Data Protection Bill [HL] - Commons Amendments

Part of the debate – in the House of Lords at 7:15 pm on 14th May 2018.

Alert me about debates like this

Moved by Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 176 to 282.

176: Schedule 2, page 138, line 15, at end insert— “( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”

177: Schedule 2, page 139, leave out lines 17 to 27 and insert—“2. The function is designed to protect members of the public against—(a) dishonesty, malpractice or other seriously improper conduct, or(b) unfitness or incompetence.The function is—(a) conferred on a person by an enactment,(b) a function of the Crown, a Minister of the Crown or a government department, or(c) of a public nature, and is exercised in the public interest.”

178: Schedule 2, page 140, line 42, at end insert—“Audit functions7A (1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.(2) The functions are any function that is conferred by an enactment on— (a) the Comptroller and Auditor General;(b) the Auditor General for Scotland;(c) the Auditor General for Wales;(d) the Comptroller and Auditor General for Northern Ireland.”

179: Page 140, line 42, at end insert—“Functions of the Bank of England7B (1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.(2) “Relevant function of the Bank of England” means—(a) a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);(b) a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;(c) a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.”

180: Schedule 2, page 141, line 18, leave out “body” and insert “person”

181: Schedule 2, page 141, line 19, leave out “body” and insert “person”

182: Schedule 2, page 142, line 7, column 2, at end insert—“( ) section 244 of the Investigatory Powers Act 2016;”

183: Schedule 2, page 142, line 37, at end insert—“1A. The Scottish Information Commissioner.By or under—(a) the Freedom of Information (Scotland) Act 2002 (asp 13);(b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);(c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).”

184: Schedule 2, page 143, line 7, leave out “or under any” and insert “an”

185: Schedule 2, page 143, line 7, at end insert—“5A. The Financial Conduct Authority.By or under the Financial Services and Markets Act 2000 or by another enactment.”

186: Schedule 2, page 143, line 22, at end insert—“12. The Charity Commission.By or under—(a) the Charities Act 1992; (b) the Charities Act 2006; (c) the Charities Act 2011.”

187: Schedule 2, page 146, line 22, leave out “16(4)(a) or (b)” and insert “16(4)(a), (b) or (c)”

188: Schedule 2, page 146, line 44, at end insert “, or(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.”

189: Schedule 2, page 149, line 23, leave out “with the date on which” and insert “when”

190: Schedule 2, page 149, line 25, leave out “the date of”

191: Schedule 2, page 150, line 45, at end insert—“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”

192: Schedule 2, page 151, line 1, after “processor)” insert “—(i) Article 34(1) and (4) (communication of personal data breach to the data subject);(ii) ”

193: Schedule 2, pchedule 3, page 160, line 21, leave out “with the day on which” and insert “when”

194: Schedule 2, page 162, line 3, leave out paragraph 16 and insert—“16 (1) This paragraph applies to a record of information which—(a) is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),(b) relates to an individual who is or has been a pupil at the school, and(c) originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).(2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.(3) The schools referred to in sub-paragraph (1)(a) are— (a) a grant-aided school;(b) an independent school.(4) The persons referred to in sub-paragraph (1)(c) are— (a) a teacher at the school;(b) an employee of the Education Authority, other than a teacher at the school;(c) an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;(d) the pupil to whom the record relates;(e) a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).(5) In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).”

195: Schedule 2, page 164, line 7, leave out “with the day on which” and insert “when”

196: Schedule 5, page 170, line 21, leave out “In this paragraph” and insert—“Meaning of “working day”7 In this Schedule”

197: Schedule 6, page 172, line 4, leave out from beginning to end of line 14 and insert— “Subsections (1), (2) and (6) of section 200 of the 2018 Act have effect for the purposes of this Regulation as they have effect for the purposes of that Act but as if the following were omitted—(a) in subsection (1), the reference to subsection (3), and (b) in subsection (6), the words following paragraph (d).””

198: Schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—“(b) in paragraph 2, for “Member States” substitute “The Secretary of State”;(c) after that paragraph insert—“3 The power under paragraph 2 may only be exercised by making regulations under section (Post-review powers to make provision about representation of data subjects) of the 2018 Act.”

199: Schedule 8, page 184, line 32, at end insert—“Safeguarding of children and of individuals at risk3A (1) This condition is met if—(a) the processing is necessary for the purposes of—(i) protecting an individual from neglect or physical, mental or emotional harm, or(ii) protecting the physical, mental or emotional well-being of an individual,(b) the individual is—(i) aged under 18, or(ii) aged 18 or over and at risk,(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and(d) the processing is necessary for reasons of substantial public interest.(2) The reasons mentioned in sub-paragraph (1)(c) are—(a) in the circumstances, consent to the processing cannot be given by the data subject;(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—(a) has needs for care and support,(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”

200: Schedule 10, page 187, line 5, at end insert—“Safeguarding of children and of individuals at risk3A (1) This condition is met if—(a) the processing is necessary for the purposes of—(i) protecting an individual from neglect or physical, mental or emotional harm, or(ii) protecting the physical, mental or emotional well-being of an individual,(b) the individual is—(i) aged under 18, or(ii) aged 18 or over and at risk,(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and(d) the processing is necessary for reasons of substantial public interest.(2) The reasons mentioned in sub-paragraph (1)(c) are—(a) in the circumstances, consent to the processing cannot be given by the data subject; (b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—(a) has needs for care and support,(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”

201: Schedule 11, page 189, line 20, at end insert “, or(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.”

202: Schedule 11, page 190, line 4, leave out “day falls before the day on which” and insert “time falls before”

203: Schedule 11, page 190, line 7, leave out “day” and insert “time”

204: Schedule 11, page 190, line 9, leave out “the date of”

205: Schedule 11, page 190, line 17, leave out “day” and insert “time”

206: Schedule 12, page 193, line 16, after “fees” insert “, charges, penalties”

207: Schedule 13, page 194, line 36, leave out from beginning to end of line 4 on page 195

208: Schedule 13, page 195, line 4, at end insert—“(2) Section 3(14)(b) does not apply to the reference to personal data in sub- paragraph (1)(h).”

209: Schedule 15, page 198, line 13, after “if” insert “a judge of the High Court,”

210: Schedule 15, page 198, line 22, at end insert “or is capable of being viewed using equipment on such premises”

211: Schedule 15, page 198, line 25, after “if” insert “a judge of the High Court,”

212: Schedule 15, page 199, line 34, at end insert—“( ) to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may be evidence of that failure or offence,”

213: Schedule 15, page 199, line 36, after “premises” insert “and of any information capable of being viewed using equipment on the premises”

214: Schedule 15, page 199, line 46, at end insert—“( ) to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may enable the Commissioner to make such a determination,”

215: Schedule 15, page 200, line 2, after “premises” insert “and of any information capable of being viewed using equipment on the premises”

216: Schedule 15, page 200, line 10, at end insert—“( ) For the purposes of this paragraph, a copy of information is in an “appropriate form” if —(a) it can be taken away, and(b) it is visible and legible or it can readily be made visible and legible.”

217: Schedule 15, page 203, line 4, at end insert— “( ) references to a judge of the High Court have effect as if they were references to a judge of the Court of Session,”

218: Schedule 16, page 203, line 26, leave out “with the day after” and insert “when”

219: Schedule 16, page 204, line 10, leave out “with the day on which” and insert “when”

220: Schedule 16, page 205, line 5, leave out “with the day after the day on which” and insert “when”

221: Schedule 16, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”

222: Schedule 17, page 206, line 15, leave out paragraph (a) and insert—“(a) a relevant health record (see paragraph 1A),”

223: Schedule 17, page 206, line 21, at end insert—“Relevant health records1A “Relevant health record” means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.”

224: Schedule 17, page 207, line 12, at end insert—“( ) the Department of Justice in Northern Ireland;”

225: Schedule 17, page 207, line 22, leave out sub-paragraph (iii) and insert—“(iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));”

226: Schedule 17, page 207, line 32, at end insert—“( ) Part 5 of the Police Act 1997,”

227: Schedule 17, page 207, line 42, at end insert—“( ) In relation to the Department of Justice in Northern Ireland, the “relevant functions” are its functions under Part 5 of the Police Act 1997.”

228: Schedule 17, page 207, line 44, after “under” insert “—(a) Part 5 of the Police Act 1997, or(b) ”

229: Schedule 17, page 208, line 2, at end insert—“( ) Part 5 of the Police Act 1997,”

230: Schedule 18, page 208, line 25, at end insert—“Registration Service Act 1953 (c. 37)A1 (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.(2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”(3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.Veterinary Surgeons Act 1966 (c. 36)A2 (1) Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.(2) In subsection (8)—(a) omit “personal data protection legislation in the United Kingdom that implements”,(b) for paragraph (a) substitute—“(a) the GDPR; and”, and(c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.(3) In subsection (9), after “section” insert “—“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

231: Schedule 18, page 208, line 31, leave out “162” and insert “(Applications in respect of urgent notices)”

232: Schedule 18, page 209, line 9, leave out “162” and insert “(Applications in respect of urgent notices)”

233: Schedule 18, page 209, line 24, leave out “162” and insert “(Applications in respect of urgent notices)”

234: Schedule 18, page 210, line 4, at end insert—“Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))8A The Pharmacy (Northern Ireland) Order 1976 is amended as follows.8B In article 2(2) (interpretation), omit the definition of “Directive 95/46/ EC”.8C In article 8D (European professional card), after paragraph (3) insert—“(4) In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”8D In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—“(za) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.8E (1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “the GDPR”.(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).8F (1) The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.8G (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.(2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”. (3) For sub-paragraph (3) substitute—“(3) In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”(4) After sub-paragraph (4) insert—“(5) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”Representation of the People Act 1983 (c. 2)8H (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.(2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”. (3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.(4) In paragraph 11A—(a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and(b) omit sub-paragraph (2).”

235: Schedule 18, page 210, leave out lines 5 to 39 and insert—“Medical Act 1983 (c. 54)9 The Medical Act 1983 is amended as follows.10 (1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”. (3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) In subsection (9), at the end insert—““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”11 (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”. (3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) In subsection (7), at the end insert—““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”12 In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.13 In section 55(1) (interpretation), omit the definition of “Directive 95/46/ EC”.13A (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.(2) In sub-paragraph (2)(a), after “enactment” insert “or the GPDR”. (3) After sub-paragraph (3) insert—“(4) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”13B (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.(2) In sub-paragraph (8), after “enactment” insert “or the GDPR”. (3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”(4) After sub-paragraph (13) insert— “(14) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”13C (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.”

236: Schedule 18, page 211, line 18, leave out from “GDPR”” to “(see” in line 19 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

237: Schedule 18, page 211, line 20, at end insert—“15A In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

238: Schedule 18, page 211, line 39, leave out from “GDPR”” to “(see” in line 40 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

239: Schedule 18, page 211, line 41, at the end insert—“16A In section 53(1) (interpretation), omit the definition of “Directive 95/46/ EC”.16B (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.Companies Act 1985 (c. 6)16C In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.”

240: Schedule 18, page 212, line 16, leave out from “GDPR”” to “(see” in line 17 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

241: Schedule 18, page 212, line 18, at end insert—“Access to Health Records Act 1990 (c. 23)18A The Access to Health Records Act 1990 is amended as follows.18B For section 2 substitute—“2 Health professionalsIn this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”18C (1) Section 3 (right of access to health records) is amended as follows. (2) In subsection (2), omit “Subject to subsection (4) below,”.(3) In subsection (4), omit from “other than the following” to the end.”

242: Schedule 18, page 213, line 2, at end insert—“Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))21A (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.(2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”. (3) After paragraph (6) insert—“(7) In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

243: Schedule 18, page 213, line 7, leave out “162” and insert “(Applications in respect of urgent notices)”

244: Schedule 18, page 213, line 20, at end insert “, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments)”

245: Schedule 18, page 216, line 10, leave out from “data”” to “(see” in line 11 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

246: Schedule 18, page 219, line 15, leave out from “GDPR”” to “(see” in line 16 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

247: Schedule 18, page 220, line 7, at end insert—“Enterprise Act 2002 (c. 40)64A (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.(2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

248: Schedule 18, page 220, line 13, leave out “162” and insert “(Applications in respect of urgent notices)”

249: Schedule 18, page 221, line 21, leave out from “data”” to “(see” in line 22 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

250: Schedule 18, page 222, line 21, at end insert—“Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)75A (1) Section 279 of the Mental Health Care and Treatment (Scotland) Act 2003 (information for research) is amended as follows.(2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.(3) After subsection (9) insert—“(10) In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).””

251: Schedule 18, page 222, line 29, at end insert—“Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)76A The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.76B (1) Section 15A (disclosure of information by tax authorities) is amended as follows.(2) In subsection (2)—(a) omit “within the meaning of the Data Protection Act 1998”, and(b) for “that Act” substitute “the data protection legislation”. (3) After subsection (7) insert—“(8) In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act); “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”76C (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows. (2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (7) insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

252: Schedule 18, page 223, line 35, leave out “162” and insert “(Applications in respect of urgent notices)”

253: Schedule 18, page 224, line 32, leave out “162” and insert “(Applications in respect of urgent notices)”

254: Schedule 18, page 225, line 10, at end insert—“88A(1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

255: Schedule 18, page 225, line 28, at end insert—“Companies Act 2006 (c. 46)92A The Companies Act 2006 is amended as follows.92B In section 458(2) (disclosure of information by tax authorities)—(a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and(b) for “that Act” substitute “the data protection legislation”.92C In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.92D In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.92E In section 1173(1) (minor definitions: general), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.92F In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.92G In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.92H In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.92I In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—“the data protection legislationsection 1261(1)”.92J In Schedule 8 (index of defined expressions: general), at the appropriate place insert—“the data protection legislationsection 1173(1)”.”

256: Schedule 18, page 225, line 38, at end insert—“96A(1) Section 45 (information held by HMRC) is amended as follows.(2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.(3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.”

257: Schedule 18, page 226, line 27, leave out sub-paragraph (2) and insert — “( ) In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

258: Schedule 18, page 230, line 16, at end insert—“Coroners and Justice Act 2009 (c. 25)122A In Schedule 21 of the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).”

259: Schedule 18, page 231, line 29, leave out “162” and insert “(Applications in respect of urgent notices)”

260: Schedule 18, page 231, line 33, leave out “162” and insert “(Applications in respect of urgent notices)”

261: Schedule 18, page 232, line 39, after “after “” insert “this”

262: Schedule 18, page 238, line 40, leave out “162” and insert “(Applications in respect of urgent notices)”

263: Schedule 18, page 239, line 38, leave out “162” and insert “(Applications in respect of urgent notices)”

264: Schedule 18, page 241, line 12, leave out sub-paragraph (2) and insert —“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

265: Schedule 18, page 241, line 26, leave out sub-paragraph (2) and insert —“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

266: Schedule 18, page 242, line 1, leave out sub-paragraph (2) and insert —“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

267: Schedule 18, page 242, line 16, leave out sub-paragraph (2) and insert —“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

268: Schedule 18, page 242, line 40, at end insert—“Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2) 186A(1) Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.(2) In the English language text—(a) in subsection (9), omit from “and in this subsection” to the end, and(b) after subsection (9) insert—“(9A) In subsection (9)—“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”(3) In the Welsh language text—(a) in subsection (9), omit from “ac yn yr is-adran hon” to the end, and(b) after subsection (9) insert—“(9A) Yn is-adran (9)—mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno);mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o’r Ddeddf honno.”

269: Schedule 18, page 243, line 14, at end insert—“Estate Agents (Specific Offences) (No. 2) Order 1991 (S.I. 1991/1091)187A In the table in the Schedule to the Estate Agents (Specified Offences) (No.2) Order 1991 (specified offences), at the end insert—“Data Protection Act 2018Section 145 Section (Destroying or falsifying information and documents etc)False statements made in response to an information noticeDestroying or falsifying information and documents etc””

270: Schedule 18, page 243, line 22, after “controller”,” insert—“(ba) after “in the context of” insert “the activities of”,”

271: Schedule 18, page 243, line 27, after “controller”,” insert—“(ba) after “in the context of” insert “the activities of”,”

272: Schedule 18, page 243, line 28, at end insert—“Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))188A The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.188B In Article 4 (health professionals), for paragraph (1) substitute—“(1) In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”188C In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)188D In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—“(2) For the purposes of section 200 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).(3) For the purposes of section 200 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)188E The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.188F(1) Regulation 2(1) (interpretation) is amended as follows. (2) Omit the definition of “Directive 95/46/EC”.(3) At the appropriate place insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.188G(1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”. Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)188H For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—“7 Data Protection Act 2018(1) The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.(2) The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),(b) section 202 (application to the Crown),(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).(3) In the provisions mentioned in paragraph (4)—(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and(b) references to a person in the service of the Crown are to be treated as including a person so employed.(4) The provisions are—(a) section 24(3) (exemption for certain data relating to employment under the Crown), and(b) section 202(6) (application of certain provisions to a person in the service of the Crown).(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)188I For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—“9 Data Protection Act 2018(1) The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.(2) The Commission is to be treated as a government department for the purposes of the following provisions—(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),(b) section 202 (application to the Crown),(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).(3) In the provisions mentioned in paragraph (4)—(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and(b) references to a person in the service of the Crown are to be treated as including a person so employed.(4) The provisions are—(a) section 24(3) (exemption for certain data relating to employment under the Crown), and(b) section 202(6) (application of certain provisions to a person in the service of the Crown).(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).” Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)188J The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I.2000/185)188K The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)188L The Data Protection (Functions of Designated Authority) Order 2000 is revoked.Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)188M The Data Protection (International Co-operation) Order 2000 is revoked.Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)188N The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)188O In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)188P The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)188Q The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)188R The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)188S The Data Protection (Crown Appointments) Order 2000 is revoked.Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)188T The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)188U The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)188V The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)188W The Representation of the People (England and Wales) Regulations 2001 are amended as follows.188X In regulation 3(1) (interpretation), at the appropriate places insert— ““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”. 188Y In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.188Z In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.188AA In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.188AB In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—“(a) Article 89 GDPR purposes;”.188AC(1)Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.(2) After sub-paragraph (b) insert—“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”(3) Omit sub-paragraphs (c) and (d).188AD In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.188AE In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AF In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AG In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AH In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AI In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—“(i) Article 89 GDPR purposes;”.Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)188AJ The Representation of the People (Scotland) Regulations 2001 are amended as follows.188AK In regulation 3(1) (interpretation), at the appropriate places, insert— ““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.188AL In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.188AM In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”. 188AN In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.188AO In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—“(a) Article 89 GDPR purposes;”.188AP In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—“(a) Article 89 GDPR purposes;”.188AQ(1)Regulation 92(2) (interpretation of Part VI etc) is amended as follows. (2) After sub-paragraph (b) insert—“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”(3) Omit sub-paragraphs (c) and (d).188AR In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.188AS In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AT In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AU In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.188AV In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—“(i) Article 89 GDPR purposes;”.Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)188AW(1)Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.(2) In paragraph (2B), for sub-paragraph (a) substitute—“(a) the disclosure is made in accordance with Chapter V of the GDPR;”.(3) After paragraph (5) insert—“(6) In this article, “the GDPR” has the same meaning as in Parts 5 to7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”Nursing and Midwifery Order 2001 (S.I. 2002/253)188AX The Nursing and Midwifery Order 2001 is amended as follows.188AY(1)Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.(2) In paragraph (18), after “enactment” insert “or the GDPR”. (3) After paragraph (18) insert—“(19) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”188AZ(1)Article 25 (the Council’s power to require disclosure of information) is amended as follows.(2) In paragraph (3), after “enactment” insert “or the GDPR”. (3) In paragraph (6)—(a) for “paragraph (5),” substitute “paragraph (3)—”, and (b) at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”188BA In article 39B (European professional card), after paragraph (2) insert— “(3) For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”188BB In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.188BC(1)Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.(2) In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).188BD(1)The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.188BE In Schedule 4 (interpretation), omit the definition of “Directive 95/46/ EC”.Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)188BF Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.188BG In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.188BH In paragraph (3)—(a) omit the definitions of “Data Protection Directive” and“Telecommunications Data Protection Directive”, and(b) at the appropriate place insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)188BI The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)188BJ The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.188BK In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “the Data Protection Act 2018”.188BL(1)Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that sub-paragraph insert— “(2) In this regulation—“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act); “personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).”(3) Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.”(5) In the heading of that regulation, for “the Data Protection Act 1998” substitute “the data protection legislation”.”

273: Schedule 18, page 244, line 1, at end insert—“(d) for “data controller” substitute “controller”, and(e) after “in the context of” insert “the activities of”.Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)191A The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.191B(1) Regulation 2 (interpretation) is amended as follows. (2) Omit the definition of “the 1998 Act”.(3) At the appropriate place insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.191C(1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.(2) After “any information” insert “to the extent that any of the following conditions are satisfied”.(3) For paragraphs (a) to (c) substitute—“(aa) the pupil to whom the information relates would have no right of access to the information under the GDPR;(ab) the information is personal data described in Article9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.(4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.(5) In paragraph (e), for “that” substitute “the information”.191D In regulation 9 (fees), for paragraph (1) substitute—“(1A) In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.(1B) Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—(a) exceeds the cost of supply, or(b) exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)191E Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.191F(1) Paragraph 74(1) (interpretation) is amended as follows.(2) Omit the definitions of “relevant conditions” and “research purposes”.(3) At the appropriate places insert—““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”. 191G In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)191H In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.”

274: Schedule 18, page 244, line 13, leave out from “GDPR”” to “(see” in line 14 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

275: Schedule 18, page 246, line 31, leave out from “GDPR”” to “(see” in line 32 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

276: Schedule 18, page 247, line 40, at end insert—“Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)199A(1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.(2) In paragraph (1)(b)—(a) for paragraph (iii) (but not the final “, and”) substitute—“(iii) the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and(b) in the words following paragraph (iii), omit “search”. (3) After paragraph (2) insert—“(3) In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)199B The Education (Pupil Information) (England) Regulations 2005 are amended as follows.199C In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.199D(1) Regulation 5 (disclosure of curricular and educational records) is amended as follows.(2) In paragraph (4)—(a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.(3) After paragraph (6) insert—“(7) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.””

277: Schedule 18, page 248, line 37, leave out from “GDPR”” to “(see” in line 38 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

278: Schedule 18, page 249, line 1, at end insert—“Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)200A In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—(a) for the definition of “data protection principles” substitute— ““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and(b) at the appropriate place insert— ““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)200B The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.200C(1) Regulation 39 (sensitive information) is amended as follows. (2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,(b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 34(1) of the Data Protection Act 2018, and(c) section 85(1) of that Act;“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)200D The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)200E(1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows. (2) The existing text becomes sub-paragraph (1).(3) For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)200F In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—“(b) any material used consists of or includes human cells or human DNA,”.National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)200G For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—“5 Data Protection Act 2018(1) The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.(2) The Assembly Commission is to be treated as a government department for the purposes of the following provisions—(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),(b) section 202 (application to the Crown),(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).(3) In the provisions mentioned in paragraph (4)—(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and(b) references to a person in the service of the Crown are to be treated as including a person so employed.(4) The provisions are—(a) section 24(3) (exemption for certain data relating to employment under the Crown), and(b) section 202(6) (application of certain provisions to a person in the service of the Crown).(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))200H In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity)—(a) in the English language text, for paragraph (c) substitute—“(c) any material used consists of or includes human cells or human DNA; and”, and(b) in the Welsh language text, for paragraph (c) substitute—“(c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)200I (1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows. (2) In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.(3) After paragraph (1) insert—“(2) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)200J In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—(a) in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—“(i) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and(b) after paragraph (3) insert—“(4) In this regulation, “the GDPR” means Regulation (EU)2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)200K The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 is amended as follows.200L In regulation 2 (interpretation), at the appropriate place insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.200M In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)200N In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—(a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and(b) after paragraph (3) insert—“(4) In this regulation, “the GDPR” means Regulation (EU)2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)200O In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”. Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))200P The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.200Q In regulation 2(1) (interpretation)—(a) at the appropriate place in the English language text insert— ““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran3(10), (11) a (14) o’r Ddeddf honno);”.200R(1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.(2) In paragraph (7)—(a) in the English language text, at the end insert “or the GDPR”, and(b) in the Welsh language text, at the end insert “neu’r GDPR”.(3) For paragraph (8)—(a) in the English language text substitute—“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and(b) in the Welsh language text substitute—“(8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”200S (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.(2) In paragraph (6)—(a) in the English language text, at the end insert “or the GDPR”, and(b) in the Welsh language text, at the end insert “neu’r GDPR”.(3) For paragraph (7)—(a) in the English language text substitute—“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and(b) in the Welsh language text substitute—“(7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”200T(1) Regulation 29 (occurrence reports) is amended as follows. (2) In paragraph (3)—(a) in the English language text, at the end insert “or the GDPR”, and(b) in the Welsh language text, at the end insert “neu’r GDPR”.(3) For paragraph (4)— (a) in the English language text substitute—“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and(b) in the Welsh language text substitute—“(4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)200U(1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.(2) In paragraph (3)—(a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.(3) After paragraph (3) insert—“(3A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.(3B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”(4) After paragraph (4) insert— “(5) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 34(1) of the Data Protection Act 2018, and(c) section 85(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)200V(1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.(4) In paragraph (c) of that sub-paragraph—(a) omit “or” at the end of sub-paragraph (i), and(b) at the end insert “; or(iii) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice) or section (Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”. (5) After paragraph (c) of that sub-paragraph insert—“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”(6) After sub-paragraph (1) insert—“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”Overseas Companies Regulations 2009 (S.I. 2009/1801)200W(1) Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.(4) In paragraph (c) of that sub-paragraph—(a) omit “or” at the end of sub-paragraph (i), and(b) at the end insert “; or(iii) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice) or section(Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”.(5) After paragraph (c) of that sub-paragraph insert—“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”(6) After sub-paragraph (1) insert—“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)200X The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.Provision of Services Regulations 2009 (S.I. 2009/2999)200Y In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—“(d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”

279: Schedule 18, page 249, line 32, at end insert—“INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)201A(1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a), (b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b). (3) After paragraph (6) insert—“(7) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 34(1) of the Data Protection Act 2018, and(c) section 85(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).(8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)201B The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.201C In regulation 2(2) (interpretation), at the appropriate place insert—““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”201D(1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.(2) In paragraph (7), at the end insert “or the GDPR”.(3) For paragraph (8) substitute—“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”201E(1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.(2) In paragraph (6), at the end insert “or the GDPR”. (3) For paragraph (7) substitute—“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”201F(1) Regulation 29 (occurrence reports) is amended as follows. (2) In paragraph (3), at the end insert “or the GDPR”.(3) For paragraph (4) substitute—“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)201G The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.Pharmacy Order 2010 (S.I. 2010/231)201H The Pharmacy Order 2010 is amended as follows.201I In article 3(1) (interpretation), omit the definition of “Directive 95/46/ EC”.201J (1) Article 9 (inspection and enforcement) is amended as follows.(2) For paragraph (4) substitute—“(4) If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”(3) After paragraph (4) insert—“(5) In this article, “personal data” and references to Schedule 2 to theData Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”201K In article 33A (European professional card), after paragraph (2) insert— “(3) In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”201L(1) Article 49 (disclosure of information: general) is amended as follows. (2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.(3) For paragraph (3) substitute—“(3) In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”(4) After paragraph (5) insert—“(6) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”201M(1) Article 55 (professional performance assessments) is amended as follows.(2) In paragraph (5)(a), after “enactment” insert “or the GDPR”. (3) For paragraph (6) substitute—“(6) In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”(4) After paragraph (8) insert—“(9) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”201N In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—“(aa) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.201O(1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.(3) In paragraph 9 (processing data)—(a) omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and(b) after sub-paragraph (2) insert—“(3) In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”201P(1) The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)201Q The Data Protection (Monetary Penalties) Order 2010 is revoked.National Employment Savings Trust Order 2010 (S.I. 2010/917)201R The National Employment Savings Trust Order 2010 is amended as follows.201S In article 2 (interpretation)—(a) omit the definition of “data” and “personal data”, and(b) at the appropriate place insert—““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”201T(1) Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.(2) In paragraph (1)—(a) for “disclosure of data” substitute “disclosure of information”, and(b) for “requested data” substitute “requested information”.(3) In paragraph (2)—(a) for “requested data” substitute “requested information”, (b) for “those data are” substitute “the information is”, and(c) for “receive those data” substitute “receive that information”.(4) In paragraph (3), for “requested data” substitute “requested information”.(5) In paragraph (4), for “requested data” substitute “requested information”.Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)201U(1) Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.(2) In paragraph 1(1) (interpretation and general)—(a) omit the definition of “research purposes”, and(b) at the appropriate places insert—““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.(3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))201V(1) Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.(2) In paragraph (5)— (a) in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—(a) which the head teacher could not lawfully disclose to the pupil under the GDPR, or(b) to which the pupil would have no right of access under the GDPR.”, and(b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—(a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu(b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”(3) After paragraph (5)—(a) in the English language text insert—“(6) In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part2 of the Data Protection Act 2018.”, and(b) in the Welsh language text insert—“(6) Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)201W In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)201X The Police and Crime Commissioner Elections Order 2012 is amended as follows.201Y(1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.(2) In paragraph 20 (absent voter lists: supply of copies etc)—(a) in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and(b) after sub-paragraph (10) insert—“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and(b) after that sub-paragraph insert—“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”201Z(1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows. (2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).(3) In paragraph 5 (restriction on use of documents or of information contained in them)—(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and(b) after sub-paragraph (4) insert—“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)201AA The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)201AB Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.201AC(1)Paragraph 29(1) (interpretation of Part 8) is amended as follows.(2) At the appropriate places insert—““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.(3) For the definition of “relevant conditions” substitute—““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.(4) Omit the definition of “research purposes”.201AD In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.201AE In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.201AF In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.201AG In paragraph 39(8) and (9) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.201AH In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—“(a) Article 89 GDPR purposes (as defined in paragraph 29),”.Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)201AI(1)Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows. (2) For paragraph (4) substitute—“(4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”(3) In paragraph (5), after “enactment” insert “or the GDPR”. (4) After paragraph (6) insert—“(7) In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)201AJ(1)Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.(2) The existing text becomes paragraph (1).(3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that paragraph insert—“(2) In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

280: Schedule 18, page 249, line 36, at end insert—“Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282) 202A The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.”

281: Schedule 18, page 250, line 7, at end insert—“Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)204A(1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.(4) In paragraph (c) of that sub-paragraph—(a) omit “or” at the end of sub-paragraph (i), and(b) at the end insert “; or(iii) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice) or section (Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”.(5) After paragraph (c) of that sub-paragraph insert—“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”(6) After sub-paragraph (1) insert—“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018), (ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)204B The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.204C(1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.(2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After paragraph (2) insert—“(3) In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”204D(1) Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.(2) For paragraph (1) substitute—“(1) Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”(3) After paragraph (3) insert—“(4) In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)204E The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.204F(1) Regulation 2(1) (interpretation) is amended as follows. (2) Omit the definition of “Directive 95/46/EC”.(3) At the appropriate place insert—““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.204G In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.204H In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.204I In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.204J In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).204K In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)204L The Scottish Parliament (Elections etc) Order 2015 is amended as follows.204M(1) Schedule 3 (absent voting) is amended as follows.(2) In paragraph 16 (absent voting lists: supply of copies etc)—(a) in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and(b) after sub-paragraph (10) insert— “(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”(3) In paragraph 20 (restriction on use of absent voting lists)—(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and(b) after that sub-paragraph insert—“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”204N(1) Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).(3) In paragraph 5 (restriction on use of documents or of information contained in them)—(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and(b) after sub-paragraph (4) insert—“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)204O In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.Register of People with Significant Control Regulations 2016 (S.I. 2016/339)204P Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.204Q(1) Paragraph 6 (disclosure to a credit reference agency) is amended as follows.(2) In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.(3) In sub-paragraph (c)—(a) omit “or” at the end of paragraph (ii), and(b) at the end insert—“(iv) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice); or(v) section (Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”(4) After sub-paragraph (c) insert—“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”204R In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—“(b) for the purposes of ensuring that it complies with its data protection obligations.” 204S (1) In Part 3 (interpretation), after paragraph 13 insert—“14 In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—(a) where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);(b) where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)204T The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.204U In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.204V In regulation 3(3) (supervision), omit “under the 1998 Act”.204W For Schedule 2 substitute—“SCHEDULE 2INFORMATION COMMISSIONER’S ENFORCEMENT POWERSProvisions applied for enforcement purposes1 For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 24—(a) section 140 (publication by the Commissioner); (b) section 141 (notices from the Commissioner); (c) section 143 (information notices);(d) section 144 (information notices: restrictions);(e) section 145 (false statements made in response to an information notice);(f) section (Information orders) (information orders); (g) section 146 (assessment notices);(h) section (Destroying or falsifying information and documents etc) (destroying or falsifying information and documents etc);(i) section 147 (assessment notices: restrictions); (j) section 148 (enforcement notices);(k) section 149 (enforcement notices: supplementary); (l) section 151 (enforcement notices: restrictions);(m) section 152 (enforcement notices: cancellation and variation);(n) section 153 and Schedule 15 (powers of entry and inspection);(o) section 154 and Schedule 16 (penalty notices); (p) section 155(4)(a) (penalty notices: restrictions); (q) section 156 (maximum amount of penalty);(r) section 158 (amount of penalties: supplementary); (s) section 159 (guidance about regulatory action);(t) section 160 (approval of first guidance about regulatory action);(u) section (Applications in respect of urgent notices) (applications in respect of urgent notices);(v) section 177 (jurisdiction);”(w) section 161 (rights of appeal);(x) section 162 (determination of appeals);(y) section 179(1), (2), (5), (7) and (12) (regulations and consultation);(z) section 189 (penalties for offences); (z1) section 190 (prosecution);(z2) section 195 (proceedings in the First-tier Tribunal: contempt); (z3) section 196 (Tribunal Procedure Rules).General modification of references to the Data Protection Act 20182 The provisions listed in paragraph 1 have effect as if—(a) references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;(b) references to a particular provision of that Act were references to that provision as applied by these Regulations.Modification of section 143 (information notices)3 (1) Section 143 has effect as if subsections (9) and (10) were omitted.(2) In that section, subsection (1) has effect as if— (a) in paragraph (a)—(i) for “controller or processor” there were substituted “trust service provider”;(ii) for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;(b) paragraph (b) were omitted.(3) In that section, subsection (2) has effect as if paragraph (a) were omitted.Modification of section 144 (information notices: restrictions)4 (1) Section 144 has effect as if subsections (1) and (9) were omitted. (2) In that section—(a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;(b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 145 or (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15”;(c) subsection (8) has effect as if for “this Act (other than an offence under section 145)” there were substituted “section (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15”.Modification of section (Information orders) (information orders)5 Section (Information orders)(2)(b) has effect as if for “section 143(2)(b)” there were substituted “section 143(2)”.Modification of section 146 (assessment notices)6 (1) Section 146 has effect as if subsection (10) were omitted. (2) In that section—(a) subsection (1) has effect as if—(i) for “controller or processor” (in both places) there were substituted “trust service provider”;(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”;(b) subsection (2) has effect as if paragraphs (g) and (h) were omitted;(c) subsections (7), (8), (8A) and (9) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider;(d) subsection (8A)(a) has effect as if for “as described in section 148(2) or that an offence under this Act” there were substituted “to comply with the eIDAS requirements or that an offence under section 145 or (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15”.Modification of section 147(assessment notices: restrictions)7 (1) Section 147 has effect as if subsections (5) and (6) were omitted. (2) In that section, subsections (2)(b) and (3)(b) have effect as if for“the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.Modification of section 148 (enforcement notices) 8 (1) Section 148 has effect as if subsections (2) to (5) and (7) to (9) were omitted.(2) In that section—(a) subsection (1) has effect as if— (i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;(ii) for “sections 149 and 150” there were substituted “section 149”;(b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.Modification of section 149 (enforcement notices: supplementary)9 (1) Section 149 has effect as if subsection (3) were omitted.(2) In that section, subsection (2) has effect as if the words “in reliance on section 148(2)” and “or distress” were omitted.Modification of section 151 (enforcement notices: restrictions)10 Section 151 has effect as if subsections (1), (2) and (4) were omitted.Withdrawal notices11 The provisions listed in paragraph 1 have effect as if after section 152 there were inserted—“Withdrawal notices152A Withdrawal notices(1) The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—(a) the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and(b) the condition in subsection (2) or (3) is met.(2) The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.(3) The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—(a) the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and(b) the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.(4) A withdrawal notice must—(a) state when the withdrawal takes effect, and(b) provide information about the rights of appeal under section 161.”Modification of Schedule 15 (powers of entry and inspection)12 (1) Schedule 15 has effect as if paragraph 3 were omitted.(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—“(a) there are reasonable grounds for suspecting that—(i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or(ii) an offence under section 145 or (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15 has been or is being committed,”.(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—(a) in sub-paragraph (1) and (2), for “controller or processor” there were substituted “trust service provider”;(b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—(a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;(b) in sub-paragraph (2)(c)—(i) for “controller or processor” there were substituted “trust service provider”; (ii) for “as described in section 148(2)” there were substituted “to comply with the eIDAS requirements”;(c) in sub-paragraph (3)(a) and (c)—(i) for “controller or processor” there were substituted “trust service provider”;(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”.(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.Modification of section 154 (penalty notices)13 (1) Section 154 has effect as if subsections (1)(a), (2)(a), (3)(g), (3A) and (5) to (7) were omitted.(2) Subsection (2) of that section has effect as if—(a) the words “Subject to subsection (3A),” were omitted; (b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.(3) Subsection (3) of that section has effect as if—(a) for “controller or processor”, in each place, there were substituted “trust services provider”;(b) in paragraph (c), the words “or distress” were omitted; (c) in paragraph (c), for “data subjects” there were substituted “relying parties”;(d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.Modification of Schedule 16 (penalties)14 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.Modification of section 156 (maximum amount of penalty)15 Section 156 has effect as if subsections (1) to (3) and (6) were omitted.Modification of section 158 (amount of penalties: supplementary)16 Section 158 has effect as if—(a) in subsection (1), the words “Article 83 of the GDPRand” were omitted;(b) in subsection (2), the words “Article 83 of the GDPR”and “and section 157” were omitted.Modification of section 159 (guidance about regulatory action)17 (1) Section 159 has effect as if subsections (4) and (10) were omitted.(2) In that section, subsection (3)(e) has effect as if for “controllers and processors” there were substituted “trust service providers”.Modification of section 161 (rights of appeal)18 (1) Section 161 has effect as if subsection (5) were omitted.(2) In that section, subsection (1) has effect as if, after paragraph(c), there were inserted—“(ca) a withdrawal notice;”.Modification of section 162 (determination of appeals)19 Section 162 has effect as if subsection (7) were omitted.Modification of section 177 (jurisdiction)20 (1) Section 177 has effect as if subsections (2)(c) and (d) and (3) were omitted.(2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.Modification of section 179 (regulations and consultation)21 Section 179 has effect as if subsections (3), (4), (6), (8) to (11) and (13) were omitted.Modification of section 189 (penalties for offences)22 (1) Section 189 has effect as if subsections (3) to (5) were omitted. (2) In that section—(a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted; (b) subsection (2) has effect as if for “section 132, 145, (Destroying or falsifying information and documents etc), 170, 171 or 181” there were substituted “section 145 or (Destroying or falsifying information and documents etc)”.Modification of section 190 (prosecution)23 Section 190 has effect as if subsections (3) to (6) were omitted.Modification of section 195 (proceedings in the First-tier Tribunal: contempt)24 Section 195 has effect as if in subsection (1)(a), for sub- paragraphs (i) and (ii) there were substituted “on an appeal under section 161”.Modification of section 196 (Tribunal Procedure Rules)25 Section 196 has effect as if—(a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 161”;(b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.Approval of first guidance about regulatory action26 (1) This paragraph applies if the first guidance produced under section 159(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).(2) Section 160 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).(3) Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.(4) Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.Interpretation27 In this Schedule—“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;“the EITSET Regulations” means these Regulations; “withdrawal notice” has the meaning given in section 146A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)204X The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.204Y In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—(a) Article 5(1) of the GDPR, and(b) section 34(1) of the Data Protection Act 2018.”204Z In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—(a) Article 5(1) of the GDPR, and(b) section 34(1) of the Data Protection Act 2018.”Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)204AA The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.204AB In regulation 3(1) (interpretation), at the appropriate places insert— ““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of thatAct);”;““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”. 204AC In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “— (a) the Data Protection Act 2018 or any other enactment, or(b) the GDPR.”204AD In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—(a) the Data Protection Act 2018 or any other enactment, or(b) the GDPR.”204AE For regulation 40(9)(c) (record keeping) substitute—“(c) “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);(d) “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”204AF(1)Regulation 41 (data protection) is amended as follows. (2) Omit paragraph (2).(3) In paragraph (3)(a), after “Regulations” insert “or the GDPR”. (4) Omit paragraphs (4) and (5).(5) After those paragraphs insert—“(6) Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—(a) for the purposes of preventing money laundering or terrorist financing, or(b) as permitted under paragraph (3).(7) In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.(8) In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 9, 10 and 10A of that Schedule).(9) In this regulation—“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”204AG(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.(2) In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) For paragraph (11) substitute—“(11) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”204AH(1)Regulation 85 (publication: the Commissioners) is amended as follows.(2) In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) For paragraph (10) substitute—“(10) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).” 204AI For regulation 106(a) (general restrictions) substitute—“(a) a disclosure in contravention of the data protection legislation; or”.204AJ After paragraph 27 of Schedule 3 (relevant offences) insert—“27A An offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I.2017/694)204AK(1)Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) For paragraph (b) of that sub-paragraph substitute—“(b) for the purposes of ensuring that it complies with its data protection obligations.”(4) After sub-paragraph (1) insert—“(2) In this paragraph, “data protection obligations”, in relation to a relevant institution, means—(a) where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);(b) where the institution carries on business in a EEA State other than the United Kingdom, obligations under—(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)204AL In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—““data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)204AM The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.204AN(1)Regulation 1 (citation and commencement) is amended as follows. (2) In paragraph (2), omit “Subject to paragraph (3),”.(3) Omit paragraph (3).204AO In regulation 3(1) (interpretation)—(a) omit the definition of “the 1998 Act”, (b) at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and(c) omit the definition of “GDPR”.204AP(1)Schedule 6 (other contractual terms) is amended as follows.(2) In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”(3) For paragraph 64 (meaning of data controller etc.) substitute—“Meaning of controller etc.64A For the purposes of this Part— “controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);“data protection officer” means a person designated as a data protection officer under the data protection legislation;“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”(4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.(5) In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—(i) the data protection legislation, and(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.(6) In paragraph 94(4) (variation of a contract: general)— (a) omit paragraph (b), and(b) after paragraph (d) (but before the final “and”) insert—“(da) the data protection legislation;(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)204AQ The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.204AR(1)Regulation 1 (citation and commencement) is amended as follows. (2) In paragraph (2), omit “Subject to paragraph (3),”.(3) Omit paragraph (3).204AS In regulation 3(1) (interpretation)—(a) omit the definition of “the 1998 Act”, and(b) at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and(c) omit the definition of “GDPR”.204AT(1)Schedule 1 (content of agreements) is amended as follows. (2) In paragraph 34 (interpretation)—(a) in sub-paragraph (1)—(i) omit “Subject to sub-paragraph (3),”, (ii) before paragraph (a) insert—“(za) “controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act2018 (see section 3(6) and (14) of that Act);(zb) “data protection officer” means a person designated as a data protection officer under the data protection legislation;”, and(iii) for paragraph (d) substitute—“(e) “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”,(b) omit sub-paragraphs (2) and (3),(c) in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and(d) in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.(3) In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—(i) the data protection legislation, and(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”. (4) In paragraph 61(3) (variation of agreement: general)— (a) omit paragraph (b), and(b) after paragraph (d) (but before the final “and”) insert—“(da) the data protection legislation;(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.PART 3MODIFICATIONSIntroduction204AU(1)Unless the context otherwise requires, legislation described in sub- paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.(2) That legislation is—(a) subordinate legislation made before the day on which this Part of this Schedule comes into force;(b) primary legislation that is passed or made before the end of the Session in which this Act is passed.(3) In this Part of this Schedule—“primary legislation” has the meaning given in section 204(7); “references” includes any references, however expressed.General modifications204AV(1)References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.(2) Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.(3) References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.Specific modification of references to terms used in the Data Protection Act 1998204AW(1)References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).(2) References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).(3) References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).(4) References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).(5) References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—(a) Article 5(1) of the GDPR and the applied GDPR, and(b) sections 34(1) and 85(1) of this Act.(6) References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 123 of this Act.(7) References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 197 of this Act.(8) References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 198 of this Act. PART 4SUPPLEMENTARYDefinitions204AX Section 3(14) does not apply to this Schedule.”

282: After Schedule 18, insert the following new Schedule—“TRANSITIONAL PROVISION ETCPART 1GENERALInterpretation1 (1) In this Schedule—“the 1984 Act” means the Data Protection Act 1984; “the 1998 Act” means the Data Protection Act 1998;“the 2014 Regulations” means the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141);“data controller” has the same meaning as in the 1998 Act (see section 1 of that Act);“the old data protection principles” means the principles set out in—(a) Part 1 of Schedule 1 to the 1998 Act, and(b) regulation 30 of the 2014 Regulations.(2) A provision of the 1998 Act that has effect by virtue of this Schedule is not, by virtue of that, part of the data protection legislation (as defined in section 3).PART 2RIGHTS OF DATA SUBJECTSRight of access to personal data under the 1998 Act2 (1) The repeal of sections 7 to 9A of the 1998 Act (right of access to personal data) does not affect the application of those sections after the relevant time in a case in which a data controller received a request under section 7 of that Act (right of access to personal data) before the relevant time.(2) The repeal of sections 7 and 8 of the 1998 Act and the revocation of regulation 44 of the 2014 Regulations (which applies those sections with modifications) do not affect the application of those sections and that regulation after the relevant time in a case in which a UK competent authority received a request under section 7 of the 1998 Act (as applied by that regulation) before the relevant time.(3) The revocation of the relevant regulations, or their amendment by Schedule 18 to this Act, and the repeals and revocation mentioned in sub-paragraphs (1) and (2), do not affect the application of the relevant regulations after the relevant time in a case described in those sub- paragraphs.(4) In this paragraph—“the relevant regulations” means—(a) the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191);(b) regulation 4 of, and Schedule 1 to, the Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290);(c) regulation 3 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244);“the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force;“UK competent authority” has the same meaning as in Part 4 of the 2014 Regulations (see regulation 27 of those Regulations).Right to prevent processing likely to cause damage or distress under the 1998 Act3 (1) The repeal of section 10 of the 1998 Act (right to prevent processing likely to cause damage or distress) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.(2) In this paragraph, “the relevant time” means the time when the repeal of section 10 of the 1998 Act comes into force. Right to prevent processing for purposes of direct marketing under the 1998 Act4 (1) The repeal of section 11 of the 1998 Act (right to prevent processing for purposes of direct marketing) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.(2) In this paragraph, “the relevant time” means the time when the repeal of section 11 of the 1998 Act comes into force.Automated processing under the 1998 Act5 (1) The repeal of section 12 of the 1998 Act (rights in relation to automated decision-taking) does not affect the application of that section after the relevant time in relation to a decision taken by a person before that time if—(a) in taking the decision the person failed to comply with section 12(1) of the 1998 Act, or(b) at the relevant time—(i) the person had not taken all of the steps required under section 12(2) or (3) of the 1998 Act, or(ii) the period specified in section 12(2)(b) of the 1998 Act (for an individual to require a person to reconsider a decision) had not expired.(2) In this paragraph, “the relevant time” means the time when the repeal of section 12 of the 1998 Act comes into force.Compensation for contravention of the 1998 Act or Part 4 of the 2014 Regulations6 (1) The repeal of section 13 of the 1998 Act (compensation for failure to comply with certain requirements) does not affect the application of that section after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.(2) The revocation of regulation 45 of the 2014 Regulations (right to compensation) does not affect the application of that regulation after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.(3) “The relevant time” means—(a) in sub-paragraph (1), the time when the repeal of section 13 of the1998 Act comes into force;(b) in sub-paragraph (2), the time when the revocation of regulation 45 of the 2014 Regulation comes into force.Rectification, blocking, erasure and destruction under the 1998 Act7 (1) The repeal of section 14(1) to (3) and (6) of the 1998 Act (rectification, blocking, erasure and destruction of inaccurate personal data) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (1) of that section before the relevant time.(2) The repeal of section 14(4) to (6) of the 1998 Act (rectification, blocking, erasure and destruction: risk of further contravention in circumstances entitling data subject to compensation under section 13 of the 1998 Act) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (4) of that section before the relevant time.(3) In this paragraph, “the relevant time” means the time when the repeal of section 14 of the 1998 Act comes into force.Jurisdiction and procedure under the 1998 Act8 The repeal of section 15 of the 1998 Act (jurisdiction and procedure) does not affect the application of that section in connection with sections 7 to 14 of the 1998 Act as they have effect by virtue of this Schedule.Exemptions under the 1998 Act9 (1) The repeal of Part 4 of the 1998 Act (exemptions) does not affect the application of that Part after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect after that time by virtue of paragraphs 2 to 7 of this Schedule. (2) The revocation of the relevant Orders, and the repeal mentioned in sub- paragraph (1), do not affect the application of the relevant Orders after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect as described in sub-paragraph (1).(3) In this paragraph—“the relevant Orders” means—(a) the Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184);(b) the Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413);(c) the Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414);(d) the Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415);(e) the Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416);(f) Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419);(g) Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864);“the relevant time” means the time when the repeal of the provision of Part 2 of the 1998 Act in question comes into force.(4) As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.Prohibition by this Act of requirement to produce relevant records10 (1) In Schedule 17 to this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.(2) In section 177 of this Act, references to a “relevant record” include a record which does not fall within the definition in Schedule 17 to this Act (read with sub-paragraph (1)) but which, immediately before the relevant time, was a “relevant record” for the purposes of section 56 of the 1998 Act.(3) In this paragraph, “the relevant time” means the time when the repeal of section 56 of the 1998 Act comes into force.Avoidance under this Act of certain contractual terms relating to health records11 In section 178 of this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.PART 3THE GDPR AND PART 2 OF THIS ACTExemptions from the GDPR: restrictions of rules in Articles 13 to 15 of the GDPR12 In paragraph 20(2) of Schedule 2 to this Act (self-incrimination), the reference to an offence under this Act includes an offence under the 1998 Act or the 1984 Act.Manual unstructured data held by FOI public authorities13 Until the first regulations under section 24(8) of this Act come into force, “the appropriate maximum” for the purposes of that section is—(a) where the controller is a public authority listed in Part 1 of Schedule 1 to the Freedom of Information Act 2000, £600, and(b) otherwise, £450.PART 4LAW ENFORCEMENT AND INTELLIGENCE SERVICES PROCESSINGLogging14 (1) In relation to an automated processing system set up before 6 May 2016, subsections (1) to (3) of section 62 of this Act do not apply if and to the extent that compliance with them would involve disproportionate effort. (2) Sub-paragraph (1) ceases to have effect at the beginning of 6 May 2023.Regulation 50 of the 2014 Regulations (disapplication of the 1998 Act)15 Nothing in this Schedule, read with the revocation of regulation 50 of the 2014 Regulations, has the effect of applying a provision of the 1998 Act to the processing of personal data to which Part 4 of the 2014 Regulations applies in a case in which that provision did not apply before the revocation of that regulation.Maximum fee for data subject access requests to intelligence services16 Until the first regulations under section 94(4)(b) of this Act come into force, the maximum amount of a fee that may be required by a controller under that section is £10.PART 5NATIONAL SECURITY CERTIFICATESNational security certificates: processing of personal data under the 1998 Act17 (1) The repeal of section 28(2) to (12) of the 1998 Act does not affect the application of those provisions after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.(2) A certificate issued under section 28(2) of the 1998 Act continues to have effect after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.(3) Where a certificate continues to have effect under sub-paragraph (2) after the relevant time, it may be revoked or quashed in accordance with section 28 of the 1998 Act after the relevant time.(4) In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.National security certificates: processing of personal data under the 2018 Act18 (1) This paragraph applies to a certificate issued under section 28(2) of the1998 Act (an “old certificate”) which has effect immediately before the relevant time.(2) If and to the extent that the old certificate provides protection with respect to personal data which corresponds to protection that could be provided by a certificate issued under section 27, 79 or 111 of this Act, the old certificate also has effect to that extent after the relevant time as if—(a) it were a certificate issued under one or more of sections 27, 79 and 111 (as the case may be),(b) it provided protection in respect of that personal data in relation to the corresponding provisions of this Act or the applied GDPR, and(c) where it has effect as a certificate issued under section 79, it certified that each restriction in question is a necessary and proportionate measure to protect national security.(3) Where an old certificate also has effect as if it were a certificate issued under one or more of sections 27, 79 and 111, that section has, or those sections have, effect accordingly in relation to the certificate.(4) Where an old certificate has an extended effect because of sub-paragraph(2), section 129 of this Act does not apply in relation to it.(5) An old certificate that has an extended effect because of sub-paragraph (2) provides protection only with respect to the processing of personal data that occurs during the period of 1 year beginning with the relevant time (and a Minister of the Crown may curtail that protection by wholly or partly revoking the old certificate).(6) For the purposes of this paragraph—(a) a reference to the protection provided by a certificate issued under—(i) section 28(2) of the 1998 Act, or(ii) section 27, 79 or 111 of this Act,is a reference to the effect of the evidence that is provided by the certificate; (b) protection provided by a certificate under section 28(2) of the 1998 Act is to be regarded as corresponding to protection that could be provided by a certificate under section 27, 79 or 111 of this Act where, in respect of provision in the 1998 Act to which the certificate under section 28(2) relates, there is corresponding provision in this Act or the applied GDPR to which a certificate under section 27, 79 or 111 could relate.(7) In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.PART 6THE INFORMATION COMMISSIONERAppointment etc19 (1) On and after the relevant day, the individual who was the Commissioner immediately before that day—(a) continues to be the Commissioner,(b) is to be treated as having been appointed under Schedule 12 to this Act, and(c) holds office for the period—(i) beginning with the relevant day, and(ii) lasting for 7 years less a period equal to the individual’s pre-commencement term.(2) On and after the relevant day, a resolution passed by the House of Commons for the purposes of paragraph 3 of Schedule 5 to the 1998 Act (salary and pension of Commissioner), and not superseded before that day, is to be treated as having been passed for the purposes of paragraph4 of Schedule 12 to this Act.(3) In this paragraph—“pre-commencement term”, in relation to an individual, means the period during which the individual was the Commissioner before the relevant day;“the relevant day” means the day on which Schedule 12 to this Act comes into force.Accounts20 (1) The repeal of paragraph 10 of Schedule 5 to the 1998 Act does not affect the duties of the Commissioner and the Comptroller and Auditor General under that paragraph in respect of the Commissioner’s statement of account for the financial year beginning with 1 April 2017.(2) The Commissioner’s duty under paragraph 11 of Schedule 12 to this Act to prepare a statement of account for each financial year includes a duty to do so for the financial year beginning with 1 April 2018.Annual report21 (1) The repeal of section 52(1) of the 1998 Act (annual report) does not affect the Commissioner’s duty under that subsection to produce a general report on the exercise of the Commissioner’s functions under the 1998 Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.(2) The repeal of section 49 of the Freedom of Information Act 2000 (annual report) does not affect the Commissioner’s duty under that section to produce a general report on the exercise of the Commissioner’s functions under that Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.(3) The first report produced by the Commissioner under section 138 of this Act must relate to the period of 1 year beginning with 1 April 2018.Fees etc received by the Commissioner22 (1) The repeal of Schedule 5 to the 1998 Act (Information Commissioner) does not affect the application of paragraph 9 of that Schedule after the relevant time to amounts received by the Commissioner before the relevant time.(2) In this paragraph, “the relevant time” means the time when the repeal of Schedule 5 to the 1998 Act comes into force.23 Paragraph 10 of Schedule 12 to this Act applies only to amounts received by the Commissioner after the time when that Schedule comes into force.Functions in connection with the Data Protection Convention24 (1) The repeal of section 54(2) of the 1998 Act (functions to be discharged by the Commissioner for the purposes of Article 13 of the Data Protection Convention), and the revocation of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186), do not affect the application of articles 1 to 5 of that Order after the relevant time in relation to a request described in those articles which was made before that time.(2) The references in paragraph 9 of Schedule 13 to this Act (Data Protection Convention: restrictions on use of information) to requests made or received by the Commissioner under paragraph 6 or 7 of that Schedule include a request made or received by the Commissioner under article 3 or 4 of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186).(3) The repeal of section 54(7) of the 1998 Act (duty to notify the European Commission of certain approvals and authorisations) does not affect the application of that provision after the relevant time in relation to an approval or authorisation granted before the relevant time.(4) In this paragraph, “the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force.Co-operation with the European Commission: transfers of personal data outside the EEA25 (1) The repeal of section 54(3) of the 1998 Act (co-operation by the Commissioner with the European Commission etc), and the revocation of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190), do not affect the application of articles 1 to 4 of that Order after the relevant time in relation to transfers that took place before the relevant time.(2) In this paragraph—“the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force;“transfer” has the meaning given in article 2 of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190).Charges payable to the Commissioner by controllers26 (1) The Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480) have effect after the relevant time (until revoked) as if they were made under section 136 of this Act.(2) In this paragraph, “the relevant time” means the time when section 136 of this Act comes into force.Requests for assessment27 (1) The repeal of section 42 of the 1998 Act (requests for assessment) does not affect the application of that section after the relevant time in a case in which the Commissioner received a request under that section before the relevant time, subject to sub-paragraph (2).(2) The Commissioner is only required to make an assessment of acts and omissions that took place before the relevant time.(3) In this paragraph, “the relevant time” means the time when the repeal of section 42 of the 1998 Act comes into force.Codes of practice28 (1) The repeal of section 52E of the 1998 Act (effect of codes of practice) does not affect the application of that section after the relevant time in relation to legal proceedings or to the exercise of the Commissioner’s functions under the 1998 Act as it has effect by virtue of this Schedule.(2) In section 52E of the 1998 Act, as it has effect by virtue of this paragraph, the references to the 1998 Act include that Act as it has effect by virtue of this Schedule.(3) For the purposes of subsection (3) of that section, as it has effect by virtue of this paragraph, the data-sharing code and direct marketing code in force immediately before the relevant time are to be treated as having continued in force after that time.(4) In this paragraph—“the data-sharing code” and “the direct marketing code” mean the codes respectively prepared under sections 52A and 52AA of the1998 Act and issued under section 52B(5) of that Act;“the relevant time” means the time when the repeal of section 52E of the 1998 Act comes into force. PART 7ENFORCEMENT ETC UNDER THE 1998 ACTInterpretation of this Part29 (1) In this Part of this Schedule, references to contravention of the sixth data protection principle sections are to relevant contravention of any of sections 7, 10, 11 or 12 of the 1998 Act, as they continue to have effect by virtue of this Schedule after their repeal (and references to compliance with the sixth data protection principle sections are to be read accordingly).(2) In sub-paragraph (1), “relevant contravention” means contravention in a manner described in paragraph 8 of Part 2 of Schedule 1 to the 1998 Act (sixth data protection principle).Information notices30 (1) The repeal of section 43 of the 1998 Act (information notices) does not affect the application of that section after the relevant time in a case in which—(a) the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or(b) the Commissioner requires information after the relevant time for the purposes of—(i) responding to a request made under section 42 of the 1998 Act before that time,(ii) determining whether a data controller complied with the old data protection principles before that time, or(iii) determining whether a data controller complied with the sixth data protection principle sections after that time.(2) In section 43 of the 1998 Act, as it has effect by virtue of this paragraph— (a) the reference to an offence under section 47 of the 1998 Act includes an offence under section 143 of this Act, and(b) the references to an offence under the 1998 Act include an offence under this Act.(3) In this paragraph, “the relevant time” means the time when the repeal of section 43 of the 1998 Act comes into force.Special information notices31 (1) The repeal of section 44 of the 1998 Act (special information notices) does not affect the application of that section after the relevant time in a case in which—(a) the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or(b) the Commissioner requires information after the relevant time for the purposes of—(i) responding to a request made under section 42 of the 1998 Act before that time, or(ii) ascertaining whether section 44(2)(a) or (b) of the 1998 Act was satisfied before that time.(2) In section 44 of the 1998 Act, as it has effect by virtue of this paragraph— (a) the reference to an offence under section 47 of the 1998 Act includes an offence under section 143 of this Act, and(b) the references to an offence under the 1998 Act include an offence under this Act.(3) In this paragraph, “the relevant time” means the time when the repeal of section 44 of the 1998 Act comes into force.Assessment notices32 (1) The repeal of sections 41A and 41B of the 1998 Act (assessment notices) does not affect the application of those sections after the relevant time in a case in which—(a) the Commissioner served a notice under section 41A of the 1998 Act before the relevant time (and did not cancel it before that time), or(b) the Commissioner considers it appropriate, after the relevant time, to investigate—(i) whether a data controller complied with the old data protection principles before that time, or(ii) whether a data controller complied with the sixth data protection principle sections after that time. (2) The revocation of the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282), and the repeals mentioned in sub-paragraph (1), do not affect the application of that Order in a case described in sub-paragraph (1).(3) Sub-paragraph (1) does not enable the Secretary of State, after the relevant time, to make an order under section 41A(2)(b) or (c) of the 1998 Act (data controllers on whom an assessment notice may be served) designating a public authority or person for the purposes of that section.(4) Section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1), has effect as if subsections (8) and (11) (duty to review designation orders) were omitted.(5) The repeal of section 41C of the 1998 Act (code of practice about assessment notice) does not affect the application, after the relevant time, of the code issued under that section and in force immediately before the relevant time in relation to the exercise of the Commissioner’s functions under and in connection with section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1).(6) In this paragraph, “the relevant time” means the time when the repeal of section 41A of the 1998 Act comes into force.Enforcement notices33 (1) The repeal of sections 40 and 41 of the 1998 Act (enforcement notices) does not affect the application of those sections after the relevant time in a case in which—(a) the Commissioner served a notice under section 40 of the 1998 Act before the relevant time (and did not cancel it before that time), or(b) the Commissioner is satisfied, after that time, that a data controller —(i) contravened the old data protection principles before that time, or(ii) contravened the sixth data protection principle sections after that time.(2) In this paragraph, “the relevant time” means the time when the repeal of section 40 of the 1998 Act comes into force.Determination by Commissioner as to the special purposes34 (1) The repeal of section 45 of the 1998 Act (determination by Commissioner as to the special purposes) does not affect the application of that section after the relevant time in a case in which—(a) the Commissioner made a determination under that section before the relevant time, or(b) the Commissioner considers it appropriate, after the relevant time, to make a determination under that section.(2) In this paragraph, “the relevant time” means the time when the repeal of section 45 of the 1998 Act comes into force.Restriction on enforcement in case of processing for the special purposes35 (1) The repeal of section 46 of the 1998 Act (restriction on enforcement in case of processing for the special purposes) does not affect the application of that section after the relevant time in relation to an enforcement notice or information notice served under the 1998 Act—(a) before the relevant time, or(b) after the relevant time in reliance on this Schedule.(2) In this paragraph, “the relevant time” means the time when the repeal of section 46 of the 1998 Act comes into force.Offences36 (1) The repeal of sections 47, 60 and 61 of the 1998 Act (offences of failing to comply with certain notices and of providing false information etc in response to a notice) does not affect the application of those sections after the relevant time in connection with an information notice, special information notice or enforcement notice served under Part 5 of the 1998Act—(a) before the relevant time, or(b) after that time in reliance on this Schedule. (2) In this paragraph, “the relevant time” means the time when the repeal of section 47 of the 1998 Act comes into force.Powers of entry37 (1) The repeal of sections 50, 60 and 61 of, and Schedule 9 to, the 1998 Act (powers of entry) does not affect the application of those provisions after the relevant time in a case in which—(a) a warrant issued under that Schedule was in force immediately before the relevant time,(b) before the relevant time, the Commissioner supplied information on oath for the purposes of obtaining a warrant under that Schedule but that had not been considered by a circuit judge or a District Judge (Magistrates’ Courts), or(c) after the relevant time, the Commissioner supplies information on oath to a circuit judge or a District Judge (Magistrates’ Courts) in respect of—(i) a contravention of the old data protection principles before the relevant time;(ii) a contravention of the sixth data protection principle sections after the relevant time;(iii) the commission of an offence under a provision of the1998 Act (including as the provision has effect by virtue of this Schedule);(iv) a failure to comply with a requirement imposed by an assessment notice issued under section 41A the 1998 Act (including as it has effect by virtue of this Schedule).(2) In paragraph 16 of Schedule 9 to the 1998 Act, as it has effect by virtue of this paragraph, the reference to an offence under paragraph 12 of that Schedule includes an offence under paragraph 15 of Schedule 15 to this Act.(3) In this paragraph, “the relevant time” means the time when the repeal of Schedule 9 to the 1998 Act comes into force.(4) Paragraphs 14 and 15 of Schedule 9 to the 1998 Act (application of that Schedule to Scotland and Northern Ireland) apply for the purposes of this paragraph as they apply for the purposes of that Schedule.Monetary penalties38 (1) The repeal of sections 55A, 55B, 55D and 55E of the 1998 Act (monetary penalties) does not affect the application of those provisions after the relevant time in a case in which—(a) the Commissioner served a monetary penalty notice under section 55A of the 1998 Act before the relevant time,(b) the Commissioner served a notice of intent under section 55B of the 1998 Act before the relevant time, or(c) the Commissioner considers it appropriate, after the relevant time, to serve a notice mentioned in paragraph (a) or (b) in respect of—(i) a contravention of section 4(4) of the 1998 Act before the relevant time, or(ii) a contravention of the sixth data protection principle sections after the relevant time.(2) The revocation of the relevant subordinate legislation, and the repeals mentioned in sub-paragraph (1), do not affect the application of the relevant subordinate legislation (or of provisions of the 1998 Act applied by them) after the relevant time in a case described in sub-paragraph (1).(3) Guidance issued under section 55C of the 1998 Act (guidance about monetary penalty notices) which is in force immediately before the relevant time continues in force after that time for the purposes of the Commissioner’s exercise of functions under sections 55A and 55B of the 1998 Act as they have effect by virtue of this paragraph.(4) In this paragraph—“the relevant subordinate legislation” means—(a) the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31);(b) the Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910);“the relevant time” means the time when the repeal of section 55A of the 1998 Act comes into force. Appeals39 (1) The repeal of sections 48 and 49 of the 1998 Act (appeals) does not affect the application of those sections after the relevant time in relation to a notice served under the 1998 Act or a determination made under section 45 of that Act—(a) before the relevant time, or(b) after that time in reliance on this Schedule.(2) In this paragraph, “the relevant time” means the time when the repeal of section 48 of the 1998 Act comes into force.Exemptions40 (1) The repeal of section 28 of the 1998 Act (national security) does not affect the application of that section after the relevant time for the purposes of a provision of Part 5 of the 1998 Act as it has effect after that time by virtue of the preceding paragraphs of this Part of this Schedule.(2) In this paragraph, “the relevant time” means the time when the repeal of the provision of Part 5 of the 1998 Act in question comes into force.(3) As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.Tribunal Procedure Rules41 (1) The repeal of paragraph 7 of Schedule 6 to the 1998 Act (Tribunal Procedure Rules) does not affect the application of that paragraph, or of rules made under that paragraph, after the relevant time in relation to the exercise of rights of appeal conferred by section 28 or 48 of the 1998 Act, as they have effect by virtue of this Schedule.(2) Part 3 of Schedule 18 to this Act does not apply for the purposes of Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act as they apply, after the relevant time, in relation to the exercise of rights of appeal described in sub-paragraph (1).(3) In this paragraph, “the relevant time” means the time when the repeal of paragraph 7 of Schedule 6 to the 1998 Act comes into force.Obstruction etc42 (1) The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission in relation to proceedings under the 1998 Act (including as it has effect by virtue of this Schedule).(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.Enforcement etc under the 2014 Regulations43 (1) The references in the preceding paragraphs of this Part of this Schedule to provisions of the 1998 Act include those provisions as applied, with modifications, by regulation 51 of the 2014 Regulations (other functions of the Commissioner).(2) The revocation of regulation 51 of the 2014 Regulations does not affect the application of those provisions of the 1998 Act (as so applied) as described in those paragraphs.PART 8ENFORCEMENT ETC UNDER THIS ACTInformation notices44 In section 142 of this Act—(a) the reference to an offence under section 143 of this Act includes an offence under section 47 of the 1998 Act (including as it has effect by virtue of this Schedule), and(b) the references to an offence under this Act include an offence under the 1998 Act (including as it has effect by virtue of this Schedule) or the 1984 Act.Powers of entry45 In paragraph 16 of Schedule 15 to this Act (powers of entry: self- incrimination), the reference to an offence under paragraph 15 of that Schedule includes an offence under paragraph 12 of Schedule 9 to the 1998 Act (including as it has effect by virtue of this Schedule). Tribunal Procedure Rules46 (1) Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act (appeal rights under the 1998 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 194 of this Act.(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(a) of Schedule 6 to the 1998 Act comes into force.PART 9OTHER ENACTMENTSPowers to disclose information to the Commissioner47 (1) The following provisions (as amended by Schedule 18 to this Act) have effect after the relevant time as if the matters they refer to included a matter in respect of which the Commissioner could exercise a power conferred by a provision of Part 5 of the 1998 Act, as it has effect by virtue of this Schedule—(a) section 11AA(1)(a) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner);(b) sections 33A(1)(a) and 34O(1)(a) of the Local Government Act1974 (disclosure of information by Local Commissioner);(c) section 18A(1)(a) of the Health Service Commissioners Act 1993 (disclosure of information by Health Service Commissioner);(d) paragraph 1 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11) (disclosure of information by the Ombudsman);(e) section 34X(3)(a) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);(f) section 18(6)(a) of the Commissioner for Older People (Wales) Act 2006 (disclosure of information by the Commissioner);(g) section 22(3)(a) of the Welsh Language (Wales) Measure 2011 (nawm 1) (disclosure of information by the Welsh Language Commissioner);(h) section 49(3)(a) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.)) (disclosure of information by the Ombudsman);(i) section 44(3)(a) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)) (disclosure of information by the Prison Ombudsman for Northern Ireland).(2) The following provisions (as amended by Schedule 18 to this Act) have effect after the relevant time as if the offences they refer to included an offence under any provision of the 1998 Act other than paragraph 12 of Schedule 9 to that Act (obstruction of execution of warrant)—(a) section 11AA(1)(b) of the Parliamentary Commissioner Act 1967; (b) sections 33A(1)(b) and 34O(1)(b) of the Local Government Act 1974;(c) section 18A(1)(b) of the Health Service Commissioners Act 1993; (d) paragraph 2 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11);(e) section 34X(5) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);(f) section 18(8) of the Commissioner for Older People (Wales) Act 2006;(g) section 22(5) of the Welsh Language (Wales) Measure 2011 (nawm 1);(h) section 49(5) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.));(i) section 44(3)(b) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)).(3) In this paragraph, “the relevant time”, in relation to a provision of a section or Schedule listed in sub-paragraph (1) or (2), means the time when the amendment of the section or Schedule by Schedule 18 to this Act comes into force. Codes etc required to be consistent with the Commissioner’s data-sharing code48 (1) This paragraph applies in relation to the code of practice issued under each of the following provisions—(a) section 19AC of the Registration Service Act 1953 (code of practice about disclosure of information by civil registration officials);(b) section 43 of the Digital Economy Act 2017 (code of practice about disclosure of information to improve public service delivery);(c) section 52 of that Act (code of practice about disclosure of information to reduce debt owed to the public sector);(d) section 60 of that Act (code of practice about disclosure of information to combat fraud against the public sector);(e) section 70 of that Act (code of practice about disclosure of information for research purposes).(2) During the relevant period, the code of practice does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 124(4) of this Act (as altered or replaced from time to time).(3) In this paragraph, “the relevant period”, in relation to a code issued under a section mentioned in sub-paragraph (1), means the period—(a) beginning when the amendments of that section in Schedule 18 to this Act come into force, and(b) ending when the code is first reissued under that section.49 (1) This paragraph applies in relation to the original statement published under section 45E of the Statistics and Registration Service Act 2007 (statement of principles and procedures in connection with access to information by the Statistics Board).(2) During the relevant period, the statement does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 124(4) of this Act (as altered or replaced from time to time).(3) In this paragraph, “the relevant period” means the period—(a) beginning when the amendments of section 45E of the Statistics and Registration Service Act 2007 in Schedule 18 to this Act come into force, and(b) ending when the first revised statement is published under that section.Consumer Credit Act 197450 In section 159(1)(a) of the Consumer Credit Act 1974 (correction of wrong information) (as amended by Schedule 18 to this Act), the reference to information given under Article 15(1) to (3) of the GDPR includes information given at any time under section 7 of the 1998 Act.Freedom of Information Act 200051 Paragraphs 52 to 55 make provision about the Freedom of Information Act 2000 (“the 2000 Act”).52 (1) This paragraph applies where a request for information was made to a public authority under the 2000 Act before the relevant time.(2) To the extent that the request is dealt with after the relevant time, the amendments of sections 2 and 40 of the 2000 Act in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2000 Act.(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of sections 2 and 40 of the 2000 Act in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2000 Act, but(b) the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2000 Act as amended by Schedule 18 to this Act. (4) In this paragraph—“public authority” has the same meaning as in the 2000 Act;“the relevant time” means the time when the amendments of sections 2 and 40 of the 2000 Act in Schedule 18 to this Act come into force.53 (1) Tribunal Procedure Rules made under paragraph 7(1)(b) of Schedule 6 to the 1998 Act (appeal rights under the 2000 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 61 of the 2000 Act (as inserted by Schedule 18 to this Act).(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(b) of Schedule 6 to the 1998 Act comes into force.54 (1) The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission before that time in relation to an appeal under the 2000 Act.(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.55 (1) The amendment of section 77 of the 2000 Act in Schedule 18 to this Act (offence of altering etc record with intent to prevent disclosure: omission of reference to section 7 of the 1998 Act) does not affect the application of that section after the relevant time in relation to a case in which—(a) the request for information mentioned in section 77(1) of the 2000 Act was made before the relevant time, and(b) when the request was made, section 77(1)(b) of the 2000 Act was satisfied by virtue of section 7 of the 1998 Act.(2) In this paragraph, “the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force.Freedom of Information (Scotland) Act 200256 (1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 (“the 2002 Act”) before the relevant time.(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of the 2002 Act in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2002 Act, but(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 18 to this Act.(4) In this paragraph—“Scottish public authority” has the same meaning as in the 2002 Act; “the relevant time” means the time when the amendments of the 2002 Act in Schedule 18 to this Act come into force.Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))57 Until the first regulations under Article 5(4)(a) of the Access to Health Records (Northern Ireland) Order 1993 (as amended by Schedule 18 to this Act) come into force, the maximum amount of a fee that may be required for giving access under that Article is £10.Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2450)58 (1) The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the PECR 2003”) (see regulations 2, 31 and 31B of, and Schedule 1 to, those Regulations). (2) Where subordinate legislation made under a provision of the 1998 Act is in force immediately before the repeal of that provision, neither the revocation of the subordinate legislation nor the repeal of the provision of the 1998 Act affect the application of the subordinate legislation for the purposes of the PECR 2003 after that time.(3) Part 3 of Schedule 18 to this Act (modifications) does not have effect in relation to the PECR 2003.(4) Part 7 of this Schedule does not have effect in relation to the provisions of the 1998 Act as applied by the PECR 2003.Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003 (S.I. 2003/431 (N.I. 9))59 Part 3 of Schedule 18 to this Act (modifications) does not have effect in relation to the reference to an accessible record within the meaning of section 68 of the 1998 Act in regulation 43 of the Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003.Environmental Information Regulations 2004 (S.I. 2004/3391)60 (1) This paragraph applies where a request for information was made to a public authority under the Environmental Information Regulations 2004 (“the 2004 Regulations”) before the relevant time.(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Parts 2 and 3 of those Regulations.(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of the 2004 Regulations in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Parts 2 and 3 of those Regulations, but(b) the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with Parts 2 and 3 of those Regulations as amended by Schedule 18 to this Act.(4) In this paragraph—“public authority” has the same meaning as in the 2004 Regulations; “the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 18 to this Act come into force.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)61 (1) This paragraph applies where a request for information was made to a Scottish public authority under the Environmental Information (Scotland) Regulations 2004 (“the 2004 Regulations”) before the relevant time.(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with those Regulations.(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of the 2004 Regulations in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with those Regulations, but(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with those Regulations as amended by Schedule 18 to this Act.(4) In this paragraph—“Scottish public authority” has the same meaning as in the 2004 Regulations;“the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 18 to this Act come into force.”

Motion on Amendments 176 to 282 agreed.