(1)The Commissioner is to be the supervisory authority in the United Kingdom for the purposes of Article 51 of the GDPR.
(2)General functions are conferred on the Commissioner by—
(a)Article 57 of the GDPR (tasks), and
(b)Article 58 of the GDPR (powers),
(and see also the Commissioner’s duty under section 2).
(3)The Commissioner’s functions in relation to the processing of personal data to which the GDPR applies include—
(a)a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data, and
(b)a power to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.
(4)The Commissioner’s functions under Article 58 of the GDPR are subject to the safeguards in subsections (5) to (9).
(5)The Commissioner’s power under Article 58(1)(a) of the GDPR (power to require a controller or processor to provide information that the Commissioner requires for the performance of the Commissioner’s tasks under the GDPR) is exercisable only by giving an information notice under section 142.
(6)The Commissioner’s power under Article 58(1)(b) of the GDPR (power to carry out data protection audits) is exercisable only in accordance with section 146.
(7)The Commissioner’s powers under Article 58(1)(e) and (f) of the GDPR (power to obtain information from controllers and processors and access to their premises) are exercisable only—
(a)in accordance with Schedule 15 (see section 154), or
(b)to the extent that they are exercised in conjunction with the power under Article 58(1)(b) of the GDPR, in accordance with section 146.
(8)The following powers are exercisable only by giving an enforcement notice under section 149—
(a)the Commissioner’s powers under Article 58(2)(c) to (g) and (j) of the GDPR (certain corrective powers);
(b)the Commissioner’s powers under Article 58(2)(h) to order a certification body to withdraw, or not to issue, a certification under Articles 42 and 43 of the GDPR.
(9)The Commissioner’s powers under Articles 58(2)(i) and 83 of the GDPR (administrative fines) are exercisable only by giving a penalty notice under section 155.
(10)This section is without prejudice to other functions conferred on the Commissioner, whether by the GDPR, this Act or otherwise.