Minor and Consequential Amendments

Data Protection Bill [Lords] – in a Public Bill Committee at 12:00 pm on 22nd March 2018.

Alert me about debates like this

Amendments made: 191, in schedule 18, page 208, line 25, at end insert—

“Registration Service Act 1953 (c. 37)

A1 (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.

(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 122 of the Data Protection Act 2018 (data-sharing code)”.

(3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.

Veterinary Surgeons Act 1966 (c. 36)

A2 (1) Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.

(2) In subsection (8)—

(a) omit “personal data protection legislation in the United Kingdom that implements”,

(b) for paragraph (a) substitute—

“(a) the GDPR; and”, and

(c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.

(3) In subsection (9), after “section” insert “—

“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

This amendment makes consequential amendments to primary legislation.

Amendment 192, in schedule 18, page 210, line 4, at end insert—

“Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))

8A The Pharmacy (Northern Ireland) Order 1976 is amended as follows.

8B In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.

8C In article 8D (European professional card), after paragraph (3) insert—

“(4) In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

8D In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—

“(za) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

8E (1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “the GDPR”.

(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

8F (1) The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

8G (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.

(2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”.

(3) For sub-paragraph (3) substitute—

“(3) In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”

(4) After sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

Representation of the People Act 1983 (c. 2)

8H (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.

(2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.

(3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.

(4) In paragraph 11A—

(a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and

(b) omit sub-paragraph (2).”

This amendment makes consequential amendments to primary legislation.

Amendment 193, in schedule 18, page 210, leave out lines 5 to 39 and insert—

“Medical Act 1983 (c. 54)

9 The Medical Act 1983 is amended as follows.

10 (1) Section 29E (evidence) is amended as follows.

(2) In subsection (5), after “enactment” insert “or the GDPR”.

(3) For subsection (7) substitute—

“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”

(4) In subsection (9), at the end insert—

““the GDPR” and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section3(10), (11) and (14) of that Act).”

11 (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.

(2) In subsection (4), after “enactment” insert “or the GDPR”.

(3) For subsection (5A) substitute—

“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”

(4) In subsection (7), at the end insert—

““the GDPR” and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section3(10), (11) and (14) of that Act).”

12 In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—

“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

13 In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.

13A (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.

(2) In sub-paragraph (2)(a), after “enactment” insert “or the GPDR”.

(3) After sub-paragraph (3) insert—

“(4) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

13B (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.

(2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.

(3) For sub-paragraph (8A) substitute—

“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”

(4) After sub-paragraph (13) insert—

“(14) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

13C (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.”

This amendment replaces the existing consequential amendments of the Medical Act 1983.

Amendment 194, in schedule 18, page 211, line 18, leave out from “GDPR”” to “(see” in line 19 and insert “and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 33B of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 195, in schedule 18, page 211, line 20, at end insert—

15A In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

This amendment makes further consequential amendments to the Dentists Act 1984.

Amendment 196, in schedule 18, page 211, line 39, leave out from “GDPR”” to “(see” in line 40 and insert “and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 36Y of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 197, in schedule 18, page 211, line 41, at end insert—

16A In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.

16B (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Companies Act 1985 (c. 6)

16C In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.”

This amendment makes consequential amendments to primary legislation, including further consequential amendments to the Dentists Act 1984.

Amendment 198, in schedule 18, page 212, line 16, leave out from “GDPR”” to “(see” in line 17 and insert “and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 13B of the Opticians Act 1989 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 199, in schedule 18, page 212, line 18, at end insert—

“Access to Health Records Act 1990 (c. 23)

18A The Access to Health Records Act 1990 is amended as follows.

18B For section 2 substitute—

“2 Health professionals

In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”

18C (1) Section 3 (right of access to health records) is amended as follows.

(2) In subsection (2), omit “Subject to subsection (4) below,”.

(3) In subsection (4), omit from “other than the following” to the end.”

This amendment makes consequential amendments to the Access to Health Records Act 1990.

Amendment 200, in schedule 18, page 213, line 2, at end insert—

“Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))

21A (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.

(2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After paragraph (6) insert—

“(7) In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to the Industrial Relations (Northern Ireland) Order 1992.

Amendment 201, in schedule 18, page 216, line 10, leave out from “data”” to “(see” in line 11 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 40 of the Freedom of Information Act 2000 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 202, in schedule 18, page 219, line 15, leave out from “GDPR”” to “(see” in line 16 and insert “and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 203, in schedule 18, page 220, line 7, at end insert—

“Enterprise Act 2002 (c. 40)

64A (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.

(2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

(3) After subsection (6) insert—

“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to the Enterprise Act 2002.

Amendment 204, in schedule 18, page 221, line 21, leave out from “data”” to “(see” in line 22 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 38 of the Freedom of Information (Scotland) Act 2002 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 205, in schedule 18, page 222, line 21, at end insert—

“Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)

75A (1) Section 279 of the Mental Health Care and Treatment (Scotland) Act 2003 (information for research) is amended as follows.

(2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.

(3) After subsection (9) insert—

“(10) In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).””

This amendment makes consequential amendments to the Mental Health (Care and Treatment) (Scotland) Act 2003.

Amendment 206, in schedule 18, page 222, line 29, at end insert—

“Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)

76A The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.

76B (1) Section 15A (disclosure of information by tax authorities) is amended as follows.

(2) In subsection (2)—

(a) omit “within the meaning of the Data Protection Act 1998”, and

(b) for “that Act” substitute “the data protection legislation”.

(3) After subsection (7) insert—

“(8) In this section—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section3(2) and (14) of that Act).”

76C (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.

(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After subsection (7) insert—

“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to the Companies (Audit, Investigations and Community Enterprise) Act 2004.

Amendment 207, in schedule 18, page 225, line 10, at end insert—

88A (1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.

(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After subsection (3) insert—

(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes further consequential amendments to the National Health Service Act 2006.

Amendment 208, in schedule 18, page 225, line 28 at end insert—

“Companies Act 2006 (c. 46)

92A The Companies Act 2006 is amended as follows.

92B In section 458(2) (disclosure of information by tax authorities)—

(a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and

(b) for “that Act” substitute “the data protection legislation”.

92C In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

92D In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

92E In section 1173(1) (minor definitions: general), at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section3 of that Act);”.

92F In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.

92G In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.

92H In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section3 of that Act);”.

92I In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—

“the data protection legislation

section 1261(1)”.

92J In Schedule 8 (index of defined expressions: general), at the appropriate place insert—

“the data protection legislation

section 1173(1)”.”

This amendment makes consequential amendments to the Companies Act 2006.

Amendment 209, in schedule 18, page 225, line 38, at end insert—

96A (1) Section 45 (information held by HMRC) is amended as follows.

(2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.

(3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.”

This amendment makes further consequential amendments to the Statistics and Registration Service Act 2007.

Amendment 210, in schedule 18, page 230, line 16, at end insert—

“Coroners and Justice Act 2009 (c. 25)

122A In Schedule 21 of the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).”

This amendment makes a consequential amendment to the Coroners and Justice Act 2009 and is consequential on the amendments being made to section 3 of the Access to Health Records Act 1990 by amendment 199.

Amendment 211, in schedule 18, page 232, line 39, after “after “” insert “this”

Paragraph 130(3) of Schedule 18 to the bill amends paragraph 8(8) of Schedule 2 to the Welsh Language (Wales) Measure 2011 by inserting new text. This amendment clarifies where that new text is to be inserted in the English language version of that Measure.

Amendment 212, in schedule 18, page 242, line 40, at end insert—

“Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)

186A (1) Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.

(2) In the English language text—

(a) in subsection (9), omit from “and in this subsection” to the end, and

(b) after subsection (9) insert—

“(9A) In subsection (9)—

“data subject” (“testun y data”) has the meaning given by section3(5) of the Data Protection Act 2018;

“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section3(2) and (14) of that Act).”

(3) In the Welsh language text—

(a) in subsection (9), omit from “ac yn yr is-adran hon” to the end, and

(b) after subsection (9) insert—

“(9A) Yn is-adran (9)—

mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran3(2) a (14) o’r Ddeddf honno);

mae i “testun y data” yr ystyr a roddir i “data subject” gan adran3(5) o’r Ddeddf honno.”

This amendment makes consequential amendments to the Additional Learning Needs and Educational Tribunal (Wales) Act 2018.

Amendment 213, in schedule 18, page 243, line 14, at end insert—

“Estate Agents (Specific Offences) (No. 2) Order 1991 (S.I. 1991/1091)

187A In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—

“Data Protection Act 2018

Section145

False statements made in response to an information notice””

This amendment makes a consequential amendment to the Estate Agents (Specific Offences) (No. 2) Order 1991.

Amendment 214, in schedule 18, page 243, line 22, after “controller”,” insert—

(ba) after “in the context of” insert “the activities of”,”

This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.

Amendment 215, in schedule 18, page 243, line 27, after “controller”,” insert—

(ba) after “in the context of” insert “the activities of”,”

This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.

Amendment 216, in schedule 18, page 243, line 28, at end insert—

“Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

188A The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.

188B In Article 4 (health professionals), for paragraph (1) substitute—

“(1) In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”

188C In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

188D In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—

“(2) For the purposes of section 200 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).

(3) For the purposes of section 200 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

188E The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.

188F (1) Regulation 2(1) (interpretation) is amended as follows.

(2) Omit the definition of “Directive 95/46/EC”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

188G (1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

188H For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—

“7 Data Protection Act 2018

(1) The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—

(a) section8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section202 (application to the Crown),

(c) paragraph 6 of Schedule1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section24(3) (exemption for certain data relating to employment under the Crown), and

(b) section202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

188I For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—

“9 Data Protection Act 2018

(1) The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Commission is to be treated as a government department for the purposes of the following provisions—

(a) section8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section202 (application to the Crown),

(c) paragraph 6 of Schedule1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section24(3) (exemption for certain data relating to employment under the Crown), and

(b) section202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

188J The Representation of the People (England and Wales) Regulations 2001 are amended as follows.

188K In regulation 3(1) (interpretation), at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

188L In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188M In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188N In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188O In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

(a) Article 89 GDPR purposes;”.

188P (1) Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.

(2) After sub-paragraph (b) insert—

“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3) Omit sub-paragraphs (c) and (d).

188Q In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section123(5) of the Data Protection Act 2018”.

188R In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188S In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188T In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188U In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188V In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

(i) Article 89 GDPR purposes;”.

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/ 497)

188W The Representation of the People (Scotland) Regulations 2001 are amended as follows.

188X In regulation 3(1) (interpretation), at the appropriate places, insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

188Y In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188Z In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AA In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AB In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—

(a) Article 89 GDPR purposes;”.

188AC In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

(a) Article 89 GDPR purposes;”.

188AD (1) Regulation 92(2) (interpretation of Part VI etc) is amended as follows.

(2) After sub-paragraph (b) insert—

“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3) Omit sub-paragraphs (c) and (d).

188AE In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section123(5) of the Data Protection Act 2018”.

188AF In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AG In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AH In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AI In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

(i) Article 89 GDPR purposes;”.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

188AJ (1) Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.

(2) In paragraph (2B), for sub-paragraph (a) substitute—

“(a) the disclosure is made in accordance with Chapter V of the GDPR;”.

(3) After paragraph (5) insert—

“(6) In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Nursing and Midwifery Order 2001 (S.I. 2002/253)

188AK The Nursing and Midwifery Order 2001 is amended as follows.

188AL (1) Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.

(2) In paragraph (18), after “enactment” insert “or the GDPR”.

(3) After paragraph (18) insert—

“(19) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

188AM (1) Article 25 (the Council’s power to require disclosure of information) is amended as follows.

(2) In paragraph (3), after “enactment” insert “or the GDPR”.

(3) In paragraph (6)—

(a) for “paragraph (5),” substitute “paragraph (3)—”, and

(b) at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(10), (11) and (14) of that Act).”

188AN In article 39B (European professional card), after paragraph (2) insert—

“(3) For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

188AO In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

188AP (1) Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.

(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

188AQ (1) The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

188AR In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

188AS Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.

188AT In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.

188AU In paragraph (3)—

(a) omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and

(b) at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”

This amendment makes consequential amendments to secondary legislation, including to the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 and the Northern Ireland Assembly Commission (Crown Status) Order 1999.

Amendment 217, in schedule 18, page 244, line 1, at end insert—

(d) for “data controller” substitute “controller”, and

(e) after “in the context of” insert “the activities of”.

Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

191A The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.

191B (1) Regulation 2 (interpretation) is amended as follows.

(2) Omit the definition of “the 1998 Act”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

191C (1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.

(2) After “any information” insert “to the extent that any of the following conditions are satisfied”.

(3) For paragraphs (a) to (c) substitute—

(aa) the pupil to whom the information relates would have no right of access to the information under the GDPR;

(ab) the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.

(4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.

(5) In paragraph (e), for “that” substitute “the information”.

191D In regulation 9 (fees), for paragraph (1) substitute—

“(1A) In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.

(1B) Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—

(a) exceeds the cost of supply, or

(b) exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

191E Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.

191F (1) Paragraph 74(1) (interpretation) is amended as follows.

(2) Omit the definitions of “relevant conditions” and “research purposes”.

(3) At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

191G In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.”

This amendment makes consequential amendments to secondary legislation, including to the Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003. The amendment to that Order is consequential on amendment 183, and also changes the reference in article 11(4) of that Order to a “data controller” to a “controller”.

Amendment 218, in schedule 18, page 244, line 13, leave out from “GDPR”” to “(see” in line 14 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in the Environmental Information Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 219, in schedule 18, page 246, line 31, leave out from “GDPR”” to “(see” in line 32 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in the Environmental Information (Scotland) Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 220, in schedule 18, page 247, line 40, at end insert—

“Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

199A (1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.

(2) In paragraph (1)(b)—

(a) for paragraph (iii) (but not the final “, and”) substitute—

“(iii) the results of a request made under Article 15 of the GDPR or section45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and

(b) in the words following paragraph (iii), omit “search”.

(3) After paragraph (2) insert—

“(3) In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

199B The Education (Pupil Information) (England) Regulations 2005 are amended as follows.

199C In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section3(4) of the Data Protection Act 2018”.

199D (1) Regulation 5 (disclosure of curricular and educational records) is amended as follows.

(2) In paragraph (4)—

(a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and

(b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.

(3) After paragraph (6) insert—

“(7) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.””

This amendment makes consequential amendments to secondary legislation.

Amendment 221, in schedule 18, page 248, line 37, leave out from “GDPR”” to “(see” in line 38 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 222, in schedule 18, page 249, line 1, at end insert—

“Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

200A In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—

(a) for the definition of “data protection principles” substitute—

““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and

(b) at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(10), (11) and (14) of that Act);”.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

200B The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.

200C (1) Regulation 39 (sensitive information) is amended as follows.

(2) In paragraph (1)(d)—

(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.

(3) After paragraph (1) insert—

“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C) The condition in this paragraph is that—

(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section15,16 or26 of, or Schedule2,3 or4 to, the Data Protection Act 2018,

(b) on a request under section45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c) on a request under section94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(1D) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section34(1) of the Data Protection Act 2018, and

(c) section85(1) of that Act;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section3 of that Act);

“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(2) and (14) of that Act).

(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

(4) Omit paragraphs (2) to (4).

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

200D (1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(4) After that sub-paragraph insert—

“(2) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

200E In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—

“(b) any material used consists of or includes human cells or human DNA,”.

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

200F For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—

“5 Data Protection Act 2018

(1) The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Assembly Commission is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section202 (application to the Crown),

(c) paragraph 6 of Schedule1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section24(3) (exemption for certain data relating to employment under the Crown), and

(b) section202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

200G In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity) —

(a) in the English language text, for paragraph (c) substitute—

“(c) any material used consists of or includes human cells or human DNA; and”, and

(b) in the Welsh language text, for paragraph (c) substitute—

“(c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

200H (1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.

(2) In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(3) After paragraph (1) insert—

“(2) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

200I In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a) in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—

(i) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after paragraph (3) insert—

“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

200J The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 is amended as follows.

200K In regulation 2 (interpretation), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

200L In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

200M In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and

(b) after paragraph (3) insert—

“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

200N In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”.

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

200O The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.

200P In regulation 2(1) (interpretation)—

(a) at the appropriate place in the English language text insert—

““the GDPR” (“y GDPR”) and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section3(10), (11) and (14) of that Act);”, and

(b) at the appropriate place in the Welsh language text insert—

“mae i “y GDPR” a chyfeiriadau at Atodlen2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran3(10), (11) a (14) o’r Ddeddf honno);”.

200Q (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2) In paragraph (7)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (8)—

(a) in the English language text substitute—

“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

200R (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2) In paragraph (6)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (7)—

(a) in the English language text substitute—

“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

200S (1) Regulation 29 (occurrence reports) is amended as follows.

(2) In paragraph (3)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (4)—

(a) in the English language text substitute—

“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

200T (1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.

(2) In paragraph (3)—

(a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.

(3) After paragraph (3) insert—

“(3A) The condition in this paragraph is that the disclosure of the information to a member of the public—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”

(4) After paragraph (4) insert—

“(5) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section34(1) of the Data Protection Act 2018, and

(c) section85(1) of that Act;

“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(2) and (14) of that Act).”

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

200U (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(i) section145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section3(12) of the Data Protection Act 2018).”

Overseas Companies Regulations 2009 (S.I. 2009/1801)

200V (1) Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(i) section145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section3(12) of the Data Protection Act 2018).”

Provision of Services Regulations 2009 (S.I. 2009/2999)

200W In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—

“(d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”

This amendment makes consequential amendments to secondary legislation including to the National Assembly for Wales Commission (Crown Status) Order 2007.

Amendment 223, in schedule 18, page 249, line 32, at end insert—

“INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

201A (1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.

(2) In paragraph (2)—

(a) omit “or” at the end of sub-paragraph (a),

(b) for sub-paragraph (b) substitute—

“(b) Article 21 of the GDPR (general processing: right to object to processing), or

(c) section99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and

(c) omit the words following sub-paragraph (b).

(3) After paragraph (6) insert—

“(7) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section34(1) of the Data Protection Act 2018, and

(c) section85(1) of that Act;

“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(2) and (14) of that Act).

(8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

201B The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.

201C In regulation 2(2) (interpretation), at the appropriate place insert—

““the GDPR” and references to Schedule2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section3(10), (11) and (14) of that Act);”.”

201D (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2) In paragraph (7), at the end insert “or the GDPR”.

(3) For paragraph (8) substitute—

“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

201E (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2) In paragraph (6), at the end insert “or the GDPR”.

(3) For paragraph (7) substitute—

“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

201F (1) Regulation 29 (occurrence reports) is amended as follows.

(2) In paragraph (3), at the end insert “or the GDPR”.

(3) For paragraph (4) substitute—

“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

Pharmacy Order 2010 (S.I. 2010/231)

201G The Pharmacy Order 2010 is amended as follows.

201H In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.

201I (1) Article 9 (inspection and enforcement) is amended as follows.

(2) For paragraph (4) substitute—

“(4) If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”

(3) After paragraph (4) insert—

“(5) In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

201J In article 33A (European professional card), after paragraph (2) insert—

“(3) In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

201K (1) Article 49 (disclosure of information: general) is amended as follows.

(2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.

(3) For paragraph (3) substitute—

“(3) In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”

(4) After paragraph (5) insert—

“(6) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

201L (1) Article 55 (professional performance assessments) is amended as follows.

(2) In paragraph (5)(a), after “enactment” insert “or the GDPR”.

(3) For paragraph (6) substitute—

“(6) In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”

(4) After paragraph (8) insert—

“(9) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

201M In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—

“(aa) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

201N (1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.

(3) In paragraph 9 (processing data)—

(a) omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and

(b) after sub-paragraph (2) insert—

“(3) In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”

201O (1) The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

National Employment Savings Trust Order 2010 (S.I. 2010/917)

201P The National Employment Savings Trust Order 2010 is amended as follows.

201Q In article 2 (interpretation)—

(a) omit the definition of “data” and “personal data”, and

(b) at the appropriate place insert—

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section3(2) and (14) of that Act).”

201R (1) Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.

(2) In paragraph (1)—

(a) for “disclosure of data” substitute “disclosure of information”, and

(b) for “requested data” substitute “requested information”.

(3) In paragraph (2)—

(a) for “requested data” substitute “requested information”,

(b) for “those data are” substitute “the information is”, and

(c) for “receive those data” substitute “receive that information”.

(4) In paragraph (3), for “requested data” substitute “requested information”.

(5) In paragraph (4), for “requested data” substitute “requested information”.

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

201S (1) Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(1) (interpretation and general)—

(a) omit the definition of “research purposes”, and

(b) at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

201T (1) Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.

(2) In paragraph (5)—

(a) in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—

(a) which the head teacher could not lawfully disclose to the pupil under the GDPR, or

(b) to which the pupil would have no right of access under the GDPR.”, and

(b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—

(a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu

(b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”

(3) After paragraph (5)—

(a) in the English language text insert—

“(6) In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and

(b) in the Welsh language text insert—

“(6) Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

201U In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

201V The Police and Crime Commissioner Elections Order 2012 is amended as follows.

201W (1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.

(2) In paragraph 20 (absent voter lists: supply of copies etc)—

(a) in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (10) insert—

“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b) after that sub-paragraph insert—

“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

201X (1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3) In paragraph 5 (restriction on use of documents or of information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b) after sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)

201Y Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.

201Z (1) Paragraph 29(1) (interpretation of Part 8) is amended as follows.

(2) At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3) For the definition of “relevant conditions” substitute—

““relevant requirement” means the requirement under Article 89 of the GDPR, read with section19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.

(4) Omit the definition of “research purposes”.

201AA In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section123(5) of the Data Protection Act 2018”.

201AB In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AC In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AD In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AE In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—

(a) Article 89 GDPR purposes (as defined in paragraph 29),”.

Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)

201AF (1) Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.

(2) For paragraph (4) substitute—

“(4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

(3) In paragraph (5), after “enactment” insert “or the GDPR”.

(4) After paragraph (6) insert—

“(7) In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”

Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)

201AG (1) Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.

(2) The existing text becomes paragraph (1).

(3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(4) After that paragraph insert—

“(2) In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to secondary legislation.

Amendment 224, in schedule 18, page 250, line 7, at end insert—

“Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)

204A (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(i) section145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section3(12) of the Data Protection Act 2018).”

Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)

204B The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.

204C (1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.

(2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After paragraph (2) insert—

“(3) In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”

204D (1) Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.

(2) For paragraph (1) substitute—

“(1) Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”

(3) After paragraph (3) insert—

“(4) In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)

204E The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.

204F (1) Regulation 2(1) (interpretation) is amended as follows.

(2) Omit the definition of “Directive 95/46/EC”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

204G In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.

204H In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

204I In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

204J In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).

204K In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.

Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)

204L The Scottish Parliament (Elections etc) Order 2015 is amended as follows.

204M (1) Schedule 3 (absent voting) is amended as follows.

(2) In paragraph 16 (absent voting lists: supply of copies etc)—

(a) in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (10) insert—

“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3) In paragraph 20 (restriction on use of absent voting lists)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after that sub-paragraph insert—

“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

204N (1) Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3) In paragraph 5 (restriction on use of documents or of information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)

204O In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.

Register of People with Significant Control Regulations 2016 (S.I. 2016/339)

204P Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.

204Q (1) Paragraph 6 (disclosure to a credit reference agency) is amended as follows.

(2) In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(3) In sub-paragraph (c)—

(a) omit “or” at the end of paragraph (ii), and

(b) at the end insert “; or

(i) section145 of the Data Protection Act 2018 (false statements made in response to an information notice); and”.

(4) After sub-paragraph (c) insert—

“(d) has not been given a penalty notice under section154 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”

204R In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—

(b) for the purposes of ensuring that it complies with its data protection obligations.”

204S (1) In Part 3 (interpretation), after paragraph 13 insert—

14 In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—

(a) where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section3(12) of the Data Protection Act 2018).”

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

204T The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.

204U In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.

204V In regulation 3(3) (supervision), omit “under the 1998 Act”.

204W For Schedule 2 substitute—

SCHEDULE 2