Data Protection Act 2018

Textual Amendments

F1Words in Sch. 2 Pt. 1 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

Textual Amendments

F2Words in Sch. 2 para. 1 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

1U.K.In this Part of this Schedule, “the listed GDPR provisions” means—

(a)the following provisions of the [F3UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F3UK GDPR])—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)Article 16 (right to rectification);

(v)Article 17(1) and (2) (right to erasure);

(vi)Article 18(1) (restriction of processing);

(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)Article 20(1) and (2) (right to data portability);

(ix)Article 21(1) (objections to processing);

(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and

(b)the following provisions of the [F4UK GDPR] (the application of which may be adapted by virtue of Article 6(3) of the [F4UK GDPR])—

(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;

(ii)Article 5(1)(b) (purpose limitation).

Textual Amendments

F3Words in Sch. 2 para. 1(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

F4Words in Sch. 2 para. 1(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(5)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

2(1)The listed GDPR provisions and Article 34(1) and (4) of the [F5UK GDPR] (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—U.K.

(a)the prevention or detection of crime,

(b)the apprehension or prosecution of offenders, or

(c)the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).

(2)Sub-paragraph (3) applies where—

(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and

(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.

(3)Controller 2 is exempt from the obligations in the following provisions of the [F6UK GDPR]—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

Textual Amendments

F5Words in Sch. 2 para. 2(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

F6Words in Sch. 2 para. 2(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(6)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

3(1)The [F7UK GDPR] provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.U.K.

(2)A risk assessment system falls within this sub-paragraph if—

(a)it is operated by a government department, a local authority or another authority administering housing benefit, and

(b)it is operated for the purposes of—

(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or

(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.

(3)The [F8UK GDPR] provisions referred to in sub-paragraph (1) are the following provisions of the [F8UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F8UK GDPR])—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).

Textual Amendments

F7Words in Sch. 2 para. 3(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

F8Words in Sch. 2 para. 3(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(7)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

4(1)The [F9UK GDPR] provisions listed in sub-paragraph (2) do not apply to personal data processed [F10by the Secretary of State] for any of the following purposes—U.K.

(a)the maintenance of effective immigration control, or

(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

[F11(1A)But sub-paragraph (1) does not apply unless the Secretary of State has an immigration exemption policy document in place.

(1B)For the purposes of sub-paragraph (1A), the Secretary of State has an immigration exemption policy document in place if the Secretary of State has produced a document which explains the Secretary of State’s policies and processes for—

(a)determining the extent to which the application of any of the UK GDPR provisions listed in sub-paragraph (2) would be likely to prejudice any of the matters mentioned in sub-paragraph (1)(a) and (b), and

(b)where it is determined that any of those provisions do not apply in relation to personal data processed for any of the purposes mentioned in sub-paragraph (1)(a) and (b), preventing—

(i)the abuse of that personal data, and

(ii)any access to, or transfer of, it otherwise than in accordance with the UK GDPR.

(1C)Paragraphs 4A and 4B make provision about additional safeguards in connection with the exemption in this paragraph.]

(2)The [F12UK GDPR] provisions referred to in [F13sub-paragraphs (1) and (1B)] are the following provisions of the [F12UK GDPR] (the rights and obligations in which may be restricted by virtue of Article 23(1) of the [F12UK GDPR])—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 17(1) and (2) (right to erasure);

(e)Article 18(1) (restriction of processing);

(f)Article 21(1) (objections to processing);

(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

F14(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F15(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Textual Amendments

F9Words in Sch. 2 para. 4(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

F10Words in Sch. 2 para. 4(1) inserted (31.1.2022) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(a)

F11Sch. 2 para. 4(1A)-(1C) inserted (31.1.2022) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(b)

F12Words in Sch. 2 para. 4(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(8)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)

F13Words in Sch. 2 para. 4(2) substituted (31.1.2022) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(c)

F14Sch. 2 para. 4(3) omitted (31.1.2022) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(d)

F15Sch. 2 para. 4(4) omitted (31.1.2022) by virtue of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(2)(d)

Textual Amendments

F16Sch. 2 paras. 4A, 4B inserted (31.1.2022) by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (S.I. 2022/76), regs. 1(2), 2(3)

4A.(1)The Secretary of State must—U.K.

(a)determine the extent to which the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) on a case by case basis, and

(b)have regard, when making such a determination, to the immigration exemption policy document.

(2)The Secretary of State must also—

(a)review the immigration exemption policy document and (if appropriate) update it from time to time;

(b)publish it, and any update to it, in such manner as the Secretary of State considers appropriate.

(3)In this paragraph and paragraph 4B “the relevant UK GDPR provisions” means the provisions of the UK GDPR listed in paragraph 4(2).

4B.(1)Where the Secretary of State determines in any particular case that the application of any of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b), the Secretary of State must—U.K.

(a)keep a record of that determination and the reasons for it, and

(b)inform the data subject of that determination.

(2)But the Secretary of State is not required to comply with sub-paragraph (1)(b) if doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).]

5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.U.K.

(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.

(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—

(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

to the extent that the application of those provisions would prevent the controller from making the disclosure.