10 of the 2018 Act)”;
(c)in paragraph 2, for point (g) substitute—
“(g)processing is necessary for reasons of substantial public interest and is authorised by domestic law (see section 10 of the 2018 Act);”;
(d)in paragraph 2(h), for “Union or Member State law” substitute “domestic law (see section 10 of the 2018 Act)”;
(e)in paragraph 2(i), for “Union or Member State law” insert “domestic law (see section 10 of the 2018 Act);”;
(f)in paragraph 2, for point (j) substitute—
“(j)processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) and is authorised by domestic law (see section 10 of that Act).”;
(g)in paragraph 3, for “national competent bodies”, in both places, substitute “a national competent body of the United Kingdom”;
(h)omit paragraph 4.
13In Article 10 (processing of personal data relating to criminal convictions and offences), in the first sentence, for “Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” substitute “domestic law (see section 10 of the 2018 Act)”.
Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)
14In Article 12 (transparent information etc for the exercise of the rights of the data subject), omit paragraph 8.
Section 2 of Chapter III of the GDPR (rights of the data subject: information and access to personal data)
15In Article 13 (personal data collected from data subject: information to be provided), in paragraph 1—
(a)in point (a), omit “and, where applicable, of the controller’s representative”;
(b)in point (f), after “the Commission” insert “pursuant to Article 45(3) of the GDPR”.
16In Article 14 (personal data collected other than from data subject: information to be provided)—
(a)in paragraph 1—
(i)in point (a), omit “and, where applicable, of the controller’s representative”;
(ii)in point (f), after “the Commission” insert “pursuant to Article 45(3) of the GDPR”;
(b)in paragraph 5(c), for “Union or Member State law to which the controller is subject” substitute “a rule of domestic law”.
Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)
17In Article 17 (right to erasure (‘right to be forgotten’))—
(a)in paragraph 1(e), for “in Union or Member State law to which the controller is subject” substitute “under domestic law”;
(b)in paragraph 3(b), for “by Union or Member State law to which the controller is subject” substitute “under domestic law”.
18In Article 18 (right to restriction of processing), in paragraph 2, for “of the Union or of a Member State” substitute “of the United Kingdom”.
Section 4 of Chapter III of the GDPR (rights of the data subject: right to object and automated individual decision-making)
19In Article 21 (right to object), in paragraph 5, omit “, and notwithstanding Directive 2002/58/EC,”.
20In Article 22 (automated individual decision-making, including profiling), for paragraph 2(b) substitute—
“(b)is a qualifying significant decision for the purposes of section 14 of the 2018 Act; or”.
Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)
21In Article 23 (restrictions), in paragraph 1—
(a)for “Union or Member State law to which the data controller or processor is subject” substitute “In addition to the provision made by section 15 of and Schedules 2, 3 and 4 to the 2018 Act, the Secretary of State”;
(b)in point (e), for “of the Union or of a Member State”, in both places, substitute “of the United Kingdom”;
(c)after point (j) insert—
“See section 16 of the 2018 Act.”
Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)
22In Article 26 (joint controllers), in paragraph 1, for “Union or Member State law to which the controllers are subject” substitute “domestic law”.
23Omit Article 27 (representatives of controllers or processors not established in the Union).
24In Article 28 (processor)—
(a)in paragraph 3, in point (a), for “Union or Member State law to which the processor is subject” substitute “domestic law”;
(b)in paragraph 3, in the second subparagraph, for “other Union or Member State data protection provisions” substitute “any other rule of domestic law relating to data protection”;
(c)in paragraph 6, for “paragraphs 7 and 8” substitute “paragraph 8”;
(d)omit paragraph 7;
(e)in paragraph 8, omit “and in accordance with the consistency mechanism referred to in Article 63”.
25In Article 30 (records of processing activities)—
(a)in paragraph 1, in the first sentence, omit “and, where applicable, the controller’s representative,”;
(b)in paragraph 1, in point (a), omit “, the controller’s representative”;
(c)in paragraph 1, in point (g), after “32(1)” insert “or section 28(3) of the 2018 Act”;
(d)in paragraph 2, in the first sentence, omit “and, where applicable, the processor’s representative”;
(e)in paragraph 2, in point (a), omit “the controller’s or the processor’s representative, and”;
(f)in paragraph 2, in point (d), after “32(1)” insert “or section 28(3) of the 2018 Act”;
(g)in paragraph 4, omit “and, where applicable, the controller’s or the processor’s representative,”.
26In Article 31 (co-operation with the supervisory authority), omit “and, where applicable, their representatives,”.
Section 3 of Chapter IV of the GDPR (controller and processor: data protection impact assessment and prior consultation)
27In Article 35 (data protection impact assessment), omit paragraphs 4, 5, 6 and 10.
28In Article 36 (prior consultation)—
(a)for paragraph 4 substitute—
“4The Secretary of State must consult the Commissioner during the preparation of any proposal for a legislative measure which relates to processing.”;
(b)omit paragraph 5.
Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)
29In Article 37 (designation of data protection officers), omit paragraph 4.
30In Article 39 (tasks of the data protection officer), in paragraph 1(a) and (b), for “other Union or Member State data protection provisions” substitute “other rules of domestic law relating to data protection”.
Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)
31In Article 40 (codes of conduct)—
(a)in paragraph 1, for “The Member States, the supervisory authorities, the Board and the Commission shall” substitute “The Commissioner must”;
(b)omit paragraph 3;
(c)in paragraph 6, omit “, and where the code of conduct concerned does not relate to processing activities in several Member States”;
(d)omit paragraphs 7 to 11.
32In Article 41 (monitoring of approved codes of conduct), omit paragraph 3.
33In Article 42 (certification)—
(a)in paragraph 1—
(i)for “The Member States, the supervisory authorities, the Board and the Commission” substitute “The Commissioner”;
(ii)omit “, in particular at Union level,”;
(b)omit paragraph 2;
(c)in paragraph 5, omit “or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal”;
(d)omit paragraph 8.
34In Article 43 (certification bodies)—
(a)in paragraph 1, in the second sentence, for “Member States shall ensure that those certification bodies are” substitute “Those certification bodies must be”;
(b)in paragraph 2, in point (b), omit “or by the Board pursuant to Article 63”;
(c)in paragraph 3, omit “or by the Board pursuant to Article 63”;
(d)in paragraph 6, omit the second and third sentences;
(e)omit paragraphs 8 and 9.
Chapter V of the GDPR (transfers of data to third countries or international organisations)
35In Article 45 (transfers on the basis of an adequacy decision)—
(a)in paragraph 1, after “decided” insert “in accordance with Article 45 of the GDPR”;
(b)after paragraph 1 insert—
“1ABut a transfer of personal data to a third country or international organisation must not take place under paragraph 1, if the Commission’s decision in relation to the third country (including a territory or sector within it) or the international organisation—
(a)is suspended,
(b)has been amended, or
(c)has been repealed,
by the Commission under Article 45(5) of the GDPR.”;
(c)omit paragraphs 2 to 8;
(d)in paragraph 9, for “of this Article” substitute “of Article 45 of the GDPR”.
36In Article 46 (transfers subject to appropriate safeguards)—
(a)in paragraph 1, for “Article 45(3)” substitute “Article 45(3) of the GDPR”;
(b)in paragraph 2, omit point (c);
(c)in paragraph 2, in point (d), omit “and approved by the Commission pursuant to the examination procedure referred to in Article 93(2)”;
(d)omit paragraph 4;
(e)in paragraph 5—
(i)in the first sentence, for “a Member State or supervisory authority” substitute “the Commissioner”;
(ii)in the second sentence, for “this Article” substitute “Article 46 of the GDPR”.
37In Article 47 (binding corporate rules)—
(a)in paragraph 1, in the first sentence, omit “in accordance with the consistency mechanism set out in Article 63”;
(b)in paragraph 2, in point (e), for “the competent courts of the Member States” substitute “a court”;
(c)in paragraph 2, in point (f), for “on the territory of a Member State” substitute “in the United Kingdom”;
(d)omit paragraph 3.
38In Article 49 (derogations for specific situations)—
(a)in paragraph 1, in the first sentence—
(i)for “Article 45(3)” substitute “Article 45(3) of the GDPR”;
(ii)for “Article 46” substitute “Article 46 of this Regulation”;
(b)in paragraph 4, for “Union law or in the law of the Member State to which the controller is subject” substitute “domestic law (see section 18 of the 2018 Act which makes certain provision about the public interest)”;
(c)for paragraph 5 substitute—
“5Paragraph 1 is subject to any regulations made under section 18(2) of the 2018 Act.”
39In Article 50 (international co-operation for the protection of personal data), omit “the Commission and”.
Section 1 of Chapter VI of the GDPR (independent supervisory authorities: independent status)
40In Article 51 (supervisory authority)—
(a)in paragraph 1—
(i)for “Each Member State shall provide for one or more independent public authorities to be” substitute “The Commissioner is”;
(ii)omit “and to facilitate the free flow of personal data within the Union (‘supervisory authority’)”;
(b)omit paragraphs 2 to 4.
41In Article 52 (independence)—
(a)in paragraph 2—
(i)for “The member or members of each supervisory authority” substitute “The Commissioner”;
(ii)for “their”, in both places, substitute “the Commissioner’s”;
(b)in paragraph 3—
(i)for “Member or members of each supervisory authority” substitute “The Commissioner”;
(ii)for “their”, in both places, substitute “the Commissioner’s”;
(c)omit paragraphs 4 to 6.
42Omit Article 53 (general conditions for the members of the supervisory authority).
43Omit Article 54 (rules on the establishment of the supervisory authority).
Section 2 of Chapter VI of the GDPR (independent supervisory authorities: competence, tasks and powers)
44In Article 55 (competence)—
(a)in paragraph 1, omit “on the territory of its own Member State”;
(b)omit paragraph 2.
45Omit Article 56 (competence of the lead supervisory authority).
46In Article 57 (tasks)—
(a)in paragraph 1, in the first sentence, for “each supervisory authority shall on its territory” substitute “the Commissioner is to”;
(b)in paragraph 1, in point (e), omit “and, if appropriate, cooperate with the supervisory authorities in other Member States to that end”;
(c)in paragraph 1, in point (f), omit “or coordination with another supervisory authority”;
(d)in paragraph 1, omit points (g), (k) and (t);
(e)after paragraph 1 insert—
“1AIn this Article and Article 58, references to “this Regulation” have effect as references to this Regulation and section 28(3) of the 2018 Act.”
47In Article 58 (powers)—
(a)in paragraph 1, in point (a), omit “, and, where applicable, the controller’s or the processor’s representative”;
(b)in paragraph 1, in point (f), for “Union or Member State procedural law” substitute “domestic law”;
(c)in paragraph 3, in point (b), for “the Member State government” substitute “the Secretary of State”;
(d)in paragraph 3, omit point (c);
(e)omit paragraphs 4 to 6.
48In Article 59 (activity reports)—
(a)for “, the government and other authorities as designated by Member State law” substitute “and the Secretary of State”;
(b)omit “, to the Commission and to the Board”.
Chapter VII of the GDPR (co-operation and consistency)
49For Articles 60 to 76 substitute—
“Article 61Co-operation with other supervisory authorities etc
1The Commissioner may, in connection with carrying out the Commissioner’s functions under this Regulation—
(a)co-operate with, provide assistance to and seek assistance from other supervisory authorities;
(b)conduct joint operations with other supervisory authorities, including joint investigations and joint enforcement measures.
2The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to—
(a)decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR;
(b)any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”
Chapter VIII of the GDPR (remedies, liability and penalties)
50In Article 77 (right to lodge a complaint with a supervisory authority)—
(a)in paragraph 1, omit “in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement”;
(b)in paragraph 2, for “The supervisory authority with which the complaint has been lodged” substitute “The Commissioner”.
51In Article 78 (right to an effective judicial remedy against a supervisory authority)—
(a)omit paragraph 2;
(b)for paragraph 3 substitute—
“3Proceedings against the Commissioner are to be brought before a court in the United Kingdom.”;
(c)omit paragraph 4.
52In Article 79 (right to an effective judicial remedy against a controller or processor), for paragraph 2 substitute—
“2Proceedings against a controller or a processor are to be brought before a court (see section 180 of the 2018 Act).”
53In Article 80 (representation of data subjects)—
(a)in paragraph 1, omit “where provided for by Member State law”;
(b)in paragraph 2, for “Member States” substitute “The Secretary of State”;
(c)after that paragraph insert—
“3The power under paragraph 2 may only be exercised by making regulations under section 190 of the 2018 Act.”
54Omit Article 81 (suspension of proceedings).
55In Article 82 (right to compensation and liability), for paragraph 6 substitute—
“6Proceedings for exercising the right to receive compensation are to be brought before a court (see section 180 of the 2018 Act).”
56In Article 83 (general conditions for imposing administrative fines)—
(a)in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “under Part 5 or 6 of Schedule 2 to the 2018 Act or under regulations made under section 16 of that Act”;
(b)in paragraph 7—
(i)for “each Member State” substitute “the Secretary of State”;
(ii)for “that Member State” substitute “the United Kingdom”;
(c)for paragraph 8 substitute—
“8Section 115(9) of the 2018 Act makes provision about the exercise of the Commissioner’s powers under this Article.”;
(d)omit paragraph 9.
57In Article 84 (penalties)—
(a)for paragraph 1 substitute—
“1The rules on other penalties applicable to infringements of this Regulation are set out in the 2018 Act (see in particular Part 6 (enforcement)).”;
(b)omit paragraph 2.
Chapter IX of the GDPR (provisions relating to specific processing situations)
58In Article 85 (processing and freedom of expression and information)—
(a)omit paragraph 1;
(b)in paragraph 2, for “Member States shall” substitute “the Secretary of State, in addition to the relevant provisions, may by way of regulations (see section 16 of the 2018 Act),”;
(c)in paragraph 2, at the end insert—
“In this paragraph, “the relevant provisions” means section 15 of and Part 5 of Schedule 2 to the 2018 Act.”;
(d)omit paragraph 3.
59In Article 86 (processing and public access to official documents), for “Union or Member State law to which the public authority or body is subject” substitute “domestic law”.
60Omit Article 87 (processing of national identification number).
61Omit Article 88 (processing in the context of employment).
62In Article 89 (safeguards and derogations relating to processing for archiving purposes etc)—
(a)in paragraph 2, for “Union or Member State law may” substitute “the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act)”;
(b)in paragraph 3, for “Union or Member State law may” substitute “the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act)”;
(c)after paragraph 3 insert—
“3AIn this Article “the relevant provisions” means section 15 of and Part 6 of Schedule 2 to the 2018 Act.”
63Omit Article 90 (obligations of secrecy).
64Omit Article 91 (existing data protection rules of churches and religious associations).
Chapter X of the GDPR (delegated acts and implementing acts)
65Omit Article 92 (exercise of the delegation).
66Omit Article 93 (committee procedure).
Chapter XI of the GDPR (final provisions)
67Omit Article 94 (repeal of Directive 95/46/EC).
68Omit Article 95 (relationship with Directive 2002/58/EC).
69In Article 96 (relationship with previously concluded Agreements), for “by Member States” substitute “by the United Kingdom or the Commissioner”.
70Omit Article 97 (Commission reports).
71Omit Article 98 (Commission reviews).
72Omit Article 99 (entry into force and application).
PART 2Modifications to Chapter 2 of Part 2
Introductory
73In its application by virtue of section 22(2), Chapter 2 of Part 2 has effect as if it were modified as follows.
General modifications
74(1)References to Chapter 2 of Part 2 and the provisions of that Chapter have effect as references to the applied Chapter 2 and the provisions of the applied Chapter 2 .
(2)References to the GDPR and to the provisions of the GDPR have effect as references to the applied GDPR and to the provisions of the applied GDPR, except in section 18(2)(a).
(3)References to the processing of personal data to which Chapter 2 applies have effect as references to the processing of personal data to which Chapter 3 applies.
Exemptions
75In section 16 (power to make further exemptions etc by regulations), in subsection (1)(a), for “Member State law” substitute “the Secretary of State”.